We're building an application which accesses files in Google Drive. Our application has a web UI, an Android App and an iOS app. We use oAuth2 to let the user authorize our app to access their Google Drive account. We use the Google Drive Java SDK in the web application and the Android/iOS SDK of Google Drive for mobile. We're unable to use the oAuth tokens returned by the Android SDK in iOS and vice versa. We also can't use the token received by the Java SDK(by our web server) in the Android app. Because of this, we have had to create separate oAuth clients for each platform(web, Android, iOS) and the user needs to authorize once on each platform, which is not very user-friendly. Is there a better way to use the same oAuth token across clients? Am I missing something very basic here?
You'll need to get a token on iOS and Android for the server.
See this doc for iOS
See this doc for Android
On each of the app, you'll ask a user to sign in first. Then check on the server if there is already a token or not. If not then ask for that access and store the token on the server.
Related
I am working on an android and iOS application that needs to have a password-less solution for login. We are trying to implement WebAuthn/Fido2 device.
The problem is that Fido is still new and there is no React-Native library that implements that. So I have a few questions regarding it.
Can we read and write our own key in the Fido2 device?
=> Till we get a proper library, I want to store an encrypted password on the fido2 device as a key, read it every time on login, and decrypt it. Is it sounds good to implement and is it possible to do?
#DevPy
To support WebAuthn/FIDO2 from your React Native iOS application, the recommended solution is to integrate one of two Apple iOS system browsers (ASWebAuthenticationSession or SFSafariViewController) that support WebAuthn APIs. ASWebAuthenticationSession would be my first choice as this browser is for authentication through a web service, specifically the OAuth 2 flow. This provides the interface, built-in APIs for interacting with the FIDO2 authenticator, like the YubiKey, and gives the developer control with callback to the session and authentication token. Another way to integrate WebAuthn is to utilize a third-party SDK for communicating with OAuth 2 providers. For example, AppAuth for iOS has a React Native bridge, available here. I believe the AppAuth SDK uses the ASWebAuthenticationSession.
As for the initial question of writing/reading your own custom key, the FIDO2 devices are limited in storage space but the YubiKey offers two options that may work for you. One is the option to create a static password (not encrypted) or utilize the Yubico OTP. Both options use the system keyboard to type out the password or OTP into any text/password field within your app. No SDK or system browser required.
FIDO2/WebAuthn is specifically a browser API. Since you're talking about authentication within a (React) native app then you'll probably want to fall back to equivalent native OS API's instead.
For Android you can use the Fido2ApiClient, which will let you leverage existing FIDO2 credentials on your server for in-app authentication:
https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient
I think the equivalent on the iOS side of native app development is Authentication Service. They have a page specifically about leveraging "passkeys" in your app that will probably help get you started:
https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication
When reading the doc of google oauth API, I found that it does not offer refresh token to Javascript (JS) web app, as mentioned in below link. It says "Refresh tokens are not typically used in client-side (JavaScript) web applications."
https://developers.google.com/identity/protocols/oauth2/web-server
However in the following page it offers the refresh token (as well as client secret) to native app. Seems strange that both JS web app and native app are not confidential. Shoudn't it also not to offer refresh token and client secret to native app?
https://developers.google.com/identity/protocols/oauth2/native-app
Thanks
A refresh token in a client sided application where anyone could view source and see the refresh token and client id and client secret. This would mean that anyone could then create a new access token to access the data.
If I understand what you mean by native apps they are run on a users machine and there by the only one in theory who would be accessing that machine would be the user who is accessing their own data. Native apps can also better protect the various secrets from both the user and other apps. So while it is still an exposure risk - the risk is significantly lower.
Use a server side web language if you want a refresh token.
My captive portal allows my guest wifi to use their Google auth credentials in order to allow access to my wifi.
The portal triggers an OAuth 2.0 with Google service and get back the user profile.
Google decided to stop supporting OAuth 2.0 in Embedded browser on April 22nd 2017.
https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html
As far as I know, there is no way to force IOS or Android devices to start a real browser during the captive portal detection process.
I have sent emails to both oauth-help#google.com and oauth-feedback#google.com. It's been a month and no response.
I get the feeling that these mailboxes are not monitored.
Did anyone get any alternative method?
Currently our app uses OAuth requests in web-views.
Google will not allow OAuth requests in an embedded browser called "web-views".google_developer_blog
So, we are planning to use Firebase Authentication.
This method is not in best practice, but I would like to tell you if there is any problem.
Thank you in advance.
Google OAuth plans to deprecate embedded webviews. However, you are OK to use SFSafariViewController for iOS apps and Chrome Custom Tab for Android Apps. If none of these are supported, you can open a system browser. All of these flows are allowed for OAuth flows and are more secure than embedded webviews.
Can any one provide a sample code so that I can login to my application with the google credentials using OAuth.
Google has GData.framework which allows access to google services. Try checking it out. Not sure about access to 3rd party apps with google credentials.