My company has userbase of course, but I want to allow users to login and use my applications with their social accounts e.g. Outlook, Facebook, Gmail. Something that is usually not clear to me when I read resources on the Internet on the topic is how to map the social credentials with ones in our database? I know we should use an API platform or something like that, but the user identity part is not clear to me.
You basically need to, as you noted, tap into the provided response and transform or link or provision it to existing identities in your own userbase. A lot of this depends on your method of delegating authentication to external provides and things they expose back to you as part of the user profile. You basically need to grab the user profile, parse it and then determine which field can be used to link that profile to an existing account, and then establish the authentication session based on the final result.
Here is a link to a technical walkthrough that describes the same process with an SSO solution: https://apereo.github.io/2018/04/20/cas-delegated-authn-account-linking/
Related
Here is my scenario. Imagine there is a Yoga studio that uses a professional booking and reservation system that exposes an API. Through this API an application can make a reservation for a client. The API takes the client's userid and password to make the reservation. The booking API doesn't use OAuth or any social media sign-ins.
My desire is to create an Assistant Action that would retrieve the list of classes and allow the client to make a booking.
My puzzle is what design/architecture to look towards to supply the userid/password pair required by the booking API.
How have others solved this puzzle?
Should I store the userid/password as "user state" associated with the action?
First, you should have a conversation with the API provider about why they don't provide an OAuth-based solution. This is a security vulnerability waiting to happen, if it hasn't already.
Second, you need to think very carefully about your own risk profile in this case:
Google does not allow you to collect credential information (ie - passwords) through your Action.
Because of this, you must use Account Linking to authenticate them.
This means that you will need something (ie - a database or data store) to manage their account on your side.
This database would be a good place to keep the username/password you need to use for them for the API...
...but it now means that you need to take extreme care about protecting this database.
You don't really say how this API allows for accounts to be created and managed. If these accounts are just used for you (ie - the user doesn't necessarily see them), then you can mitigate some of that risk by treating the username/password as an opaque token that you manage and generate and that the user never sees.
If this is something that the user is aware of, then you'll need to approach the account linking in one of two ways:
Have them log into your service via an app or webapp using this credential info that you will need to save (ack!) and then link to the Assistant using OAuth.
Have them log into your service via an app or webapp using Google Sign-In, which will carry over to your Action. Then have them provide the credential info for the API, which you will need to save (ack!).
I’ve built a google action that talks to my bespoke web Api.
The actions code currently has personal details hard coded into it. I need to make it so that when someone uses it for the first time it asks them for a username password and URL.
Is there a way to do this? Or maybe there is a way for a user to add those details to there google account in some way that the action can read them.
Alternatively is there a way to publish an action so only specific users can access it?
In general, asking for a username and password is a bad approach for Actions, for several reasons, and asking for a URL can be quite a mess. Particularly if you're expecting the user to access the Action via voice or a device that doesn't support a keyboard.
The better approach is to use Account Linking to connect their Google Account to an account they have created on your system. If you need additional one-time configuration information, you can have them provide this information for their account via a webapp, store it in a datastore of some sort, and then access it when they contact your webhook via the Action.
There is no way to have the Assistant enforce access to a production Action. You can publish an Alpha release to up to 20 accounts, but this is still treated as a "test" version.
I'm using adjust and firebase in my ionic app but the app secrets for these integrations and others all show up in my app's js code if I extract the APK/IPA.
How do I keep credentials secure and package them with the app's APK/IPA for such hybrid apps?
This is an interesting question and it's good that you are asking it :)
For the Firebase settings, they are secret, but not secret-secret. They are just a starting point. Nothing can be done with those unless the user also logs in with their password which is hashed using the secret key and then sent over.
This proves that the person knows enough to identify themselves as a user.
Then on the server side, you have your rules that say "for the person that has identified themselves as user X they have permission to do Y"
If somebody has got your password then you are exposed just the same as you are always exposed.
You can also restrict your Firebase account by apps package id, hostname, IP address, in the Google Cloud admin panels.
As for your other things, like Adjust, they have their own solutions along the same lines. Either the API key is just enough for you to read the information, or if its a powerful level of access then normally there is some kind of authentication/account linking process so you can prove yourself to the other API.
If not, then you cannot just put it out there, you need to create your own proxy. Firebase supports cloud functions (aka serverless) so you can run snippets of code which are only accessible by users that have logged in, and then return that information back to the client as a proxy.
I am working on a news media website, and I am looking to add feature to allow users to register, login and make comments.
For example (New York Times login/register screen)
May I know what options are available, what are the common approaches publishers would choose ?
So far I have been looking at:
AWS Cognito: Allows to create own user directory, and authenticate.
Disquss SSO: also implemented commenting.
In house development: Code a new microservice to manage user directory and store/serve comments, alternatively using AWS Lambda. I am very keen to go down that path, example, but this might costs a lot to develop + maintain.
User data security is my top consideration, I would prefer to use a separate system to store user data. Either a robust third party service or complete in house development of a new system.
Any suggestions?
Thank you.
These are web-standards for single sign on:
OpenID
OpenID Connect
Companies like Google and Facebook provide authentication using Google-/Facebook-accounts. As far as I know, Google uses OpenID Connect which is based on OAuth. However, I don't know if you don't have to store user data any more at all when using this.
I believe it's worth checking again if authentication and commenting should be combined, especially when using a third-party-solution. It makes it harder to change one of the two.
This could give you some more ideas: https://en.m.wikipedia.org/wiki/List_of_single_sign-on_implementations.
I am developing a iOS app, that will require the users to log in with third-party SNS account, like facebook, or twitter. However, I want to allocate "native" user id for each users for the benefits of future use.
For example, since each FB user is assigned an unique ID, say, 12345678, when this user log in with his/her FB account, I can get this FB id via FB's iOS api, then I can simply add a prefix "FB" to this id, stored a local text file with "FB12345678" as content in the i-device.
Then next time the app launches, it simply check the existence of this text file, and if not, pop out a view to require users to login, otherwise just use the content, like "FB12345678" as keyword to fetch data from my server.
Above is my own thinking. But I think there are some severe problems:
first, is it safe to store a string locally without encryption?
Second, if I use, say in the example, "FB12345678" to fetch data, is it safe to transmit via the Internet?
Chances are this " FB12345678" can be easily intercepted, and used to forge the identity of a user.
Lastly, if the user changes his/her FB password, I think my app should require the user to re-authenticate, but from the above strategy, obviously it does not work out.
So could anyone elaborate what is the most commonly used strategy, or algorithm, to enable thirdparty SNS account login? (like Instagram, Parse, etc.)
you can use the SDKs Provided by different Social Medias. It will maintain the session at your side. It is not proper to save userid on application side and other thing is that in almost all the medias you will require to send the access token and secret to request a data. and the Token Changes so its not good to save it. You can send it with your request and if it will be expired it will automatically ask you for the second time login.
please visit:
www.developers.facebook.com //for facebook
www.dev.twitter.com // for twitter
Try following links:
https://github.com/fhsjaagshs/FHSTwitterEngine
https://github.com/nov/fb_graph
hope this will help you.