We have a mobile application and end users are authenticated via Firebase.
Current behaviour
While onboarding users, we register every user on Firebase with an email and a mobile phone.
Once the user is created on Firebase we the use the link generation API generateSignInWithEmailLink and send an email to the users.
Users click on the email from their mobile phone and it automatically launches the App.
Desired behaviour
Instead of sending an authentication link in the email, we would like to use the SMS token validation feature of Firebase
This is very easily down via a browser based application.
How do we implement such a feature that on Android/Ios?
Option
We provide a custom backend HTTP end point which gets called by the user
From this backend, we instruct the Firebase Admin SDK to send a new SMS authentication token to the have any endpoint which allows the back end to send a SMS authentication token to the end user's mobile.
Is this possible? At first glance, I could not find anything in the documentation.
Thanks
https://firebase.google.com/docs/reference/admin/node/admin.auth.Auth
Firebase does not provide a generalized service for verification via SMS. You will have to find another service for that.
Related
In the system I work with, there are multiple web apps and native apps. All of them uses a dedicated web app to authenticate a user. This dedicated auth-web-app invite the user to sign-in and transfer his credential (credential.toJSON() as message) to the caller app. Once the credential received, the caller app uses the credential (OAuthCredential.fromJSON(...)) to authenticate the user in its own process.
Here's a video that describe the case.
After the user has been authenticated once already, this central auth-web-app keeps him authenticated, auth.currentUser stays defined in this environment. So when another app opens the auth-web-app, this already has a user in it. And I don't find a way to retrieve or create an AuthCredential from the current user in order to transfer its authentication to the other app.
Is there a way to get a credential from the current user without asking him to sign in again?
I have a web application that sends SMSs through RingCentral's APIs, but I am only able to sign in and to send SMSs with my account's main number. I would love to send SMSs from many of my extensions mainly to be able to send more SMSs. How can I choose the extension from which I send a SMS?
A RingCentral extension represents a user so to send SMS from different extensions, you will need an access token for each extension or user. There are a few ways to do this.
Password flow (server-side): If you are using a private app with password flow, you can bootstrap the system with static passwords for each extension. After the initial bootstrap you can use the refresh tokens to continue to receive active access tokens.
Auth Code flow (client-side): If you have end users with UI apps, your app can present an OAuth login to retrieve an access token for the user and then use refresh tokens afterwards. This will work with private and public apps.
I'm creating a react native app and adding instagram authentication to it. I want users to be able to "add" their instagram accounts to their main user account, so I have a "connect your instagram" button.
I have this working on my web app fine.. The flow is as follows:
User clicks 'connect instagram' button and a new window opens and is directed to https://instagram.com/oauth/authorize/?client_id=xxxx blah blah
User authenticates and instagram redirects to my REDIRECT_URI with a CODE parameter
My API server takes the CODE parameter and sends a post request to instagram with all the credentials.
Instagram verifies this information and gives me the users ACCESS_TOKEN
Can someone tell me how this is supposed to work in an app?
What's my REDIRECT_URI supposed to be? The server api?
Is it the same flow as my web app? If so, how do I get the users back to my app after the window is closed. How does my app know that the user now has an access token?
With a native application the flow is similar to what you described for the web application.
The Auth0 Mobile + API architecture scenario describes what should happen when you need to authenticate a user for a mobile application and then later access an API on behalf of that user.
Summary
you will continue to use the authorization code grant;
if the authorization server in question supports it you should use the PKCE (Proof Key for Code Exchange by OAuth Public Clients) for added security;
you will need to select how you will receive the code in the native application; you can use a custom scheme com.myinstaapp:, a local web server with the http: scheme or a few other options; (see this answer on OAuth redirect URI for native application for other alternatives)
you exchange the code obtained by the native application with an access token in a similar way to what you would do for a web application; (except for the use of client secrets which are in general not useful for native applications as they would be easily leaked)
Additional Information
The flow described in the Auth0 scenario assumes that authentication will happen through an OpenID Connect compliant flow and in addition you'll get the access token as specified by OAuth2. I'm not overly familiar with Instagram so if they only support OAuth2 that part is of course not applicable.
I am using Microsoft Bot Framework to build a bot that receives messages from a user and then connects to a a banking service he already registered. (In case you don't know Bot Framework, is just a Web Api where you post messages and it answers you according to the behaviour you specified in advance).
So the banking service knows his user and password. And let's say it also knows the user Skype's username, because the bot will be connected to a Skype Channel via Bot Framework Connector.
My question is: how can I authenticate (in the banking service) the user that sending messages to the bot? The idea of this is of course not to make the user send his credentials (user and password) via messages.
Making the bot send a link where the user can write his credentials and then trigger a callback is not an option. I need to make the authorization flow the most transparent I could do it for the user.
The only examples I currently have of Auth involve invoking a browser for the authenticating service where the user can enter their service-specific credentials, such as Mat Velloso's AuthBot sample on github: https://github.com/matvelloso/authbot
I assume your last statement means this isn't a valid option?
I am creating an android app that has access to an online Database. The initial app activity screen is a login form where the users credential are validated. If the credentials are valid then the app continues to the next activity. I've looked at OPENID and a few others methods. How would I implement OPENID or a another form of user authentication for my app. I would ultimately like to have a third party take care of user authentication and credential storage.
Have you tried looking at OAuth?
http://oauth.net/
OAuth Signpost is an android implementation of OAuth
http://code.google.com/p/oauth-signpost/
Server side, you need to provide an OAuth ready API, if your server is PHP, take a look at
http://code.google.com/p/oauth-php/