I'm trying to add some key-value pairs to custom claims but can't find any function for this. How do you do it on Android?
For example, I am able to set the Display Photo this way:
FirebaseUser user = ...;
UserProfileChangeRequest profileUpdates = new UserProfileChangeRequest.Builder()
        .setPhotoUri(Uri.parse(response.body().getPhotoURI()))
        .build();
user.updateProfile(profileUpdates).addOnCompleteListener(task -> { ... });
Doing it from the client SDK would be a risk, as malicious clients could also modify the data. Maybe claims can be added in the console now, which I am not certain of, and that might be what you're looking for. From Controlling Data Access Using Firebase Auth Custom Claims:
It might sound like a good idea to add all sorts of criteria as custom claims. Perhaps you want to add a home address, additional photo URLs, or a profile description, for example. But this is not what custom claims are designed for. Data like addresses should be stored in a database, since it’s not related to authentication. Tokens are not profiles!
And from Set and validate custom user claims via the Admin SDK:
Custom claims can contain sensitive data, therefore they should only be set from a privileged server environment by the Firebase Admin SDK.
// Set admin privilege on the user corresponding to uid.
Map<String, Object> claims = new HashMap<>();
claims.put("admin", true);
FirebaseAuth.getInstance().setCustomUserClaims(uid, claims);
The new custom claims will propagate to the user's ID token the next time a new one is issued.
And Using It:
// Verify the ID token first.
FirebaseToken decoded = FirebaseAuth.getInstance().verifyIdToken(idToken);
if (Boolean.TRUE.equals(decoded.getClaims().get("admin"))) {
    // Allow access to requested admin resource.
}
OR As Client:
// Lookup the user associated with the specified uid.
UserRecord user = FirebaseAuth.getInstance().getUser(uid);
// getCustomClaims() returns Map<String, Object>, so compare the value against
// Boolean.TRUE instead of passing it to Boolean.parseBoolean(String).
boolean claim = Boolean.TRUE.equals(user.getCustomClaims().get("admin"));
You might want to read this: Firebase Custom Claim Java
It's not possible to set custom claims directly in the client app. That would be considered a security problem. Custom claims are a flexible security mechanism that allows you to grant the user access to backend resources. If users could grant themselves custom claims, then they would be an ineffective method of securing resources.
You should use the Firebase Admin SDK to assign custom claims on a backend you control, and make sure that the claims only are granted for users in the specific situations that you allow - users should not be able to assign themselves custom claims.
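To make the last paragraph concrete, here is a server-side gate built only from the Admin SDK calls already quoted above (verifyIdToken and setCustomUserClaims) plus revokeRefreshTokens. This is an added example, not code from the answers or from Firebase; the class name ClaimGranter, the rule that only a caller whose own verified token already carries admin=true may promote or demote someone, and the revocation step on demotion are my choices, and it assumes FirebaseApp has been initialised with service-account credentials on a server that clients can reach only through this endpoint.

```java
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;
import java.util.HashMap;
import java.util.Map;

// Example gate (not Firebase's or the answers' code) that runs on a server you control.
// Assumes FirebaseApp.initializeApp(...) has already run with service-account credentials.
public final class ClaimGranter {

    private final FirebaseAuth auth;

    public ClaimGranter(FirebaseAuth auth) {
        this.auth = auth;
    }

    // True when the verified token carries admin=true. This is the same check a
    // resource server runs on every request; the raw JWT payload is never trusted.
    public boolean isAdmin(String idToken) throws FirebaseAuthException {
        // checkRevoked=true also rejects tokens minted before revokeRefreshTokens() ran.
        FirebaseToken decoded = auth.verifyIdToken(idToken, true);
        return Boolean.TRUE.equals(decoded.getClaims().get("admin"));
    }

    // Promotes targetUid, but only when the caller proves (with their own ID token)
    // that they are already an admin. The client never supplies the claim itself.
    public void grantAdmin(String callerIdToken, String targetUid) throws FirebaseAuthException {
        if (!isAdmin(callerIdToken)) {
            throw new SecurityException("caller is not permitted to grant admin");
        }
        Map<String, Object> claims = new HashMap<>();
        claims.put("admin", true);
        auth.setCustomUserClaims(targetUid, claims);
        // The claim appears in the target's ID token the next time one is issued.
    }

    // Demotes targetUid and invalidates outstanding sessions, so an ID token that
    // still says admin=true is refused by isAdmin() instead of living until expiry.
    public void revokeAdmin(String callerIdToken, String targetUid) throws FirebaseAuthException {
        if (!isAdmin(callerIdToken)) {
            throw new SecurityException("caller is not permitted to revoke admin");
        }
        auth.setCustomUserClaims(targetUid, new HashMap<String, Object>());
        auth.revokeRefreshTokens(targetUid);
    }
}
```

Two practical notes: the very first admin has to be bootstrapped out of band (a one-off script with the service account), since nobody can pass the isAdmin check before any claim exists; and on the Android side the promoted user only sees the new claim after a forced refresh, for which FirebaseUser.getIdToken(true) exists in the client SDK (an assumption about the client API, not something the answers above show).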
Related
I'm trying to make a Java application in which a user can log in to his Active Directory and update his account info like phone number, display name, password, etc.
I'm able to authenticate the user, but I can't seem to find anything on updating the data. Can anyone guide me through this?
Thank you.
As a workaround you can use the Microsoft Graph REST API to update the user.
Not all properties can be updated by Member or Guest users with their default permissions without Administrator roles. Compare member and guest default permissions to see properties they can manage.
Note: Your personal Microsoft account must be tied to an AAD tenant to update your profile with the User.ReadWrite delegated permission on a personal Microsoft account.
Example : Update properties of the signed-in user
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authProvider).buildClient();
User user = new User();
LinkedList<String> businessPhonesList = new LinkedList<String>();
businessPhonesList.add("+1 425 555 0109");
user.businessPhones = businessPhonesList;
user.officeLocation = "18/2111";
graphClient.me()
        .buildRequest()
        .patch(user);
For more information and examples, refer to this document:
I'm creating an application to log in to Google+ and get friends' emails.
I'm authenticating successfully and get a token back, but when I fetch the friends list, the user class of every single friend has emails=null...
Here is the code (after having already signed in and obtained the authenticator object):
// Generated libraries for Google APIs
using Google.Apis.Authentication.OAuth2;
using Google.Apis.Authentication.OAuth2.DotNetOpenAuth;
using Google.Apis.Services;
using Google.Apis.Util;
using Google.Apis.Plus.v1;
using Google.Apis.Plus.v1.Data;
// For OAuth2
using DotNetOpenAuth.Messaging;
using DotNetOpenAuth.OAuth2;
//....code for authentication skipped ....
//...callback from json (authentication success)
PlusService ps = new PlusService(new BaseClientService.Initializer()
{
    Authenticator = authenticator
});
PeopleFeed peopleFeed = ps.People.List("me", PeopleResource.CollectionEnum.Visible).Fetch();
// After that, when I inspect peopleFeed[0].Emails <--- this is null..
Any help?
The Google+ API only returns public information. So even if you are permitted to see a person's email address, it does not necessarily mean that the information is public and that it will be returned.
Furthermore, the documentation at https://developers.google.com/+/api/latest/people/list only guarantees that the list of people returned will contain the person's
id
displayName
image
url
and that to get other information about the person, you will need to do a people.get against that ID. But, again, note that you may still not get their email if that information isn't public.
You could also use the Contacts v3 API to get friend's email addresses. You can cross map this to Google+ contacts by looking at the gContact:website element for the contact that comes back in the XML response:
<gContact:website href='http://www.google.com/profiles/1234567890' rel='profile'/>
In that element's href attribute, 1234567890 is the person identifier that would match the id field of the relevant person resource from people.list of the Google+ API.
Note that the profile link is not guaranteed to come back for a contact entry. This occurs when the contact has not been linked to a Google+ profile.
My first guess would be that it's a rights management issue. I remember when I asked for my Google API key, I had to mention what information I want to get.
Could you check your API key settings in the Google Developer network and see if you need to enable it there?
I'm sure this is basic and I'm missing something. I've read through other answers on SO, I've googled, I've read resources and I just can't wrap my head around what I need to do.
I'm trying to figure out how to write an app that connects to Twitch's API, specifically how to authenticate with Twitch's api. Their documentation is here: https://github.com/justintv/Twitch-API/blob/master/authentication.md
I've created an app and stored my keys.
Now comes the part where I want my user to click a button which launches the authentication on their website. From what I can tell I do this by using an AccountManager. Except... I can't figure out what I'm supposed to do.
Here's the excerpt I've found online:
AccountManager am = AccountManager.get(this);
Bundle options = new Bundle();
am.getAuthToken(
        myAccount_,                 // Account retrieved using getAccountsByType()
        "Manage your tasks",        // Auth scope
        options,                    // Authenticator-specific options
        this,                       // Your activity
        new OnTokenAcquired(),      // Callback called when a token is successfully acquired
        new Handler(new OnError())); // Callback called if an error occurs
According to twitch's documentation I want to send the user to:
https://api.twitch.tv/kraken/oauth2/authorize
?response_type=code
&client_id=[your client ID]
&redirect_uri=[your registered redirect URI]
&scope=[space separated list of scopes]
&state=[your provided unique token]
And I simply have no idea how these two things need to be combined.
Firstly, I recommend reading the OAuth2 RFC. This should cover everything you need to know.
The AccountManager code snippet won't help you much unless there already is an app that provides authentication for Twitch. If that's not the case you either need to use an existing OAuth2 library or implement your own.
You could write your own AccountAuthenticator but that's a different challenge (and you still need some kind of OAuth2 client).
Doing it yourself is not that hard, see below.
Steps to implement it yourself
Twitch recommends using the "Implicit Grant Flow" for mobile apps. That's what I'm going to describe below.
1. Get a client ID
Register your app as outlined in Developer Setup to get a client ID
As redirect URI you can use something like https://localhost:12398/, the actual port doesn't really matter.
2. Build the authentication URL
In your client app you need to construct the authentication URL like so:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=[your client ID]&
redirect_uri=[your registered redirect URI]&
scope=[space separated list of scopes]
Apparently [your client ID] should be replaced by the client ID you've received from Twitch, same goes for [your registered redirect URI] (that's the URL above, i.e. https://localhost:12398/). [space separated list of scopes] is the list of scopes (i.e. features you want to access), see Scopes. Make sure you URL-encode the parameter values properly.
Assuming your client ID is 123456 and the scopes you need are user_read and channel_read your URL would look like this:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=123456&
redirect_uri=https%3A%2F%2Flocalhost%3A12398%2F&
scope=user_read%20channel_read
Note that you should also pass a state parameter, just use a randomly generated value. You can also append the (non-standard) force_verify parameter to make sure the user actually needs to log in each time (instead of continuing a previous session), but I think you can achieve the same by clearing the cookie store (given that you open the URL in a webview in the context of your app) before you open the login page.
With a random state the URL would look like this:
https://api.twitch.tv/kraken/oauth2/authorize?
response_type=token&
client_id=123456&
redirect_uri=https%3A%2F%2Flocalhost%3A12398%2F&
scope=user_read%20channel_read&
state=82hdknaizuVBfd9847guHUIhndzhuehnb
Again, make sure the state value is properly URL encoded.
3. Open the authentication URL
Ideally you just open the URL in a WebView inside of your app. In that case you need to intercept all requests to load a new URL using WebViewClient.shouldOverrideUrlLoading.
Once the client is redirected to your redirect URL you can close the webview and continue with step 4.
Theoretically it's possible to utilize the default browser to do the authentication, but I would have security concerns since an external app could learn about your client ID and the access token.
4. Extract the access token
The actual URL you get redirected to in step #3 will have the form:
https://[your registered redirect URI]/#access_token=[an access token]&scope=[authorized scopes]
or to pick up the example
https://localhost:12398/#access_token=xxx&scope=user_read%20channel_read
Where xxx is the actual access token.
If you passed a state it will be present like so:
https://localhost:12398/#access_token=xxx&scope=user_read%20channel_read&state=82hdknaizuVBfd9847guHUIhndzhuehnb
All you have to do now is to parse the (URL encoded) access token, scope and state. Compare the scopes and state to the ones that you actually sent. If they match you can start using the access_token to authenticate.
Note According to the OAuth2 RFC, the response URL MUST also contain a token_type and it SHOULD contain an expires_in duration in seconds.
Once you received the access token you can use it to authenticate as described here.
Access tokens issued by the Implicit Grant Flow usually expire after a certain time and the user needs to authenticate again. The Twitch documentation doesn't mention any expiration time, so it's possible that the token is valid forever. So make sure your app doesn't store it or store it in a secure way (like using Android's key store provider to generate and store a key to encrypt the access token).
If the implicitly issued access token expires you could consider using the "Authorization Code Flow". That's quite similar but it contains an additional step to receive the access token and a "refresh token" that can be used to renew the access token. I leave it up to you to figure out how that works.
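The four steps above put together as plain Java that an Android app could call (this is an added example, not code from the answer or from Twitch; the client ID 123456, the redirect URI https://localhost:12398/ and the two scopes are the answer's placeholders, the redirect URL in main() is a constructed sample, and the class name TwitchImplicitGrant is mine; it uses the Java 10+ Charset overloads of URLEncoder/URLDecoder). The state is 128 bits from SecureRandom and is compared in constant time on the way back; a response is only accepted if it arrived at the registered redirect URI, carries no error parameter, matches the state, and grants exactly the scopes that were requested.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

// Example helper (not Twitch's or the answer's code) for the implicit grant described above.
// Client ID, redirect URI and scopes are the answer's placeholders; main() uses a constructed redirect.
public final class TwitchImplicitGrant {

    private static final String AUTHORIZE = "https://api.twitch.tv/kraken/oauth2/authorize";
    private static final SecureRandom RNG = new SecureRandom();

    private final String clientId;
    private final String redirectUri;
    private final Set<String> scopes;
    private final String state;

    public TwitchImplicitGrant(String clientId, String redirectUri, Set<String> scopes) {
        this.clientId = clientId;
        this.redirectUri = redirectUri;
        this.scopes = new LinkedHashSet<>(scopes);
        // 128 random bits per authorization attempt, never reused across attempts.
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        this.state = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Step 2: every parameter value is URL-encoded, scopes are joined with a space.
    public String buildAuthorizeUrl() {
        return AUTHORIZE
                + "?response_type=token"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&scope=" + enc(String.join(" ", scopes))
                + "&state=" + enc(state);
    }

    // Step 4: called with the URL that WebViewClient.shouldOverrideUrlLoading intercepted.
    public String extractAccessToken(String redirectedUrl) {
        int hash = redirectedUrl.indexOf('#');
        if (!redirectedUrl.startsWith(redirectUri) || hash < 0) {
            throw new SecurityException("not a redirect to the registered URI with a fragment");
        }
        Map<String, String> params = parseQuery(redirectedUrl.substring(hash + 1));
        if (params.containsKey("error")) {
            throw new SecurityException("authorization failed: " + params.get("error"));
        }
        // state: reject a response this app did not initiate (CSRF); compare in constant time.
        byte[] got = params.getOrDefault("state", "").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(got, state.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("state mismatch");
        }
        // scope: accept only a token carrying exactly the scopes that were requested.
        Set<String> granted = new LinkedHashSet<>(Arrays.asList(params.getOrDefault("scope", "").split(" ")));
        if (!granted.equals(scopes)) {
            throw new SecurityException("granted " + granted + " but requested " + scopes);
        }
        String token = params.get("access_token");
        if (token == null || token.isEmpty()) {
            throw new SecurityException("no access_token in fragment");
        }
        return token;
    }

    // Splits "a=b&c=d" into a map, percent-decoding keys and values.
    private static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new HashMap<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) {
                out.put(URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8),
                        URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
            }
        }
        return out;
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        TwitchImplicitGrant flow = new TwitchImplicitGrant("123456", "https://localhost:12398/",
                new LinkedHashSet<>(Arrays.asList("user_read", "channel_read")));
        System.out.println(flow.buildAuthorizeUrl());
        // Constructed sample of the step-4 redirect; "xxx" stands in for a real token.
        String ok = "https://localhost:12398/#access_token=xxx&scope=user_read%20channel_read&state="
                + flow.state;
        System.out.println("token: " + flow.extractAccessToken(ok));
    }
}
```

In the app, buildAuthorizeUrl() is what the WebView loads and extractAccessToken() is what shouldOverrideUrlLoading hands the redirected URL to. Every SecurityException case (a forged or missing state, a different scope set, an error parameter, a redirect elsewhere) is a case where the WebView should simply be closed and nothing stored; the state value, being base64url, needs no further encoding in the URL.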
My question is similar to this post:
How to get an access token without Box’s authorization page
In that post, he asks:
I have been granted access (collaborate) in a folder. What I need is to access the folder daily and fetch files from it. Right now the developer token I generate expires in 1 hour. Is there a way I can get the authorization code without the first leg, which requires a user interface? This way I can refresh the access token whenever I fetch files.
The highest rated answer from "Skippy Ta" tells me most of what I need to know EXCEPT the following:
How do I authenticate using the developer token and how do I refresh? From the github repo for the HelloWorld sample app (https://github.com/box/box-java-sdk-v2) I downloaded, I see these two steps:
boxClient.authenticate(boxOAuthToken);
for the initial authentication, and
boxClient.addOAuthRefreshListener(new OAuthRefreshListener() {
    @Override
    public void onRefresh(IAuthData newAuthData) {
        // TODO: Update the stored access token.
    }
});
for the refresh.
I'm having trouble putting all this together. First, the authenticate method does not accept a String boxOAuthToken, it accepts an IAuthData object, whatever that is. So I cannot conduct the initial authentication.
Even if I were to achieve initial authentication, I could not refresh, because I don't know how to access the token once I'm authenticated in order to store it, and if I stored that token as a String, I don't know how to wrap it in the proper object and conduct the update alluded to by the
// TODO: Update the stored access token.
comment above. Thanks for any help you can offer.
You can take a look at the javafx login UI: https://github.com/box/box-java-sdk-v2/tree/master/BoxJavaFxOAuth
But anyway if you need to build a BoxOAuthToken object from access token and refresh token and authenticate from it, here is what you can do:
HashMap<String, String> tokenMap = new HashMap<String, String>();
tokenMap.put("access_token", access);
tokenMap.put("refresh_token", refresh);
BoxOAuthToken token = new BoxOAuthToken(tokenMap);
boxClient.authenticate(token);
As for the refresh, the sdk auto-refreshes. The only time you need to worry about it is when your app quits and you need to persist the auth. At that point you can save the oauth token out. The refresh listener is used to update the oauth token for you so at the point you need to save oauth out, you have the latest oauth data.
I'm using PayPal Express Checkout to make reference payments. Right now, the sdk loads PayPal credentials (user id, password, signature) from a resource file (sdk_config.properties) - is there any way to set the credentials (user id, password, signature) from code?
I'm not familiar with their SDK but you should be able to just update the values of those constants or whatever types of variables they're using with your own dynamic values.
Alternatively, you might want to look into the Permissions API as it sounds like you're attempting to make calls on behalf of 3rd party users..??
We have made some good improvements to the PayPal Java SDK on integration steps. We are removing the need for the sdk_config.properties file as it does not work as well, especially for multi-configuration settings.
Now, all you do is create an APIContext instance with clientId, clientSecret, and mode. You pass that context object for any API operation from there on.
Here is how the code would look:
APIContext context = new APIContext(clientId, clientSecret, "sandbox");
Payment payment = new Payment();
// Fill in all the details.
payment.create(context);
Here is the wiki page explaining that: https://github.com/paypal/PayPal-Java-SDK/wiki/Making-First-Call