Firebase Authentication: are there any limits in sign in with Google options - firebase-authentication

Are there any limits on Firebase Authentication with Google sign-in? If yes, how many Gmail accounts can I authenticate per day?

There is no documented limit to how many people can sign in to Firebase with Google sign-in credentials. While there may be a limit to protect against abuse, it is not something you should usually worry about.
Btw: Google sign-in credentials are not limited to Gmail users, as you can create a Google account based on any email address.

Related

Authentication/Authorization in Gmail API

I am creating an app to extract a user's emails once they arrive at the user's Gmail account (automatically).
After reading the Gmail API docs, I conclude that each extraction (of a Gmail) would require a user authorization through the OAuth 2.0 flow.
I am wondering if there is a way to extract a (G)email by providing an api_key (each Gmail account would have its own api_key, obtained by the Gmail account user registering the app with Google)? The key is to extract (G)email without requiring manual authorizations by Gmail account owners.
After looking into the issue carefully, I have drawn a conclusion that Gmail (Hotmail, Yahoo mail are the same) does not support the api_key authentication method for email accesses, i.e. each time before an app accesses a Gmail account, manual authentication is needed.

Developer-authenticated end users with Google Cloud Platform

For authenticating end users to things like IoT services, many cloud services have a custom option: The client authenticates with the dev's own server (however the dev implements that), which in turn gets a token from the cloud service and sends that to the client for authentication with the cloud service. Amazon and Twilio are examples of this. This allows for a fully customizable auth.
If I understand correctly, Google Cloud Platform requires end users to authenticate with Google's OAuth2 service, meaning they must sign in with a Google account. I don't see any way around this, but the limitation is so severe that I wonder if I'm missing something. Is there some way I can instead authenticate users my own way?
"meaning they must sign in with a Google account"
That's not entirely correct, you probably overlooked this in the very doc you referenced (emphasis mine):
"Firebase Authentication gives you a robust, secure authentication system-in-a-box that helps you do sign in with any account your users want to use. Firebase Authentication supports password authentication in addition to federated sign in with Google, Facebook, Twitter, and more, allowing you to easily scale your authentication system as you grow on desktop and mobile."
So you can have your users choose their username and password or login using one of their supported 3rd party non-Google accounts.
But it will still be Google handling the authentication for you, which is good if you plan to use other GCP products/services as the authentication can be propagated.
If you want to handle the authentication yourself - nothing stops you from doing that, but it may be difficult/impossible to integrate it with other GCP products/services. The Plain OAuth 2.0 might be what you're looking for (I don't understand it enough), search for it in the Compare Auth Options guide.

Should I use Firebase custom Auth or Google OpenID OAuth to authenticate users?

I need to build a custom auth system with and I don't know what to choose between Firebase Auth and Google OAuth/OpenID.
I don't want my users to sign in through Google accounts nor Facebook nor Twitter etc.
I want to use my own user database to authenticate my users.
So what is the best and most secure, reliable, scalable option to set this up?
Thanks
If you have an existing list of user credentials (e.g. Active Directory, LDAP or a database with user names and passwords) you can authenticate those users yourself and then tell Firebase about them with Custom Authentication tokens.
Using Google authentication makes no sense in that case, since the credentials you have are not for Google accounts.
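
Added example (not part of the original answers): the flow described above, where the developer's own server checks credentials and then hands the client a token, shown with a Firebase custom token built with Node's crypto module. The claim layout follows Firebase's documented custom-token format; the RSA key, service-account address, user store and all function names are constructed stand-ins.

```javascript
const crypto = require('crypto');

// Constructed stand-ins: a real deployment uses the service account's key and e-mail.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SERVICE_ACCOUNT = 'svc@example-project.iam.gserviceaccount.com'; // placeholder
const AUD = 'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Hypothetical user store: salted scrypt hashes, never plaintext passwords.
const hashPw = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const salt = crypto.randomBytes(16);
const USERS = { alice: { uid: 'user-1001', salt, hash: hashPw('correct horse', salt) } };

function checkPassword(username, password) {
  const rec = Object.prototype.hasOwnProperty.call(USERS, username) ? USERS[username] : null;
  // Hash even for unknown users so both paths do comparable work.
  const candidate = hashPw(password, rec ? rec.salt : Buffer.alloc(16));
  const ok = rec !== null && crypto.timingSafeEqual(candidate, rec.hash);
  return ok ? rec.uid : null;
}

function mintCustomToken(uid, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof uid !== 'string' || uid.length < 1 || uid.length > 128) throw new Error('bad uid');
  const header = { alg: 'RS256', typ: 'JWT' };
  const payload = { iss: SERVICE_ACCOUNT, sub: SERVICE_ACCOUNT, aud: AUD,
                    iat: nowSec, exp: nowSec + 3600, uid }; // lifetime capped at one hour
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return signingInput + '.' + b64url(sig);
}

// Login handler: a token is issued only after our own credential check succeeds.
function login(username, password) {
  const uid = checkPassword(username, password);
  return uid ? mintCustomToken(uid) : null;
}

// Inspection helper: checks the signature, then returns the claims (null if invalid).
function verifyAndDecode(token) {
  const [h, p, s] = token.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), publicKey, Buffer.from(s, 'base64'));
  return ok ? JSON.parse(Buffer.from(p, 'base64').toString('utf8')) : null;
}
```

The client passes the returned string to the Firebase SDK's custom-token sign-in call; the private key stays on the server and is never shipped to clients.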

Is there a way to force my website's users to use 2-step verification when they signin on my website with Google Identity platform?

I have a website where users can sign in with Google login. I would like to force some of them (who wish to better protect their account on my website) to sign in with 2-step login even if they haven't activated it for Gmail.
You cannot force 2-step verification and cannot sign the user out of Google, forcing them to sign back in using 2-step, using the Google+ API or Identity platform.

Using OAuth (Twitter, LinkedIn) for login to a web app

Should I use OAuth, for example LinkedIn or Twitter, as my sign-in mechanism for my app? It seems that most apps just use OAuth to connect other services to it, but they make you set up your own user/password after you use OAuth (including StackOverflow), and I'm not really sure why this is. Would love some insight here. Thank you.
Why not use OpenID, to allow people to sign into your application, without having to type any specific login/password?
Quoting the corresponding Wikipedia entry:
"OpenID is an open, decentralized standard for authenticating users which can be used for access control, allowing users to log on to different services with the same digital identity where these services trust the authentication body. OpenID replaces the common log on process that uses a login-name and a password, ..."
BTW, that's exactly how one logs in on Stack Overflow ;-)
OAuth's purpose is not authenticating your users with your site; it is letting your users allow you (the OAuth consumer) access to their protected resources on other sites (OAuth providers) like LinkedIn, Twitter, Google APIs etc.
For authentication, you should use OpenID, as others have pointed out.
Twitter provides a Sign in with Twitter flow that is OAuth but provides a faster redirect if it is an existing user of your service and they are already authenticated with Twitter.
http://apiwiki.twitter.com/Sign-in-with-Twitter
If you are building a Twitter-centric application this makes a lot of sense to use and you won't have to implement an entire alternate authentication method like OpenID.
Be careful if you let users authenticate with both Twitter and LinkedIn as users will inadvertently create two accounts and need them to be merged.
Facebook and Twitter both have the "Login with Facebook/Twitter" APIs to actually allow users to log in without having to create an account for your website. Both of them will return you a valid session that may (or may not) expire. So you actually wouldn't have to ask users to decide on a username/password, as you can fetch both from the APIs (you cannot get the user's email address when using Twitter though).
So why add those functions to your website?
Users are in general more likely to hit the "Login with ..." button than going through the whole mail address authorization process and entering their name, etc...
LinkedIn only has OAuth for usage to its API. It will also depend on what type of language you are writing your webapp in; they should have premade wrapper libraries you could tap on to.