How to authenticate a user's identity using their phone - firebase-authentication

I am making an app with firebase that should allow a user to authenticate their identity when they get to a certain physical place in order to be let into the place. I want staff at the place to be able to use their own phones to securely verify the user's identity and let them in.
My first idea was to make the user's phone present a QR code with the uid of the user for the designated staff members to scan. The problem with that is that the uid is not a valid means of authorization in firebase because it is not a secret, which makes me worry that this approach may not be secure.
Is there any secure way for one phone to authenticate the identity of a user who is logged in on another phone?
EDIT: My question has nothing to do with logging in to the same user account using multiple authentication methods, it is about using a physical device connected to one user account to authenticate that a different physical device is connected to a different user account.

Related

Is it possible to recognize that a user is the same unauthenticated user in a subsequent session with guest access of federated identity?

Let's say a user makes a purchase. Is it somehow possible to detect that a user is the same person on a different device when using Cognito User pools with federated identities that allow guest access?
I don't want my users to have to provide an email address, but I want to know what is the most reliable way I can ensure they have the most access possible to any in app purchases they make.
Currently it seems not possible to do it.
The situation you described is like unauthenticated, so you will just get an identity id and that is always some random uuids to exchange for credentials.

Does / can Alexa replace its generated UserId for a linked user?

We have an application utilizing Alexa skill with account linking for user details.
According to Alexa's account linking documentation:
Our skill is set up for Account Linking which in turn refers to a 3rd party (or it could be internal) Identity Management System (IMS) for user authentication. Our application (as well as our organization) does NOT internally maintain the app's user identities.
Let's say the user enabled our skill on her device, at which point (according to the above docs) she was issued an Alexa generated userId, something like:
"userId": "amzn1.ask.account.AFMWOL5WIGQZLYYEMM2IJL2BJ26ICPQHBPR2DSLRX46CHW36R6CPVH7RZTUZMBCHHJLQQNU3YO2BWZWNIRTM3PCAGTNZKILK33PM2XVI36H4RSINFH2A26OLURAIB2RVPV6GMK56BR5BLBIFNJKT64EANASM7IDTQJBQLGDIEUZHUIM6VSHTTOUPVPITIPOIOPESUK53TSALU5I"
Consequently, upon further interaction with the skill, she wanted to access some more personalized information which triggered account linking so her identity was confirmed and re-established via provided account linking details (OAuth 2 Authorization Code Profile), which, while doing so, as mentioned before contacted the 3rd party Identity Management System (not LWA) to verify the user identity:
the user is presented with a login screen,
she enters her credentials, say: "alice"/"password123"
she answers the relevant questions to permit certain actions that our app can do on her behalf and
is allowed to further interact with the system on a more personalized basis
Let's say that inside our app, we want to be able to identify the user by her real userId: alice and NOT the one auto-assigned by Amazon, as described above.
Does Alexa allow for this?
Upon successful account linking, does Alexa overwrite in its JSON request (or can it somehow pass it through, along with now embedded accessToken field) the userId it receives from the 3rd party Identity Provider) so that that "real" userId (is it called subjectId in OAuth parlance?)can then be used to identify the user actions during her further interactions with the app?
If yes, how can we obtain the user details from JSON via Alexa Java API?
If no, what would be possible ways to facilitate such ability?
Can the real userId be obtained from the accessToken that Alexa puts in its request after authenticating a user? If so, how?
I'm not sure if it's related to this, seems to be a similar request, has it been put on Alexa's roadmap or became a feature already?
This seems to be a detailed version of How to obtain userId specified by Alexa user during account linking
Generally speaking, after the user complete the OAuth authentication, the application (i.e. Alexa in this case) would receive a access_token and refresh_token. If you want any additional data, e.g. username alice, email, phone, address...etc., you would need to check with your OAuth provider and see if they have an API to retrieve those based on the access_token with the appropriate scope.

How to associate data with a user that has been authenticated with Google oauth?

So I am having some trouble figuring out how to implement a sign-in for my app using google oauth. Every example I see shows how to authentication the user, get their permissions and then start using the Google APIs.
I do not care about permission or using Google APIs. All I want to do is have the user sign-in to my app using google oauth instead of having to implement my own authentication system with user and passwords in the database.
After the user authenticates with their google account, then they can change settings associated with their account for my app. What is the flow i need to implement to achieve this?
How would I associated a google user with certain data defined in my own app's database? I have successfully implemented the authentication part but then what would I need to store in my DB to associate them with their actions and data. Would I need to use sessions? and then retrieve their Google+ ID, save it in the database and then use that to identify them in the database for later when they log in again?
any help is appreciated
Once the the server validates the access token, a user account can be created in the database, saving the Google ID along other user details (ID, email, name etc).
If your application also supports normal registration, and an account is already present for that user (matching email), then you can just fill in the (nullable) Google ID column in order to link the account(s).

JSON Web Token (JWT) - one account multiple users

If I'm using JWT to authenticate users to get access to my API, would it be possible to create one "generic" account for many users to use? That way, users who don't have a "real" account, would be given this generic account credentials in order to access the API. Would that be possible? Because, I'm wondering, with JWT, if one users log in, would I invalidate the other user token?
If that approach would not work, what would you recommend?
The reason: I want my app to communicate with my server, even if the user doesn't have an account created. But I would not like to keep that "door" open, hence I would like to add some kind of authentication for those people who are using the app but don't have an account. Suggestions?
Create accounts connected with accountgroups. This way you are also able to create temporary accounts having less permissions for example. And multiple clients are able to access same data and same time.
So the Payload is owned by the accountgroup, the client authenticates with a (maybe temporary) account and gets authorization via accountgroup.

Secure strategy for staying logged-in when using OpenID

I have a website that uses OpenID to sign in users. The library I'm using, returnes a user profile when the user logges in. This profile contains user's email, name, a link to the avatar and an ID which the OpenID provider has returned.
My strategy for keeping the user logged in is this:
When the user logges in for the first time, I create a hash code based on the OpenID's returned ID
I store this hash code alongside the user's ID in 2 cookies.
When the user comes to my website, I check for these cookies, and if they're available, try to match the ID and the hash code, if it's correct, I log the user in.
Now the problem is this: if somehow this cookie information gets stolen from the user, the hacker can easily log in instead of the user himself. I could create a new hash code for each time the user logges in and update the user's cookeis but it'll make the information of other browsers/computers cookies invalid.
Since the StackOverflow website does not suffer from such problem, I would like to know what should I do to both secure my login strategy and add the functionality to stay signed in for the users.
The standard way to do this is to assign a meaningless session ID and send that as a cookie; in your database, you can store the user's credential information alongside that session ID. When a user logs out, you can invalidate that session ID.
Isn't this a problem with ALL mechanisms for letting the client stay logged in? If you log into your, say, gmail, and I steal your cookies, and put them in my own browser, there is no way to distinguish my browser from your browser and I get access to your gmail. There's no way to stop the kind of attack you're suggesting, I believe (other than the user keeping their computer free of viruses etc. that could steal the cookie)