I've recently been doing a bit of web development so I've been thinking more about authentication and stuff. On Netflix I noticed there is an extra option on the Account page to de-authorize other devices. My girlfriend changed her password but I was still able to use it without re-entering the password till she logged out other devices.
So my question is how does authentication for Netflix work if it doesn't have to locally store your password?
Netflix uses a version of Open autentication to allow a device to access an account. Once the device has been authorized it will then have access to that account until its has been deautorized.
Chaning password doesnt matter becouse the device has autorization already probably in the form of a refresh token stored someplace. So its not storing a password its storing an autorization token of some kind.
Lets use facebook as an example: (response to comment below)
https://www.facebook.com/settings?tab=applications
This shows a list of all the crap I have loged in to using my facebook account. Now I have probably changed my facebook password sevral times it wont matter I will still have access. Some of these are mobil apps i have installed on my cellphone at one time or another. Even if i dont use them they still have access.
This doesn't technically answer the question, but is related and, I think, helpful:
You can forcefully invalidate the previously-validated tokens for other devices by going to https://www.netflix.com/ManageDevices - as soon as you go to the page it will ask if you want to sign out other devices.
(from "Someone is using my Netflix account without my permission" at https://help.netflix.com/en/node/18)
Related
I implemented a Linkedin connection in one of my apps. It works great but I need to enter my Linkedin credentials even if I'm already connected on Linkedin's website.
Note my picture in the upper right corner.
When I authenticate on Linkedin's website, I have something like 10 minutes during which I don't need to authenticate, just accept my application's permissions requirements.
I would like to get this behavior as long as I'm connected to Linkedin's website. For instance, I would like that a user that comes on my application, if he's already logged on Linkedin, only needs to accept my permissions requirements.
well this is totally up to your server. if you reboot the service/app then yes you have to log in. but once a user is loggedin you can use the refresh token to keep him logged in as long is possible (unless he logs out himself).
if this does accure while the app isnt getting any restart. you should definitly look at the refresh token.
I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.
I have searched long and far for this on Google Identity documentation but my question seems to be out of it's scope (https://developers.google.com/identity/protocols/OAuth2).
This is what I have:
I have an app that is using Google's PHP Client library to authenticate a user via oAuth2. My application stores the retrieved token & refresh token from a user. I am able to use this token and refresh token to pull in information from various Google API's (Drive, Calendar, Mail, etc). I am also storing a cookie in browser to keep the user logged in to the application when the user closes the browser. I have created a simple way for users to login to the application via a QR code that matches up their stored token and refresh token. After the first login they are able to simply use a badge to login to the application.
This is what I want but don't know how to do
When a user logs into the application with their QR badge everything work perfectly (I am still able to pull in anything via the PHP Client Library/Google API's), however when a user goes to Gmail, Drive, or other Google service, Google is asking them to login (it's because they are not technically authenticated with accounts.google.com (only my application)). Is there a way to programmatically authenticate a user to accounts.google.com via a stored token/refresh token?
I was searching for a proper way to implement authentication of users with Google accounts into an app I'm developing. One thing led to another and I found this:
https://github.com/thephpleague/oauth2-google
They have a few implementations depending on how you may wish to implement OAuth2 (via separate repositories). I believe this directly answers your question, albeit 3.4 years later. Hopefully it will help someone else who is looking for this info.
I have built a website that uses Facebook, Google, Yahoo, Twitter and standard email/password for account signup. It all works fine on the web but my client wants to make the website an app. I've been experimenting with using webviews with appcelerator and it looks like it will work well. The problem is the websites session will expire after 30 minutes or so. The client wants to be able to stay logged in and prevent the users from having to re-loging in all the time.
I'm thinking I need to store the login details and automatically re-login when the session has expired. Would this be the best way to handle this?
I think this is solved. I've going to use asiviero's suggestion.
I'm trying to add Azure Mobile Service authentications to my WinRT app. I got everything working and I can sign in with all the 4 social media accounts(Facebook, Twitter, Google and Microsoft Account). But when I close the app and restart it, I have to write my user name and password even if I check the Remember Me button on either one of the options. Let say I logged in with my Facebook account, what I want to achive is, when I restart the app and click Login with Facebook, it shouldn't ask my username and password but automatically authenticate me. The remember me button seems to not working. Is there a way to achive this?
Thank you for the answers.
Edit: I'm using C#/XAML for my my app.
The following blog post covers caching the user's identity. http://www.thejoyofcode.com/Setting_the_auth_token_in_the_Mobile_Services_client_and_caching_the_user_rsquo_s_identity_Day_10_.aspx
According to this page: http://www.windowsazure.com/en-us/develop/mobile/tutorials/get-started-with-users-dotnet/
Note
... This method is easy to configure and supports multiple providers. However, this method also requires users to log-in every time your app starts. To instead use Live Connect to provide a single sign-on experience in your Windows Store app, see the topic Single sign-on for Windows Store apps by using Live Connect.