I'm a total n00b to Firebase. Is it possible to collect the user Id and password from Firebase's authentication layer and use it to do my own authentication (against a store that's in my company's network)? If so, how do I go about doing this? Thanks in advance!
Related
I am developing a Xamarin forms application. The app is for company owners in which they can see the employee timesheets.The app can be accessed by userid and password which will authenticate via API.Iam intend to save the user credentials in app and provide a logout facility when they want.
My questions are
1. How can I securely store user credentials in xamarin forms , in which nobody should get the credentials by decompiling the app.
2. How can I securely pass the credentials via API and authenticate (I heard about base auth, OAuth) it with server.
3.If someone gets my user credentials and URL to post, but he should not get the
data.How can it be implemented?
Show me some guidance and links. Thanks in advance !
This question has nothing to do with Xamarin.Forms, it is more about general architecture and security considerations.
You should not store user credentials but an authentication token that will be returned from the API in case of a successful user authentication. This token should have a limited lifetime - depends on the business needs.
HTTPS
Since you will not store sensitive data like user login and password on the phone, the risks of someone obtaining those will be slightly minimised. In any case you could invalidate the token if a malicious behavior will be detected and force the user to change the password.
For storing the authentication token securely on the device you could use Xamarin.Essentials
Is there a line of code that bypasses the second app authentication screen where you select Allow or Deny? I would like our users to automatically be connected to the registered app.
Thanks!
No, it is not possible to bypass that step. If it were possible it would be a security hole.
Yes, is it possible, for paid networks. To be able to do this, your application should use an access token that must be authorized as verified network admin, so it could impersonate user access tokens, take a look at impersonation on Yammer documentation for more information about this.
I'm using Firebase in my iOS and web app to handle user authentication. I need to make sure a user is logged in before he can make any requests to my API. How would I accomplish such a thing with Firebase?
I'm thinking about using Kong - https://getkong.org - as a middleman for my API. Kong has a few options in relation to authenticating incoming requests - https://getkong.org/plugins. What would work with Firebase? JWT authentication? OAuth authentication? Key authentication?
Can you point me in the direction of a basic example? Or give me a basic overview of what I should be looking for?
I ended up authentication the users token server-side, like this:
https://gist.github.com/holgersindbaek/2cc55efd89517e21fbb52b4e95125003
Firebase can allow you to require that a user be logged in with a third party service, such as Google or Facebook, before they can take certain data operations. There's fairly comprehensive documentation from Firebase themselves: https://firebase.google.com/docs/auth/
I have a user provide me the organization he wants to Sync with our system. We create the hooks afterwards for each App of the Organization.
The only workaround I found is to ask for each App ID and Token or the username authentication.
How can a Webhook be authentified to have the right to get items from all Apps at the same time? (like a server-side authentication)
There are a couple of options: The best is to contact Podio support and get an increased trust level for your API key. Then app tokens can be retrieved through the API and you can fully automate hook creation.
The alternative is to create a user that's a member of all spaces which you can authenticate as using password-based authentication.
I have built my own REST API with Symfony2. To query this API, user have to authenticate himself with OAuth protocol (three legs flow).
Now, I'm going to develop the front office based on a Angularjs app and I want to use my own Rest API from angularjs. What's the best way to login users to my api from the front office and fetch a token ?
I dont want users have to authorize my own app.
Does the three legs flow is really adapted for this case ? Maybe is better to support xauth authentication with a username/password login ?
Ok after some research, it seems that the most easy way to manage login/authentication between JS client and Symfony2 backend is to use password grant type (thanks #ricoux) which allows user to get a token with an username/password, like this:
http://host.com/oauth/v2/token?grant_type=password&username=Bat&password=test&client_id=clientidkey&client_secret=clientsecretkey
With fosoauthserverbundle, you need to set allowed grant type when you create your client:
$clientManager = $this->container->get('fos_oauth_server.client_manager.default');
$client = $clientManager->createClient();
$client->setName('ApiTest');
$client->setRedirectUris(array('URL' => 'http://callbackurl.com'));
$client->setAllowedGrantTypes(array('token', 'authorization_code', 'password'));
I try to do exactly the same thing : REST API with symfony2 and a javascript client with angularjs...
As Nisam said, FOSOAuthServerBundle is the best bundle to integrate OAuth2 authorization server in your symfony2 app.
I your case, if you don't want users have to authorise your own app, maybe a client with password grant type is the solution. In theory the password grant type can be used to exchange a username and password for an access token directly, but I never experiment it with FOSUserBundle, and I find no example in the doc.
When you ready to use third party bundles, FOSOAuthServerBundle is one of the best solution