The application I'm creating is supposed to allow the client to send some feedback to the server, so I make a simple httprequest with my feedback and other information in it, but I wanna make sure that the request can only come from my application; the rest should be rejected. So what are my choices?
Thank you for your helpful directions in advance.
P.S.: I'm not asking for code, just the best practice.
I have looked for the same thing, and what is possible is to force the app users to sign in with their Google account; then you can get verification via tokens that the call came from your app, as described here: https://developers.google.com/identity/sign-in/android/backend-auth
That there isn't an option without having users sign in is disappointing.
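The checks a backend makes on the ID token in that sign-in flow, as an added example (not code from the original post or from Google): verify the RS256 signature, then the `aud`, `iss` and `exp` claims. The function names, the `demo-key` id and the toy RSA key are constructed for illustration; a real backend would use Google's client library and Google's published keys.

```python
import base64, hashlib, hmac, json, time

SHA256_DER = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix
ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def padded(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), k bytes long (RFC 8017)."""
    t = SHA256_DER + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_id_token(token, keys, client_id, now=None):
    """Return the claims if every check passes, else raise ValueError."""
    # keys maps kid -> (n, e), loaded from the issuer's published key set
    now = time.time() if now is None else now
    h64, p64, s64 = token.split(".")            # ValueError unless exactly 3 parts
    header, claims = json.loads(b64d(h64)), json.loads(b64d(p64))
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":            # rejects alg=none and HMAC variants
        raise ValueError("unexpected algorithm")
    n, e = keys.get(str(header.get("kid")), (0, 0))
    k, sig = (n.bit_length() + 7) // 8, b64d(s64)
    s = int.from_bytes(sig, "big")
    if n == 0 or len(sig) != k or s >= n:
        raise ValueError("bad signature")
    recovered = pow(s, e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, padded(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    if claims.get("aud") != client_id:          # token minted for some other app
        raise ValueError("wrong audience")
    if str(claims.get("iss")) not in ISSUERS:
        raise ValueError("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims

# Constructed toy key built from two Mersenne primes; for this demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def demo_token(claims, kid="demo-key"):     # stands in for the identity provider
    head = b64e(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64e(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(padded(f"{head}.{body}".encode(), k), "big"), D, N)
    return f"{head}.{body}.{b64e(sig.to_bytes(k, 'big'))}"
```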
Related
I have an app that provides initial login (authentication) with facebook or twitter.
I would like to add WeChat authentication.
App isn't on the stores yet.
Does anyone have any experience on this kind of authentication?
What are the steps to achieve it?
I'm so confused by the WeChat documentation because it seems to have two versions:
one used to send messages;
another one that, it seems, grants authenticated API access (Chinese documentation only?).
I think that a guide on SO is missing and can help a lot of people considering that documentation is not too clear.
The problem is that I cannot register my app:
if I use 'developers.wechat.com' I can't create an app because of this bug.
if I use 'https://open.weixin.qq.com/' I can't create my account because a Chinese phone number is required.
So?
So, my issue is that I can't find any information about how SMF (2.0.x) login requests work. I want to have a third-party application which would do a test login to make sure the username and password are connected to a user account, so it can then be used with other features of the app. The app is a LibGDX app, which is for PC use. However, I do not know how to do a login request to SMF and I don't know what it sends back either. If you know any documentation or know something yourself, please let me know!
I was able to figure out this by using this tutorial: http://www.mkyong.com/java/how-to-automate-login-a-website-java-example
I spent a lot of time looking for any clarifications about using OAuth with FB and Twitter.
I have to make an application which will be using an access_token. This token will also be used on different devices to access the user account via the API.
When I'm looking for "how to use access_token" I only find "how to get token".
If I missed something while reading the documentation please let me know, especially where there is an example of how to use this token on other devices to access the API to send e.g. a post.
I have found Twitter4j and Facebook4j; these libs helped me... I've got this access_token and now what next, how do I connect to the API... I know that it's not possible to get access to the Twitter API - OK, but what about FB and "client side"?
Please help.
OAuth can be complicated so let me try to explain it simply.
User visits your website
Your website checks if it has seen this visitor before (usually with a cookie)
If not, send them to FB/Twitter/Whatever's oauth url. In that redirect, we tell FB/Twitter/Whatever that we're going to need x,y,z permissions (access a user's timeline, see a user's friends, etc). We also tell FB/Twitter/Whatever that when the user says ok, send them back to www.myurl... Finally, we take everything in this request and "encrypt" it, to prove it's really our site asking. The key to this is only saved on our backend, so the frontend (javascript/html) never sees it.
FB/Twitter/Whatever sees the request. They also see the "encrypted" form of the request. FB/Twitter/Whatever knows this key too (they gave it to us, it's usually called the "secret" when you're configuring your oauth). They can verify it's really your backend asking for permission.
If the user agrees, we get a token. We store that token (on our backend, php, java, ruby, etc) and remember it belongs to that user.
The main thing to stress here is that in order to do the oauth handshake, you need a secret key that you never output to the browser. That means you'll need to implement part of this on your backend. You've tagged this with java so maybe that means you're using Java as your backend, maybe with Google App Engine or something. You'll need to find the oauth library for that, and work it out from there.
You can't create the oauth handshake only with frontend code.
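In OAuth 1.0a (RFC 5849, the version Twitter's API uses), the proof step described above is an HMAC-SHA1 signature keyed with the consumer secret, which the provider recomputes from its own copy. The following is an added example, not code from the original answer; the URL, secret and parameter values are constructed, and the function names are hypothetical.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    """Percent-encode per RFC 5849 section 3.6: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string. Assumes url is already normalized with no query
    string and that no parameter name repeats (simplifications for this example)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """Backend side: HMAC-SHA1 keyed with the consumer secret (and token secret, if any)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def provider_accepts(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute the signature from its own copy of the secret."""
    received = dict(params)
    claimed = received.pop("oauth_signature", "")
    expected = sign(method, url, received, consumer_secret, token_secret)
    return hmac.compare_digest(claimed.encode(), expected.encode())

# Constructed request-token call; every value below is made up for the example.
URL = "https://provider.example/oauth/request_token"
SECRET = "constructed-consumer-secret"
REQUEST = {
    "oauth_callback": "https://app.example/callback",
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "constructed-nonce-001",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}

def demo():
    """Returns (valid request accepted, tampered callback accepted, wrong secret accepted)."""
    signed = dict(REQUEST, oauth_signature=sign("POST", URL, REQUEST, SECRET))
    tampered = dict(signed, oauth_callback="https://other.example/callback")
    return (provider_accepts("POST", URL, signed, SECRET),
            provider_accepts("POST", URL, tampered, SECRET),
            provider_accepts("POST", URL, signed, "guessed-secret"))
```

A provider also has to reject reused nonces and stale timestamps, which this example leaves out.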
If this is a duplicate, sorry; I tried looking though.
I've read the docs at Google about authentication options for App Engine.
If I'm using just a simple POST 'protocol' between Android and GAE,
I can obviously authenticate my POSTs to make sure they came from 'account holders',
but what stops someone signing up, logging in or sending posts outside my app?
Is there some seed/signature in my Android app that 'says', "hey, this is communication coming specifically from my Android app"?
Thanks
There is no real way to stop someone from impersonating your client; almost every digital method that you can think of can be replicated on another digital device.
The question that you need to ask yourself is why do you care that the client is not a "real" client.
I am trying to login my Android users with their Google accounts. I managed to get auth token from AccountManager. I also found some info that I need to use Google App Engine (so I did). I wrote some code (it is not the issue) and I have two questions. Maybe someone can help me.
I was following this tutorial. I understand most of it. But should I write any server-side scripts? This tutorial doesn't mention any. Also according to this tutorial I should get code 302 response, which I get. Does it mean that authentication was positive? Or maybe now I have to do something?
I am getting auth cookie (I think it is auth cookie) which contains very long value (I think over 500 symbols), expiration date and name. How should I use this cookie? Or maybe I don't have to use it? How can I use it to get user google account username? (I think there is that kind of value, different from email address)
Can anyone help?
Thanks in advance.
You don't need to write any server-side scripts; all the server-side stuff is already on every Google App Engine app.
You need to pass the cookie when doing a request into App Engine.