I'm a bit confused on how I can implement a user system into my application.
For a small overview, the mobile application needs to allow users to login or register, follow other users, and favorite/like items.
I've checkout out the documentation on Google Cloud Platform for implementing User Auth:
https://developers.google.com/identity/protocols/OpenIDConnect
https://cloud.google.com/appengine/docs/standard/java/users/
https://cloud.google.com/appengine/docs/standard/java/oauth/
I've used Parse in the past, and would expect the Firebase User Auth system to offer a similar experience, however due to Firebase conflicts with App Engine, that route is a no-go.
I understand there is also the User API, which can be used for things like restricting Cloud Endpoints calls to logged in users.
How can I roll a user auth system for my application? The best solution that comes to mind would be to just store user emails and passwords in Google Cloud Datastore, and check if the combination exists when a user logs in. However, I'm fairly unfamiliar with creating user systems and this seems like it would come with some sort of security issues.
you can use Firebase Authentication with Google App Engine. Your information that you have to use manual scaling instance is not correct. This was a bug and were fixed. Please see the following post for more informations
Verify Firebase Token at Google App Engine
Related
I have wrote a simple web application with few tables. It has it's administration area where you can manage it's table. Basic CRUD operations.
However, I need to develop an Android application which will retrieve information from this web application trough API. So I am going to write a simple API methods for fetching data. Also there will be sometimes when Android user will save some of its data to database.
Android application needs to be able to list items stored in database and bookmark some of those items over HTTP.
To me problem is how to implement SingIn / SignOut operations using Android's Google account. For example, application GMail is always signed in (at least on my device) and I want my application to be always signed in.
Then, how can I manage what items user bookmarked? Should I create a table android_bookmarked_items (android_user_id, item_id)? But then what should be android_user_id? Do I need to use OAuth?
I am doing this kind off sign in for the first time and I am really confused how to connect this web application with android user and manage bookmarked items per user...
You can make use of Android AccountManager. Check out How to get the Android device's primary e-mail address
I think i have found solution by using Google Sign-In for Android. I get idToken for currently login user before each POST request and verify it on server side. Also from the token I get property sub which is user id and store this in my database...
Auth with a backend server
However, I am pretty new to this stuff, tokens and authentication using google, I would like for someone more experinced to confirm that my solution is fine and secure...
I'm a beginner learning android app development.
I have a requirement for a user to be able to Read messages (just the body content - text only) from a Gmail account (Read-only mail extraction?) and save the email content within the app.
I don't need to retrieve messages when the user is not actively using the app.
The app and SQLite database I am building sits on the phones internal local storage. I do not have a backend server.
I have looked at the Gmail API tutorial here: https://developers.google.com/gmail/api/guides/
As I understand, I need to use the Gmail API and ensure that a user of my app can authenticate as a Gmail user.
Is anyone able to advise:
1) if this is feasible to do without a back end server?
2) any tutorials as to how to approach this, or would you recommend just working through the material I listed above?
3) (I understand this is highly subjective) how substantial a task this is to undertake for a learner (This is an educational project, so I am limited by time - if it takes me more than 3-4 days I will run out of time!) An idea as to how long it might take someone who is experienced would help me to grasp the scale of the task.
Google uses Oauth2 to authenticate and track applications connected with a user's account. You will need to get a security key for app from google. Because you do not have server, you will want to get a client only key and not the service key. You can get the client key by going to the Google API Console. For help about how to let the user sign-in to their account you can look at this Android tutorials here. After you get the google sign-in working you can continue on to getting the Gmail messages.
It may seem like a complicated process, but you should be able to have in working in a short amount of time if you go through the tutorials on Google's developer's site. I got a similar app working in only about an hour. To add a nice user interface will take longer, but thats up to you.
Background
I believe the recommended way to access Google services from Android is to use the Google APIs Client Library for Java (for some services play services is recommeneded too).
If you want to access your user's account, you use oauth2 to authenticate the user, but things seem less clear if you want to access your own services (eg. I want to access Google Cloud Storage belonging to my app engine project).
The problem with service accounts
What I see a lot of here is using service accounts, and I've used them server-side and found them to be a comparatively simple solution, but this requires you to deploy your private key so I don't think this could be right for public Android apps.
The solution: Public API access
If you go to the 'credentials' page of the cloud console:
https://console.developers.google.com/project/[your_project]/apiui/credential
it seems pretty clear that they expect you to use a 'public API access key' for the situation I'm describing. It appears that this is not OAUTH based.
I assume that I will still use the type 'GoogleCredential' for this, but in the documentation for the credential builder I don't see how to do this. The set client functions appear to relate to the oauth2 access (which uses client ID/secret).
The Question
How do I use the 'public API access' key to access Google services from an Android app.
Or, if I'm wrong about service accounts - and they really are the recommended solution, then please show me some evidence of this because it certainly apppears to me that they are not the right solution for publicly distributed apps.
The good news is that it's very much easier. You can either use a Service Account (ie. a brand new account dedicated to your app) or a regular account.
For a service account you embed the key in your app, for a regular account you embed a refresh token in your app. In both cases, be aware of the security risk and use the minimal scope necessary.
You can get a refresh token without writing any code by following the steps in How do I authorise an app (web or installed) without user intervention? (canonical ?)
I've written a simple login system with Google App Engine, and I want to make sure that an admin (with access to the whole admin dashboard) can't see the passwords that users are submitting. Specifically, my concern is with the logs. Is using POST's (as opposed to GET's, which are bad for obvious reasons) enough to keep parameters like passwords out of the logs? If not, how do I do that?
Thanks
First of all, you have to make sure that this not very trustworthy individual has a role of a "viewer" in your app. A user with a role of developer or owner can see anything he wants. For example, he can upload a new version of the app (which may not be even related to your app) that will load all passwords from the Datastore and email them somewhere. Or this app will ask users for a password and send it somewhere.
Second, unless you add code specifically for logging passwords (or any other POST parameters), App Engine logs will not contain this information.
You may find this article interesting: Demystifying the App Engine request logs
Hi I am developing an Android App where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But i was looking to do something else, maybe use an OpenId account to authenticate or Opensoial or something like Facebook Connect. Any Suggestions and comments? thanks for you help.
First, please do not whine about not getting answers after only an hour, particularly when it's Sunday in much of the world. If you want responses in less than an hour on a weekend, hire an expensive consultant.
Hi I am developing an Android App
where I require a user to authenticate
his session before using the app.
Why?
Any Suggestions and comments?
Most Android applications do not require authentication for local use. They may require authentication for access to online content (e.g., Web service), in which case the authentication is handled by the Web service and uses technology dictated by the Web service.
Bear in mind that any online authentication process (e.g., OAuth, Facebook Connect) means your application cannot be used in offline mode.
If your goal is to use authentication as some means of helping to combat piracy, you might consider using the new LVL system that Google released this week.