I want to integrate Firebase cloud messaging with Android. I have created my account on Firebase and integrated with the app and have sent a message from Firebase console. The app received the message. So far, things like this seem working.
My question is that how can I connect Firebase with my own database server, which is consisting of MongoDB, to check for the data of users against to whom a notification is to be sent? Can some one guide me please?
There are quite a number of steps, it is probably too long to post here, but since you just asked for guidance, I'll try to run through the steps involved.
Your Android app will need to send its FCM token the server running your MongoDB instance. Referencing this FCM documentation page, you'll need to implement sendRegistrationToServer(refreshedToken); in the onTokenRefresh() method.
Your server will need to be listening for clients sending their FCM token. This could be an HTTP endpoint listening for POST requests with a client token and username. It can then store the details in your database. (Remember to use HTTPS where possible.)
Enable the Cloud Messaging API: https://console.developers.google.com/apis/api/fcm.googleapis.com/overview?project=insert-project-id-here
You can send FCM messages from the server running MongoDB using the Firebase HTTP v1 API, but first you'll need to authorize your server to do so. Instructions here. You will get an authorisation token that needs to be included in the HTTP header of all API requests.
Once you have a valid token you can send an HTTP POST request to https://fcm.googleapis.com/v1/{parent=projects/*}/messages:send, where the body contains details of the message. This page contains a description of the API endpoint. This page contains a description of the message body to send.
As a brief (currently untested) example of a POST request. If you're project id was fcm-test-12345, you would make a POST request to:
https://fcm.googleapis.com/v1/projects/fcm-test-12345/messages:send
The header should contain:
Authorization: Bearer <your access token>
Content-Type: application/json
And the body would be something like this:
{
"message": {
"data": { "key": "value" }, // optional data to send to client.
"notification": {
"title": "Notification title",
"body": "Notification body"
},
"token": "<client device token from MongoDB>"
}
}
Related
I want to send emails with java and smtp using OAuth2 access_token
I am able to do it if I use OAuth2 type that prompts the user with a browser to allow access.
Now I want to use a google service account and send a jwt json file to get the access token
As documented here
https://developers.google.com/identity/protocols/oauth2/service-account
I get a response back from the token url (https://oauth2.googleapis.com/token) that has a access_token, but it does not return a scope attribute and also has a ton of trailing periods
When I use it to call the smtp it responds with a 400 error
My Question is does gmail api work with jwt tokens?
Do I need to also have a Google Workspace Account or can I just use a normal Gmail Account?
EDIT FOLLOW UP:
I called the token validator url and got this back
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=xxx
validateAccessToken response: {
"issued_to": "xxx",
"audience": "xxx",
"scope": "https://mail.google.com/",
"expires_in": 3599,
"access_type": "online"
}
Not sure if it is the issue but access_type = "online" instead of offline like when I do it with 3 leg auth that requires user approval for access. Doing the JWT way I do not see anywhere to define access_type when requesting token
I'm currently working on a small project where I need to create login and register functionalities for a web application. A colleague of mine had the opinion, that a login request should be done with a post request where the user credentials are stored in the body of the request. I was used to do login requests with a Get-Request where the login credentials are stored in the authentication header (e.g. with Basic-Authentication). So I've read some threads and most of them say, that a POST-Request is better than a GET-Request for login. But also some threads said, that it is better to store user credentials in a request header instead of the body. In case the credentials are stored in the header I don't understand why a GET-Request should be better than a POST-Request.
So I was wondering what you think. What are the benefits/disadvantages of Login with POST-Request and User Credentials stored in the Request-Body compared to storing them in the header via Base-Authentication (encrypted with Base64).
Thanks for any opinions.
A POST is preferable for login request, because the authentication information will be sent in the HTTP messages body rather than the URL. Although it will still be sent plain text, unless you're encrypting via HTTPS.
GET method data is sent to the server followed by the URL which will be seen to everyone.
Both GET and POST method are used to transfer data from client to server in HTTP protocol but main difference between POST and GET method is that GET carries request parameter appended in URL string, while POST carries request parameter in message body which makes it more secure way of transferring data from client to server in HTTP protocol.
I'm creating an app in which you are supposed to signup/login to use it. Now I'm implementing a restful webservice for it and I'm not sure whether I'm going the right way. My workflow is:
To signup, the user types in his credentials like username, email and password. The app hashes the password and sends a post request containing the credentials as json to my webservice and the webservice saves the new user to the database.
To login into the system, the app sends a get request including the parameters username and hash of the password to the webservice, compares the hash values and returns an appropriate response code for success oder fail.
The communication between app and webservice is secured by ssl.
Is this the right and secure workflow of a signup/login system? If not, why is it not secure and can you recommend another workflow? Cheers.
The most important part should be that your web service is only reachable via https.
I assume you are talking about a mobile app.
The app should not hash the password, the web service should do it and then store the user.
Mobile apps can be reverse engineered and then you know how to hash your passwords.
So to create a user in a restful way would be to send a POST request with username, email and password in the body.
For example POST /users
{
"username": "john-doe",
"email": "mail#example.org",
"password": "some password"
}
For authentication/authorization you might consider OAuth 2 but that takes a huge amount of time to implement.
Another option would be to have another REST resource called access-tokens.
So whenever you need to authenticate you do a POST /access-tokens request to create an access token.
POST /access-tokens
{
"username": "john-doe",
"password": "some password"
}
Response
{
"access_token": "9d91c97fc0f98a6311f101246e252ab3230c261c2af",
"expries_in": 3600
}
Then the mobile app needs to take care of that it will always create a new access token shortly before it expires. OAuth 2 has also refresh tokens for this purpose which are delivered together with the access token. Then you can retrieve a new access token just by sending the refresh token to the web service.
Once authenticated you need to include the access token in the Authorization header in every request to the web service that needs authentication.
I would like to implement the Streamlined Identity Flow base on this documentation:
https://developers.google.com/actions/identity/oauth2-assertion-flow
I created my server (Node.js + node-oauth2-server) and successfully tested with OAuth 2.0 Playground.
Authorization code flow implemented, account linking enabled.
According to the documentation: "When Google needs to access your service's resources, and the user is signed in to their Google Account, Google sends a signed JWT with information about the user to your token exchange endpoint.".
The expected request is:
POST /token HTTP/1.1
Host: oauth2.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&intent=ACTION&assertion=JWT&consent_code=CONSENT
The problem is that there is no such request, the token endpoint get called with grant_type=authorization_code without any JWT information.
I tried the Google Account Linking Demo and the Action simulator, same results.
Why is the JWT grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer request is missing? What should be changed in order to receive such requests?
I encountered the same problem. In my case, every time I validated the "Quick account linking" I had an error during the tests with the simulator. And as a result, the 'seamless account linking' was not engaged.
It was enough that I fill the field: Link to Terms of Service 'in App information for the simulator to start test without error.
I saw then arrive the screen described in the doc "Exchange JWT assertions for tokens" which allows to select a google account
then google sent to my OAuth2 server a request with grant_type = urn: ietf: params: oauth: grant-type: jwt-bearer
and I saw the arrival of the famous JSON Web Token (JWT)
(For the test authentication, you have to use https://gala-demo.appspot.com/ with the name of the project with _dev).
In my case, now, seeamless account linking works well.
I hope It can help.
In a project I am using Authentication multiple times for different providers, so I am relying on standard libraries.
I want to establish connection with Facebook yet it provides not completely standard authorization.
To test the connection I am using REST Console in Authorization part of it I place a key and secret and for
Authorize URL I provide https://graph.facebook.com/oauth/authorize
Access token URL - https://graph.facebook.com/oauth/access_token
Request token URL I leave empty or fill it with https://graph.facebook.com/
And what I get bck looks like this:
{
"error": {
"message": "Expected 1 '.' in the input between the postcard and the payload",
"type": "OAuthException",
"code": 1
}
}
So my question is how to get authenticated forming standard OAuth calls?
EDIT
For the moment (testing stage) I found that data can be retrieved using no standard authentication but access_token with appropriate values. Yet sending http request with api key and secret exposed in the request url can not be the right way of ding it.