Hi I am developing an Android App where I require a user to authenticate his session before using the app. One way is to store a user name and password by asking him to register on the app and then use that to authenticate him. But i was looking to do something else, maybe use an OpenId account to authenticate or Opensoial or something like Facebook Connect. Any Suggestions and comments? thanks for you help.
First, please do not whine about not getting answers after only an hour, particularly when it's Sunday in much of the world. If you want responses in less than an hour on a weekend, hire an expensive consultant.
Hi I am developing an Android App
where I require a user to authenticate
his session before using the app.
Why?
Any Suggestions and comments?
Most Android applications do not require authentication for local use. They may require authentication for access to online content (e.g., Web service), in which case the authentication is handled by the Web service and uses technology dictated by the Web service.
Bear in mind that any online authentication process (e.g., OAuth, Facebook Connect) means your application cannot be used in offline mode.
If your goal is to use authentication as some means of helping to combat piracy, you might consider using the new LVL system that Google released this week.
Related
I'm a beginner learning android app development.
I have a requirement for a user to be able to Read messages (just the body content - text only) from a Gmail account (Read-only mail extraction?) and save the email content within the app.
I don't need to retrieve messages when the user is not actively using the app.
The app and SQLite database I am building sits on the phones internal local storage. I do not have a backend server.
I have looked at the Gmail API tutorial here: https://developers.google.com/gmail/api/guides/
As I understand, I need to use the Gmail API and ensure that a user of my app can authenticate as a Gmail user.
Is anyone able to advise:
1) if this is feasible to do without a back end server?
2) any tutorials as to how to approach this, or would you recommend just working through the material I listed above?
3) (I understand this is highly subjective) how substantial a task this is to undertake for a learner (This is an educational project, so I am limited by time - if it takes me more than 3-4 days I will run out of time!) An idea as to how long it might take someone who is experienced would help me to grasp the scale of the task.
Google uses Oauth2 to authenticate and track applications connected with a user's account. You will need to get a security key for app from google. Because you do not have server, you will want to get a client only key and not the service key. You can get the client key by going to the Google API Console. For help about how to let the user sign-in to their account you can look at this Android tutorials here. After you get the google sign-in working you can continue on to getting the Gmail messages.
It may seem like a complicated process, but you should be able to have in working in a short amount of time if you go through the tutorials on Google's developer's site. I got a similar app working in only about an hour. To add a nice user interface will take longer, but thats up to you.
Background
I believe the recommended way to access Google services from Android is to use the Google APIs Client Library for Java (for some services play services is recommeneded too).
If you want to access your user's account, you use oauth2 to authenticate the user, but things seem less clear if you want to access your own services (eg. I want to access Google Cloud Storage belonging to my app engine project).
The problem with service accounts
What I see a lot of here is using service accounts, and I've used them server-side and found them to be a comparatively simple solution, but this requires you to deploy your private key so I don't think this could be right for public Android apps.
The solution: Public API access
If you go to the 'credentials' page of the cloud console:
https://console.developers.google.com/project/[your_project]/apiui/credential
it seems pretty clear that they expect you to use a 'public API access key' for the situation I'm describing. It appears that this is not OAUTH based.
I assume that I will still use the type 'GoogleCredential' for this, but in the documentation for the credential builder I don't see how to do this. The set client functions appear to relate to the oauth2 access (which uses client ID/secret).
The Question
How do I use the 'public API access' key to access Google services from an Android app.
Or, if I'm wrong about service accounts - and they really are the recommended solution, then please show me some evidence of this because it certainly apppears to me that they are not the right solution for publicly distributed apps.
The good news is that it's very much easier. You can either use a Service Account (ie. a brand new account dedicated to your app) or a regular account.
For a service account you embed the key in your app, for a regular account you embed a refresh token in your app. In both cases, be aware of the security risk and use the minimal scope necessary.
You can get a refresh token without writing any code by following the steps in How do I authorise an app (web or installed) without user intervention? (canonical ?)
Using an (Linux, not Android, based) embedded device, I attempt to access data on a Google Drive. Following the guidance of "Using OAuth 2.0 for Installed Applications", this almost works. The remaining problem is that the renewal token itself expires after 6 month. It is my understanding that since this is an embedded device, there's no user present to ask to provide consent, hence no way to get a new authorization code and consequently no way to get a new renewal token.
I just learned that for google accounts using two-factor authentication, one can obtain application specific "App passwords", which (I believe) don't expire. I haven't seen much in terms of documentation of such though (other than how to acquire them). How would I use them in my application? Can I use such an password to instantiate a com.google.api.client.auth.oauth2.Credential?
Hey all, i want to integrate my Blackberry App with Twitter, and found that the way to do it is with OAuth. The problem I have is that i would like to do the verification of this from my server as to put less strain on the device, but I have no idea how to get the OAuth PIN from the server to be displayed on the device so the user can enter it, any ideas as to how i can do this? or an alternative ?
You can't. OAuth was designed such that only the service provider can provide authentication (so that the developers don't have to store their client passwords on their database servers and if the client changes their passwords, then it would have to be managed also on the developers side too). There is only one source of authentication and that's from the service provider (Twitter, in this case). Sharing of passwords is therefore eliminated.
OAuth doesn't work on PINs but rather using Request/Access Token. Follow the Beginners' Guide to OAuth and Twitter Developer's Auth Page to see how you can incorporate OAuth to Twitter. Just to give you an heads up, you will have to register your application to Twitter.
Update For Mobile and Desktop applications, rather go through Twitter's xAuth. Here's a documentation on how to register and use your application to use xAuth.
Twitter OAuth FAQ.
Is it possible to use a Facebook session in a Flash to authenticate on Google App Engine? I'm trying to create a Flash game and I want to use GAE as the back-end.
I'm not totally sure I understand the question but I think you mean that you have a Facebook session running in Flash but you also want to be able to connect to your back end on GAE and have it interface with the FB REST API.
If so, then yes. You simply create a URL for your GAE application that includes the FB authorization tokens (fb_sig*) and it should be able to re-use those to communicate with the Facebook API.
One caveat, though, is that the tokens may expire. If you run across that problem then you'll simply need to re-auth with Facebook in the Flash and re-send the tokens to your GAE request.