I am using Google Sign-In iOS SDK to implement the sign-in with Google feature. However, I am confused with the disconnect function.
GIDSignIn.sharedInstance()?.disconnect()
According to the documentation, it disconnects the current user from the app and revokes previous authentication. If the operation succeeds, the OAuth 2.0 token is also removed from keychain.
However, when I disconnect the Google Account in my app, I can still use the old id_token to fetch the user's data with the following API:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=xxxxxx
I can only see the id_token will be expired according to the exp field which is 3600s since the token is created.
What does the disconnect() actually mean? Why can the user's profile be fetched even the Google Account has been disconnected successfully?
Related
When signing in using Sign in with Apple for the first time, it returns a value realUserStatus as a part of ASAuthorizationAppleIDCredential in the iOS client. This value indicates whether Apple is confident that the user is real, or not (e.g. it's a script)
My question is how can I verify the value of realUserStatus in my backend authentication system?
Because the realUserStatus is returned to iOS client, and the client should tell my server whether it is a bot or not! How can I know if it's not just a script and telling the server that it is real?
Edit (additional clarification):
In Apple’s docs it says “ You can skip any additional fraud verification checks or CAPTCHAs that your app normally uses.” but when we use CAPTCHAs, the provider can verify the response, something either Apple doesn’t do, or I can’t find anywhere how to do it!
I just finished a call with an Apple engineer on WWDC online lab.
So from the iOS 14, the realUserIndicator is included in the identity token, and can be verified with the server.
For iOS 13 they don't have a solution.
This flag serves as a basic first validation, meant to be used by your frontend. The identification servers will return this value only when the user first uses Sign in with Apple in your app.
If you want to verify the user on the backend, you should use the user identity token (JWT). You get it from Apple's servers when the user signs in (read here: https://developer.apple.com/documentation/signinwithapplerestapi/authenticating_users_with_sign_in_with_apple).
If you want to verify the user on the upcoming sessions, as an existing user (without the user having to sign in every time), you should develop a system of your own, for creating, saving, and validating a token. Another option is to use Firebase auth framework, which supports apple sign-in.
if you send the fetched user’s information to app server(your backend) you can verify user by the identity token with a rest service.
Apple document says:
After your app receives the user information, you can verify their associated identity token with the server to confirm that the token is not expired and ensure it has not been tampered with or replayed to your app. For information about retrieving the identity token, see Authenticating Users with Sign in with Apple.
https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/verifying_a_user
I am working on graph api to get user's liked pages videos. I have read https://developers.facebook.com/docs/ and requested for user_action.videos from Facebook. Now things becomes more confusing for me when i read about 1- OAuth Authentication, 2- temporary/long-lived access token and 3- test user as well.
1- As i believe as per my reading that OAuth Authentication for user is not required as it is done by FB SDK automatically. Is it right and if its wrong then how to authenticate user while using FB login dialogue as there is no URLRequest call in latest FB SDK login button?
2- After login through dialogue, I am getting an access token which is an expiry token and to keep user logged into my App; I have to convert that expiry token to long-lived token for 60 days every time when token is going to expire?
3- Is there any need for creating Test User in Facebook developer portal. Is there any role of it in development?
Any help would be greatly appreciated.
Is there a difference between the firebase.auth().getToken() and the FCM registration token returned via Android setup: FirebaseInstanceId.getInstance().getToken()? I am currently using https://www.npmjs.com/package/firebase which uses the first method above to setup auth as well as generate a token. Using that token when trying to send a notification returns: error:InvalidRegistration...
The Auth and FCM tokens are different and unrelated.
The Firebase Authentication ID token identifies the user. A Firebase Authentication access token (auto-generated based on the ID token) grants the user temporary access to the Firebase back-end.
Firebase FirebaseInstanceId token (that is used by Firebase Cloud Messaging) identifies the installation of the app on a specific device.
For example: if you sign in to an app on two different devices, you will get the same authentication UID (although the access token will be different, each time you sign in on a device).
If you have the same app on two devices, the FCM token will be different. But if the app has sign-in functionality, the FCM token will be the same no matter who (or even if) a user is signed in or not. Furthermore: if a different user signs in to the same installed app, the FCM token will remain unchanged.
I am trying to create a Daemon (code-only, server-only) app that can access my Personal Microsoft Account. I cannot figure out how to get an Access_Token that does not expire (or a refresh_token).
I can create a working non-expiring (admin logs in only once) Daemon app for my Business (Office 365) Account using the "adminconsent" endpoint detailed here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols-oauth-client-creds/ or here: https://blogs.msdn.microsoft.com/tsmatsuz/2016/10/07/application-permission-with-v2-endpoint-and-microsoft-graph/. Unfortunately, I cannot use the "adminconsent" endpoint with my personal account -- returns "This operation can only be performed by an administrator" error. Is there a way I can enable adminconsent for my personal account?
OR
For my personal account, I can use the "authorize" endpoint (as detailed here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-scopes/) and it returns a code (that expires) that can be used to obtain the "access_token"; which works fine in Graph API -- until the access_token expires (3600 seconds). It does not return a "refresh_token". So, after the code/token expires, it then requires the user to log in again. How can I use the authorize endpoint to then obtain tokens that can be refreshed via code only?
Include the offline_access scope to get a refresh token. Be sure to replace your refresh token with the new one that comes back each time you refresh.
I am using Google Drive API(C#) with service account as mentioned in
https://developers.google.com/drive/delegation
I am able to work with DriveService object, but after 1 hr, it errors out with exception: "The remote server returned an error: (401) Unauthorized."
I know, by setting "access_type" to "offline" we could solve this problem, but I am not able to set this property for DriveService object.
Does anyone know how to refresh this Google Drive Service object?
Thanks in advance
Service accounts come with a private key - and that's their moral equivalent/superset of the refresh token that is returned as a result of a user-driven consent flow.
When a user consents to offline access (via a web server or similar OAuth flow) a refresh token is returned that can be swapped (along with the client secret) at any time for an access token.
In the same manner a service account private key can be used to sign an assertion that can also be swapped for an access token - that's useful for cases where no user is present to accept a consent screen, or where you are performing work on behalf of other users in your organization.
Once you get an access token it is treated in the same way - and is expected to expire after 1 hour, at which time a new access token will need to be requested, which for a service account means creating and signing a new assertion.
Generally noticing that the access token is expired and requesting a new one is taken care of for you by the Google client libraries - although I'm not familiar with the C# version. If you could share your code that creates the DriveService object that would be helpful.
When you set offline access mode, your app gets a refresh token when the user logs in for the first time.
access_type ::
Indicates if your application needs to access a Google API when the
user is not present at the browser. This parameter defaults to online.
If your application needs to refresh access tokens when the user is
not present at the browser, then use offline. This will result in your
application obtaining a refresh token the first time your application
exchanges an authorization code for a user.
You later use this refresh token to obtain a new access token, once the current access token expires. Basically, your app would then hit the token exchange endpoint (POST to https://accounts.google.com/o/oauth2/token) with the refresh token and your client credentials - google with then issue a (refresh token + access token) pair to you.
See this link for further clarification.
EDIT - I checked the Service Account documentation and found a sample C# app that fetches and uses refresh tokens too. See it here.I hope this one helps.