Where to store the user info in a Windows 8 app? - xaml

I'm creating a Windows 8 app. I have a login screen and when I press a button it will authenticate against a REST API. But what do I do when the user is authenticated? Where is the "session"? How can I store who the user is? So far my search has taken me to these answers
1. ApplicationData.Current namespace
Where would I store session specific data? Local application data? Temporary application data?
2. Password Vault
I've seen this suggested to a similar question, but as far as I understand this is just a password store? How would it help me to keep the current user in session? Or would I simply for a every view I load question the Password Vault:
This is the users Windows Live ID, what id does he have in my app?
3. CookieContainer
Is it possible to store the user info in a cookie when doing a Windows 8 app?
It seems to me a rather simple question to which I hope there is a simple answer :)

I have an app too with an authentication against an REST service with a simple OAuth authentication and I store the credentials (AccesstToken and AccessToken secret) in the PasswordVault. One of the advantages (apart from being stored securely) it's synchronized between Windows 8 devices. In the PasswordVault you store the username and the Password in a PasswordCredential
http://msdn.microsoft.com/en-us/library/windows/apps/windows.security.credentials.passwordcredential.aspx

Related

Authentication with Vue.js | Flask-RESTful and Google Sign-In

I am still a newcomer to both the Vue.js as well as the Flask framework. I have created a simple todo app that consumes JSON endpoints from Flask and uses Vue.js to display the UI.
My app has a TODO, PROJECT and USER model. I have successfully implemented a "normal login" through my own user model. The flow for this one:
The user fills in username and password.
POST request to Flask API that saves the user with a hashed password in the database.
The user can log in through an /auth endpoint and receives a JSON web token in return.
When the user logs out, the token is destroyed.
Now I want to implement a google sign in along with the existing user model. I could successfully create a call to the google API and have retrieved the user data from google in the vue.js client. But this is where I am stuck.
What should I save in my database now? I don't have a password for the user, but only a token to identify later when I have sent the data to the Flask server.
Should I save both Google Auth users and the normal users in the same database table? How can I differentiate between them when I retrieve their information to check if the user exists?
As I am very concerned about building safe applications in the future, I would like to really understand what the best practice in such a situation is.
Thanks for your help!
For anyone interested in this topic: I ended up saving all users in the same database table and created a boolean whether the user was logged in with a password/username or with an OAuth provider. If so, the provided token could be used to verify the user.

Google Authentication via PHP Client Library/oAuth2

I have searched long and far for this on Google Identity documentation but my question seems to be out of it's scope (https://developers.google.com/identity/protocols/OAuth2).
This is what I have:
I have an app that is using Google's PHP Client library to authenticate a user via oAuth2. My application stores the retrieved token & refresh token from a user. I am able to use this token and refresh token to pull in information from various Google API's (Drive, Calendar, Mail, etc). I am also storing a cookie in browser to keep the user logged in to the application when the user closes the browser. I have created a simple way for users to login to the application via a QR code that matches up their stored token and refresh token. After the first login they are able to simply use a badge to login to the application.
This is what I want but don't know how to do
When a user logs into the application with their QR badge everything work perfectly (I am still able to pull in anything via the PHP Client Library/Google API's), however when a user goes to Gmail, Drive, or other Google service, Google is asking them to login (it's because they are not technically authenticated with accounts.google.com (only my application)). Is there a way to programmatically authenticate a user to accounts.google.com via a stored token/refresh token?
I was searching for a proper way to implement authentication of users with Google accounts into an app I'm developing. One thing led to another and I found this:
https://github.com/thephpleague/oauth2-google
They have a few implementations depending on how you may wish to implement OAuth2 (via separate repositories). I believe this directly answers your question, albeit 3.4 years later. Hopefully it will help someone else who is looking for this info.

Azure Active Directory - Authentication without browser window

Is it possible to achieve Azure Active Directory authentication without going to browser window? I will have username and password via the mobile app login interface.
I need to achieve below scenario:
Use open mobile application (ios/android)
Enter Azure AD username and password to app login screen - e.g. user#tenant.onmicrosoft.com & password
I pass those information to .net web service - which need to call some Azure AD api to validate user credential before proceed to perform other business logic/make database calls
Any recommendation? I DON'T want user to redirect to any login window/page as this will not be good user experience.
I have already checked few different articles but not satisfactory response yet.
Thank you for your time.
I believe below link is helpful.
http://www.cloudidentity.com/blog/2014/07/08/using-adal-net-to-authenticate-users-via-usernamepassword/

Netflix doesn't logout other open sessions with password change

I've recently been doing a bit of web development so I've been thinking more about authentication and stuff. On Netflix I noticed there is an extra option on the Account page to de-authorize other devices. My girlfriend changed her password but I was still able to use it without re-entering the password till she logged out other devices.
So my question is how does authentication for Netflix work if it doesn't have to locally store your password?
Netflix uses a version of Open autentication to allow a device to access an account. Once the device has been authorized it will then have access to that account until its has been deautorized.
Chaning password doesnt matter becouse the device has autorization already probably in the form of a refresh token stored someplace. So its not storing a password its storing an autorization token of some kind.
Lets use facebook as an example: (response to comment below)
https://www.facebook.com/settings?tab=applications
This shows a list of all the crap I have loged in to using my facebook account. Now I have probably changed my facebook password sevral times it wont matter I will still have access. Some of these are mobil apps i have installed on my cellphone at one time or another. Even if i dont use them they still have access.
This doesn't technically answer the question, but is related and, I think, helpful:
You can forcefully invalidate the previously-validated tokens for other devices by going to https://www.netflix.com/ManageDevices - as soon as you go to the page it will ask if you want to sign out other devices.
(from "Someone is using my Netflix account without my permission" at https://help.netflix.com/en/node/18)

Is there a way to get the "remember me" checkbox work on Azure Mobile Service authentication for WinRT apps?

I'm trying to add Azure Mobile Service authentications to my WinRT app. I got everything working and I can sign in with all the 4 social media accounts(Facebook, Twitter, Google and Microsoft Account). But when I close the app and restart it, I have to write my user name and password even if I check the Remember Me button on either one of the options. Let say I logged in with my Facebook account, what I want to achive is, when I restart the app and click Login with Facebook, it shouldn't ask my username and password but automatically authenticate me. The remember me button seems to not working. Is there a way to achive this?
Thank you for the answers.
Edit: I'm using C#/XAML for my my app.
The following blog post covers caching the user's identity. http://www.thejoyofcode.com/Setting_the_auth_token_in_the_Mobile_Services_client_and_caching_the_user_rsquo_s_identity_Day_10_.aspx
According to this page: http://www.windowsazure.com/en-us/develop/mobile/tutorials/get-started-with-users-dotnet/
Note
... This method is easy to configure and supports multiple providers. However, this method also requires users to log-in every time your app starts. To instead use Live Connect to provide a single sign-on experience in your Windows Store app, see the topic Single sign-on for Windows Store apps by using Live Connect.