I'm currently making an application where the client (mobile device) will send tokens (it can be access_token, or id_token received from Apple after registering using Apple OAuth). In the backend,I will have to get the user information ( username, email ) from these tokens and save it to the database. Is there a way I can retrieve this information from Apple?
Related
If i've an application, and I use its app_id and app_secret to login and get an access_token and a refresh_token back.
The refresh_token can be used by any application or just by the one that created it?
Similarly, if the app is public (it does not require the usage of app_secret) is still the refresh_token linked to the application or can it be freely used by any other app?
A refresh token is associated to a client (and also to a specific user when applicable). Typically the Authorization Server will store details such as client_id, sub, refresh token hash, expiry and revocation status in a database table called something like delegations.
When a client sends a refresh token grant message, the client_id must also be sent:
For public clients, anyone who can get hold of a refresh token can send the request
For confidential clients, a client secret must also be provided. This can be a string value or a stronger credential, such as a client certificate.
In both cases the Authorization Server will typically use the received details to find the database row, return an error if the token is expired, revoked etc, or otherwise return a fresh access token. This article provides a good overview with sone further info.
I want to send 2-Factor Authentication token via email using Twilio's Authy api. I know Authy api offering Push Authentication, Soft token, SMS/Voice but is it also possible to send token via email?
If so, then can I register the user at authy without providing phone number and country code but just will give email address? Actually I only need to send token via email not over the phone.
Thanks.
Authy adds support for user authentication via email
https://www.twilio.com/changelog/authy-adds-support-user-authentication-email
Is there a difference between the firebase.auth().getToken() and the FCM registration token returned via Android setup: FirebaseInstanceId.getInstance().getToken()? I am currently using https://www.npmjs.com/package/firebase which uses the first method above to setup auth as well as generate a token. Using that token when trying to send a notification returns: error:InvalidRegistration...
The Auth and FCM tokens are different and unrelated.
The Firebase Authentication ID token identifies the user. A Firebase Authentication access token (auto-generated based on the ID token) grants the user temporary access to the Firebase back-end.
Firebase FirebaseInstanceId token (that is used by Firebase Cloud Messaging) identifies the installation of the app on a specific device.
For example: if you sign in to an app on two different devices, you will get the same authentication UID (although the access token will be different, each time you sign in on a device).
If you have the same app on two devices, the FCM token will be different. But if the app has sign-in functionality, the FCM token will be the same no matter who (or even if) a user is signed in or not. Furthermore: if a different user signs in to the same installed app, the FCM token will remain unchanged.
What I'm trying to do
I'm trying to create a web app that would fetch emails from a user's Gmail. I understand that I would require authentication via Google OAuth 2.0.
What I'm trying to do is setting a watch() request on an inbox. Then, when the watched inbox gets an email, I want to get notified. I'm using Google's PubSub API.
What I've done
I followed the steps given in the Gmail OAuth documentation, but am confused as to how to store multiple access tokens for multiple users.
So when the user first logs in using their Gmail account, I generate a code which I exchange for an access token. Then I store this in a database. However, when I get notified about an email, I only receive from the API the user's email address. I would like to do some further API calls for this user. So now I would need to retrieve the token for the specific user. But...
The problem
... How do I store access tokens by email? I only have access to their token once they login/authorize. Is there any way of retrieving the email address from an access token? I could then store the access tokens as key-value pairs of <email address>-><access token>.
You can do a Users: getProfile-request immediataly as they log in for the first time, like so:
GET https://www.googleapis.com/gmail/v1/users/me/profile?access_token=<ACCESS_TOKEN_OF_THE_LOGGED_IN_USER>
Response:
{
"emailAddress": "example#gmail.com", // Here is the user's email address.
"messagesTotal": 6446,
"threadsTotal": 4495,
"historyId": "570232" // Here is the current historyId of his account.
}
Then, when you get a push request via watch(), you can use the historyId in the response above to see what has happened.
Is it possible to obtain a users fb password, with granted permission?
I'm using it in a project that allows users to keep their sensitive data locked using their fb account.
It's for an iOS application, and right now I'm able to collect a users email, through the Facebook iOS sdk, and password, through a login "workaround", but I'm not sure if the app is going to get rejected due to infringement of facebook's and or apple's legal rights.
No, it is not possible to obtain a user's Facebook password.
I am not sure if the app will be rejected but I would personally avoid this solution.
I suggest to use the user's facebookId instead of the user's email.
If the secured data are stored in the app:
You only need the facebookId.
If the secured data are stored on a server:
Of course, checking only the facebookId isn't secure enough because anyone with a precise facebookId could login with it and get access to the "secured" data on your server.
What you need is two parameter to identify a user through your app:
The facebookId of the user
A secret key
You can send the secret key in your header request (or as a URL/BODY parameter if you want). It ensures that your server is called by your app an not from another source (a hacker).
What I would do to be more secure is to hash these two parameters in SHA1 so that even your request isn't readable. Then all you have to do is compare on your server the same key hashed in SHA1 with the one received.
For hashing a string to SHA1, here is a link : http://www.makebetterthings.com/iphone/how-to-get-md5-and-sha1-in-objective-c-ios-sdk/