What will happen to firebase login credentials after we transfer our app to a different developer account?
Will our app lose access to login credentials since they are stored in Keychain?
In our app, we use a "custom authentication system".
We don't require emails or passwords from our users while signing in.
Instead, we call a cloud function that creates a user and sends an auth token back to the clients.
In client app, we sign in our users with Auth.auth().signIn(withCustomToken: token)
How can we overcome this problem without losing users' login credentials in our app if we'll lose that credentials? What precautions can we take before the transfer?
Thanks.
Related
Currently, I'm trying to upload an app to the App Store but since my application is OTP-based login, even if I provide my number it'll send the OTP to my number. I'm also using JWT tokens for every logged-in user. Internally every API call is using JWT Auth, So demo creds will be too much of a workaround
I've sent the test credentials as my number and some random OTP and also I provided the details in the notes section but my app got rejected mentioning credentials are not valid. Any workaround for this?
Should I check user auth ( user name , password, device token) in webservice every time when my mobile application is launch?
I currently developing an ios application that will need user to login with their username and password ( for the first time of application launch).
After that user information will save in app local data and user no need to key in username and password again.
My idea is to check if the user is still active-user by calling the web service whenever the application is launch.
My question is , is that necessary to check whenever the app is launch .?
And is there any design pattern to control the user auth for ios app.?
Generally, you should not store username and password locally, but if you MUST, then store it in iOS keychain and not in local app db. (If you are not familiar with keychain follow this tutorial)
To be able to 'not' save username and password in the app, you need to implement an authentication mechanism (like OAuth 2 : check this tutorial) which handles authentication via web view and needs client to only use the authorized token.
To refresh the token, you need a 'refresh token' api which can check if the token is valid and if expired you can prompt user to enter credentials or use the ones store in keychain to refresh the token automatically.
Note : you can find many more such tutorials on https://www.raywenderlich.com and elsewhere if you just google it.
Note 2 : Although OAuth 2 is more centered around giving access to 'third party', it is a good enough model for normal authentication mechanism. Please spare all the hate in comments for suggesting OAuth 2 for normal authentication.
I am having difficulty navigating Amazon's documentation. I currently have an app that logs in using Firebase's email and password identification. How do I connect this to my data stored in AWS using Cognito? My app is in Objective C.
Unfortunately without a backend, you cannot integrate Firebase Login with Cognito since it doesn't support OpenId Connect. With a backend, you would need to implement the Developer Authenticated Identities flow as follows:
Implement AWSAbstractCognitoIdentityProvider
In the refresh method:
Login via Firebase
Make a https call passing the Firebase Login
token to your backend and validate
From your backend, call
GetOpenIdForDeveloperIdentity using Developer Credentials
Pass
results back to the device
Update the identity id and the logins map
I'm developing a DropBox app - one that has no use if the user is not authenticated by DropBox. Therefore it would be useless to have separate account management in my app, (using the DropBox accounting should suffice).
The oauth sequence suggested by DropBox does both authentication (having the user sign in with her DropBox credentials), and authorization (having her approve my app to access her DB account). This is good for the first time the user signs-in to my app. But once my app is approved and "installed" on the user's account, I don't want her to be prompted whether to allow my app access, every time she logs in. Is there a way to skip the authorization page?
Some time passed, but now there is a way to allow permanent access to dropbox API.
You need to generate access token from the application settings and use it.
Here is what dropbox says:
By generating an access token, you will be able to make API calls for your own account without going through the authorization flow. To obtain access tokens for other users, use the standard OAuth flow.
So my intention is to have a login in my iOS app that allows for either our standard email/pwd registration, or login with Facebook. We are also creating rest services to get application info for a given user, e.g. https://url/getPosts/[userId]?userPwd=foo
I've implemented SSO with fb in a web application before but I have some concerns about the security of authentication in a iOS client scenario. The key difference from what I've done before is that in a web app, I was making a server to server call to Facebook to get the access token so I was reasonably assured that the user was authenticated and the web server made privileged calls to the database. In the iOS case, I have the mobile client app making the Facebook iOS authentication request itself and the server has to somehow trust that this user from the client app is indeed authenticated against the matching user record in our database.
My question is how do I generate a durable and secret unique key from the iOS SDK so that I can create and associate a matching user record in our database for users that authenticate only with Facebook. I want this to be seamless so the user would not have to manually fill out another form, and we would just automatically create this matching user record in our db.
I could insert a record into my own users table when they fbDidLogin with Facebook, using the Facebook Id as the unique identifier, and the fb access token as the pseudo password/key for my own user record. I would have to validate the access token with Facebook to make sure it's valid before saving it as a password for the user (the user would never see this password, it would just be passed by the client app during api calls). That way when the user makes a call to our own rest api via the iPhone app we can authenticate and authorize using this secret/pwd/key.
An alternative that would make this whole question moot is to just handle the authorization logic on the client app, and check that there is a valid fb session before making calls to our own apis which I secure with just a single application-wide secret, but that doesn't seem as secure since getting that one secret gives authorization to data on all users. I'd rather authorize at an individual user level. Is that the right choice? Am I being paranoid about iOS security?
The fb access token expires so that might not seem durable, however if I enable offline access that token won't expire but creates a scarier looking oauth dialog window. An alternative to the access token is to hash the fb Id with an application secret key on the iOS client, and use that as the Facebook user's password in our db. However, that again is a single secret key that could perhaps be reverse compiled from the iOS client app?
Design for Facebook authentication in an iOS app that also accesses a secured web service
This post helped me undesrtand it more. If I am not mistaken, the flow goes like this:
User authenticates in iOS app
iOS app takes auth token, sends it to the rails app
Rails app takes auth token and sends it to graph.facebook.com/?auth_token=XXX to get back the user if authentication was successful.
Rails app takes the user info and matches/creates user in own database table. Sends some kind of authentication key back to iOS app.
iOS app saves the authentication key so it can use it to communicate with the rails app.
Let me know if I am missing anything.
Have you looked at the iOS docs for Single Sign On (SSO)? https://developers.facebook.com/docs/guides/mobile/#ios
You can share an app ID across mobile, canvas and web site and the same user auth works for each environment.
Check out: https://developers.facebook.com/docs/authentication/
Facebook Platform provides a number of ways to use the above OAuth flows in different app types, including Websites, Apps on Facebook.com, Mobile and Desktop Apps.
You just need to insert users Facebook key to your database to know if its authenticated with Facebook. Use OAuth at ios side authenticate user take users secret key send it to your rest web-service and save it with users other info.