I am trying to create a prototype using Firebase on AppEngine, and I keep hitting the 9-hour quota as described here: https://cloud.google.com/solutions/mobile/firebase-app-engine-android-studio#configuring_the_app_engine_backend_to_use_manual_scaling
The doc states the following:
To use Firebase with App Engine standard environment, you must use manual scaling. This is because Firebase uses background threads to listen for changes and App Engine standard environment allows long-lived background threads only on manually scaled backend instances.
I am just using Firebase Authentication and Need to verify the clients hitting my app engine endpoints which I do using Firebase Admin SDK. so does it still need to spawn threads to listen for changes? Is there a way to configure Firebase to not need these background threads, and therefore, not need manual scaling?
OR is there any other easy way to Do OAUTH custom authentication for anonymous & different social providers ?
yes you can use the Firebase Authentication without using Backend Instances. You need to use Java Admin SDK 4.0.4. then you can run an automatic scaling instance (Frontend Instance)
Please see the following post
Verify Firebase Token at Google App Engine
You do not need manual scaling to use Firebase Authentication with App Engine standard environment applications.
This tutorial is for Python, but the pattern and flow would be the same for Java. The overall flow would be similar in that you'd trigger on the client side your authorization flow, the user would choose from your allowed auth providers, Firebase would return the JWT token to your front-end script, you would send that token to your backend where you would decode it using the Firebase certificates and exchange it for your auth tokens.
From that tutorial, the client-side HTML and Javascript would be identical for you. You would just need to recreate the backend logic for Java.
Again, the automatic scaling instances would work just fine for you.
Related
I have a java (Spring boot) web service which does not have any UI.
I want to send a dynamic Email (created using Thymeleaf and injecting values from a database) using my web service on a daily Cron schedule, using Microsoft Graph and O365 APIs.
Right now I use SMTP to send emails, but I cannot use it anymore as that is no longer going to be supported by the O365 account that I am using.
I found the SendMail APIs on the Graph Documentation which looks pretty straightforward.
But, using the Graph AIPs requires you to create an Azure AD project first and use their Microsoft Identity platform - which I created.
Now, the problem is that most of the flows also require a user to manually login from a login window.
This is where things get complicated.
I do not have a place to show a Login window to any user from my web service, because it is just a backend service there is no UI. I intend to use a service account for sending the emails through the Application.
I found a Daemon support as well, but it seems to only support Python or .Net code.
Migrating my code from Java to either of those platforms just to be able to send emails
does not feel like a good solution.
And, I'm not even sure if they even offer similar capabilities of sending dynamic emails like Java+Thylemeaf do?
Is there a way to be able to continue doing this using my existing code in Java?
If not, then as the worst case scenario, are there any libraries in Python which can allow me to send dynamic emails like thymeleaf does in Java?
As you don't want to manually login from a login window, you can use the client credential flow.
Here is the guide regarding how to access graph api without user.
Reference:
msgraph-sdk-java-auth (You can choose to use Client credential provider)
I'm a bit confused on how I can implement a user system into my application.
For a small overview, the mobile application needs to allow users to login or register, follow other users, and favorite/like items.
I've checkout out the documentation on Google Cloud Platform for implementing User Auth:
https://developers.google.com/identity/protocols/OpenIDConnect
https://cloud.google.com/appengine/docs/standard/java/users/
https://cloud.google.com/appengine/docs/standard/java/oauth/
I've used Parse in the past, and would expect the Firebase User Auth system to offer a similar experience, however due to Firebase conflicts with App Engine, that route is a no-go.
I understand there is also the User API, which can be used for things like restricting Cloud Endpoints calls to logged in users.
How can I roll a user auth system for my application? The best solution that comes to mind would be to just store user emails and passwords in Google Cloud Datastore, and check if the combination exists when a user logs in. However, I'm fairly unfamiliar with creating user systems and this seems like it would come with some sort of security issues.
you can use Firebase Authentication with Google App Engine. Your information that you have to use manual scaling instance is not correct. This was a bug and were fixed. Please see the following post for more informations
Verify Firebase Token at Google App Engine
We have mobile application backend running in AWS. Backend build using Java spring front end supported for native iOS, native Android and angular js based website, it has own authentication using email id and password. Now we are planning to integrate our app authentication with our organisation Active directory which available in Azure AD.
We have outline idea about Azure portal application creation, use ADAL library to get token from azure. But we are not clear about how we can validate token at web service side. Could you please enlighten us about integration process
Unfortunately, Azure AD doesn't have great guidance on securing a web API in Java at this time. However, taking the open-source approach isn't terribly difficult in this case.
Azure AD's access tokens are JWTs, which are essentially just base64 encoded JSON strings with a signature. jwt.io has compiled a nice list of open-source libraries that can be used to validate JWTs (some libraries for generating them too, fyi). The best reference material available at this time is:
The claims listed in this token reference article where necessary (ignore the comment about id_tokens only, that's incorrect).
The OpenID Connect spec also has some good tidbits on how to validate tokens. You should also make sure to validate the scope claim, which won't be mentioned there.
This code sample shows how to take this approach, but it's in .NET. You can follow its patterns for Java.
The hardest part will be robustly fetching, caching, and refreshing the Azure AD public signing keys, making sure your app can handle key rollover. Microsoft's .NET open source library, for instance, refreshes the keys every 24 hours and refreshes them immediately any time signature validation fails. Most JWT libraries won't do that for you. The signing keys are available via Azure AD's OpenID Connect metadata endpoint,
https://login.microsoftonline.com/<tenant-or-common>/.well-known/openid-configuration
The OpenID Connect spec also has information on the format of the data available there.
I'm new to Firebase and Android programming, I have some questions regarding Firebase custom authentication.
I build an android application of social report (for broken public infrastructure) which needed simplest solution for automatic authentication. Since it is a social report app in which users shouldn't be bothered in registration process by inputing any kind of data. So I decided to use Android uuid as an identifier of user instead of email/user name/etc. I loosely implement user authentication and registration. It only need Android device uuid to register/authenticate (don't even need a password). Although, I think I've secured user data in firebase security rules well enough.
I've successfully created a custom automatic authentication/registration server with Go language which mints and store the data from the Firebase itself. These are my current workflow:
The Android client automatically sends a request to my auth server. The request data contains Android uuid and several other data. I'm going to put it in onCreate activity. So every time user opens the application up, it will request for a token.
My auth server checks whether that particular uuid is stored in my Firebase. If it is, then generate a JWT. If not, my server will automatically create a new user data entry in my Firebase and send back a new JWT.
Someway save the JWT within the client app, and use that to do data transaction with firebase.
I managed to learn the Firebase library for Android, it is great and very simple. I found a lot of Android http request libraries (two of them are retrofit and volley). Yet, I still uncertain of the best way to send the auth request from the Android client.
What is the preferred/simplest way to send custom auth request in the client app, based on the requirements and workflow I've specified above? Do I need to use http request library to simplify the code? sample/snippet of code would be very helpful. What is the best way to store and use the JWT in the client app? Is my current workflow good enough? Evaluations are much appreciated.
As a side note, this is my school final project, not a production application. So I don't mind elaborate cases like whether user is having more than one phone, or buying second phone which ought to have same uuid with the previous owner, etc. Also, please spare my weird grammar/non-idiomatic language as I'm not a native english speaker.
The easiest way with Android is to use signInWithCustomToken() on a Firebase auth object (FirebaseAuth).
Here is the reference in the docs, including sample implementation code:
https://firebase.google.com/docs/auth/android/custom-auth
Good luck with the project.
Background
I believe the recommended way to access Google services from Android is to use the Google APIs Client Library for Java (for some services play services is recommeneded too).
If you want to access your user's account, you use oauth2 to authenticate the user, but things seem less clear if you want to access your own services (eg. I want to access Google Cloud Storage belonging to my app engine project).
The problem with service accounts
What I see a lot of here is using service accounts, and I've used them server-side and found them to be a comparatively simple solution, but this requires you to deploy your private key so I don't think this could be right for public Android apps.
The solution: Public API access
If you go to the 'credentials' page of the cloud console:
https://console.developers.google.com/project/[your_project]/apiui/credential
it seems pretty clear that they expect you to use a 'public API access key' for the situation I'm describing. It appears that this is not OAUTH based.
I assume that I will still use the type 'GoogleCredential' for this, but in the documentation for the credential builder I don't see how to do this. The set client functions appear to relate to the oauth2 access (which uses client ID/secret).
The Question
How do I use the 'public API access' key to access Google services from an Android app.
Or, if I'm wrong about service accounts - and they really are the recommended solution, then please show me some evidence of this because it certainly apppears to me that they are not the right solution for publicly distributed apps.
The good news is that it's very much easier. You can either use a Service Account (ie. a brand new account dedicated to your app) or a regular account.
For a service account you embed the key in your app, for a regular account you embed a refresh token in your app. In both cases, be aware of the security risk and use the minimal scope necessary.
You can get a refresh token without writing any code by following the steps in How do I authorise an app (web or installed) without user intervention? (canonical ?)