I have built a website that uses Facebook, Google, Yahoo, Twitter and standard email/password for account signup. It all works fine on the web but my client wants to make the website an app. I've been experimenting with using webviews with appcelerator and it looks like it will work well. The problem is the websites session will expire after 30 minutes or so. The client wants to be able to stay logged in and prevent the users from having to re-loging in all the time.
I'm thinking I need to store the login details and automatically re-login when the session has expired. Would this be the best way to handle this?
I think this is solved. I've going to use asiviero's suggestion.
Related
I implemented a Linkedin connection in one of my apps. It works great but I need to enter my Linkedin credentials even if I'm already connected on Linkedin's website.
Note my picture in the upper right corner.
When I authenticate on Linkedin's website, I have something like 10 minutes during which I don't need to authenticate, just accept my application's permissions requirements.
I would like to get this behavior as long as I'm connected to Linkedin's website. For instance, I would like that a user that comes on my application, if he's already logged on Linkedin, only needs to accept my permissions requirements.
well this is totally up to your server. if you reboot the service/app then yes you have to log in. but once a user is loggedin you can use the refresh token to keep him logged in as long is possible (unless he logs out himself).
if this does accure while the app isnt getting any restart. you should definitly look at the refresh token.
I'm creating a web app and decided to use google authentication for its ease of use.
Thing is, I want to only let certain emails login. All other emails should not be able to login!
How do I do that?
I'm aware that I can send the auth token to the backend, verify it with google's library, and then filter the emails but... there should be an easier way, I hope?
You need to consider how Open id and oauth work. You are technically forwarding a user over to googles login page. They login and approve any apis on Googles site you have no way of knowing who they are until they are redirected back to you.
Nor is there any way to limit the users who can login to your client directly in Googles Developer console for your project. TBH i think that would be really hard for them to administrate.
Your best bet is going to be checking the users email when they return and decide that that time if they may login or not. It would be also be a good idea to do a revoke on any credentials google returns to you if you dont want them to have access.
I have searched long and far for this on Google Identity documentation but my question seems to be out of it's scope (https://developers.google.com/identity/protocols/OAuth2).
This is what I have:
I have an app that is using Google's PHP Client library to authenticate a user via oAuth2. My application stores the retrieved token & refresh token from a user. I am able to use this token and refresh token to pull in information from various Google API's (Drive, Calendar, Mail, etc). I am also storing a cookie in browser to keep the user logged in to the application when the user closes the browser. I have created a simple way for users to login to the application via a QR code that matches up their stored token and refresh token. After the first login they are able to simply use a badge to login to the application.
This is what I want but don't know how to do
When a user logs into the application with their QR badge everything work perfectly (I am still able to pull in anything via the PHP Client Library/Google API's), however when a user goes to Gmail, Drive, or other Google service, Google is asking them to login (it's because they are not technically authenticated with accounts.google.com (only my application)). Is there a way to programmatically authenticate a user to accounts.google.com via a stored token/refresh token?
I was searching for a proper way to implement authentication of users with Google accounts into an app I'm developing. One thing led to another and I found this:
https://github.com/thephpleague/oauth2-google
They have a few implementations depending on how you may wish to implement OAuth2 (via separate repositories). I believe this directly answers your question, albeit 3.4 years later. Hopefully it will help someone else who is looking for this info.
I've recently been doing a bit of web development so I've been thinking more about authentication and stuff. On Netflix I noticed there is an extra option on the Account page to de-authorize other devices. My girlfriend changed her password but I was still able to use it without re-entering the password till she logged out other devices.
So my question is how does authentication for Netflix work if it doesn't have to locally store your password?
Netflix uses a version of Open autentication to allow a device to access an account. Once the device has been authorized it will then have access to that account until its has been deautorized.
Chaning password doesnt matter becouse the device has autorization already probably in the form of a refresh token stored someplace. So its not storing a password its storing an autorization token of some kind.
Lets use facebook as an example: (response to comment below)
https://www.facebook.com/settings?tab=applications
This shows a list of all the crap I have loged in to using my facebook account. Now I have probably changed my facebook password sevral times it wont matter I will still have access. Some of these are mobil apps i have installed on my cellphone at one time or another. Even if i dont use them they still have access.
This doesn't technically answer the question, but is related and, I think, helpful:
You can forcefully invalidate the previously-validated tokens for other devices by going to https://www.netflix.com/ManageDevices - as soon as you go to the page it will ask if you want to sign out other devices.
(from "Someone is using my Netflix account without my permission" at https://help.netflix.com/en/node/18)
I'm trying to add Azure Mobile Service authentications to my WinRT app. I got everything working and I can sign in with all the 4 social media accounts(Facebook, Twitter, Google and Microsoft Account). But when I close the app and restart it, I have to write my user name and password even if I check the Remember Me button on either one of the options. Let say I logged in with my Facebook account, what I want to achive is, when I restart the app and click Login with Facebook, it shouldn't ask my username and password but automatically authenticate me. The remember me button seems to not working. Is there a way to achive this?
Thank you for the answers.
Edit: I'm using C#/XAML for my my app.
The following blog post covers caching the user's identity. http://www.thejoyofcode.com/Setting_the_auth_token_in_the_Mobile_Services_client_and_caching_the_user_rsquo_s_identity_Day_10_.aspx
According to this page: http://www.windowsazure.com/en-us/develop/mobile/tutorials/get-started-with-users-dotnet/
Note
... This method is easy to configure and supports multiple providers. However, this method also requires users to log-in every time your app starts. To instead use Live Connect to provide a single sign-on experience in your Windows Store app, see the topic Single sign-on for Windows Store apps by using Live Connect.