For an App I'm working on, we're considering part of an organisation's pricing being based on the number of users an organisation has. For this, we'd need some mechanism to ensure that a user's login isn't shared within an organisation.
One approach would be to use UIDevice.currentDevice.identifierForVendor, but this wouldn't allow a user to be signed in with more than one device.
I wondered if there is some way to access an anonymised version of the user's Apple ID, hashed and salted with our vendor ID (and even application ID) so that it doesn't allow for tracking and introduce privacy concerns.
Using this at login would restrict a user account to only be used by devices having the same Apple ID, which would be a good enough protection against account sharing, I think.
If not – any thoughts on how else we might add a per user component to pricing?
Thanks.
Related
I'm working on a social media project where users can sign in with their different profiles on different platforms (Facebook, Twitter etc.)
Currently, the app hasn't got a sign in option via Apple. The thing I want to achieve is, after signing in with Apple, storing that respective user's app store id(s) (if there is any) to later make it possible to query (and show) the reviews made under user's particular applications.
I search through app store connect API documents, but cannot find any solid info. And, run into some outdated discussions, thus cannot be sure about the questions in my mind:
Is it possible to retrieve an Apple User's app store ID(s) after make her signing in with Apple?
If yes, what is the necessary endpoint to retrieve app store IDs?
Lastly, I understand I also need to create an account on Apple for my app to make these sign in features possible on my app. Should I require to pay for my Apple account to make these kind of features (signin in, making API endpoint calls etc.) activated on my app?
Thank you in advance.
I am currently uniquely identifying a user by storing the FacebookID of that user. I recently read around and I saw that this is incorrect usage and that Facebook ID's can change for some reason, all in all that I shouldn't use them. Is this true? If so, is a AWS Cognito ID that is derived when a new facebook user signs in and authenticates themselves a viable way to uniquely identify a user? If not, How would I uniquely link a facebook account, with apparently no variable that is stable enough to store, with a unique identifier to store in my database?
Check the following statement (from the official documentation: https://developers.facebook.com/docs/apps/upgrading):
No matter what version they originally used to sign up for your app, the ID will remain the same for people who have already logged into your app. This change is backwards-compatible for anyone who has logged into your app at any point in the past.
So, you can use the Facebook ID to uniquely identify your users.
However, depending on your use case and the way you plan to manage security, you should consider a few more things. The purpose of AWS Cognito ID is not to be communicated between users, it is kept between your app and Cognito. So if you want users to communicate using their accounts (sending text messages for example), the Facebook ID is more suited for that. Nevertheless, I am experiencing this problem when trying to achieve fine-grained access control using DynamoDB.
As Hatim said, the Cognito identity id is not meant to be shared between users.
That being said, once an identity id has a login associated to it, it could only change on merging with another authenticated id. Unless you're doing that, which it doesn't sound like you are, it would be a stable way to identify your users. You could use the identity id as the identifier in your database, as long as it isn't exposed.
If you're using DynamoDB, as this blog post explains, doing it this way allows you to configure your IAM roles to make access to this data more secure.
I want to create an iOS app and use Facebook Login and it will also have other way to Login with email. I thought of keeping email-id field mandatory and unique so that users can be identified uniquely irrespective of the way of login!
Apple keep all the apps in serious consideration so does apple restrict this mandatory field of email in Facebook Login?
Does apple come into picture while communicating to Facebook Server?
Will Apple reject the app if email field is mandatory?
Apple does not allow apps that require you to share person information to work, like an e-mail address.
See: 17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected
It also states that your app is asking to create an account to access the full app and even needs the account or access features that do not require the user to have an account. You can make those features available without the account creating you might be able to get through the review.
If your app is featuring only account based functionality that is specific to a user, i don't think you will get rejection on asking users to register via email. Snippet from Apple app review guideline's clause 17.2 -
"Apps cannot require user registration prior to allowing access to app
features and content that are not associated specifically to the user.
User registration that requires the sharing of personal information
must be optional or tied to account-specific functionality.
Additionally, the requested information must be relevant to the
features."
I'm integrating with the Nest API and I'd like to know to whom an access_token belongs. I don't need an email or name or anything identifying the account holder, I just need a unique account identifier.
Is there something like https://developer-api.nest.com/account.json or user.json?
Documentation: API Reference
There isn't something account specific, but both structures and devices can only belong to one account, so you could use the structure_id as the unique identifier. It is unlikely that a user would delete their primary structure (kind of hard to to) and you can guarantee that any two users don't have the same structure.
You might notice this ID is different for each developer account, this is to protect the user's privacy. (e.g. developers can't serve ads based on unique identifiers)
Me and my colleagues developing an application (both web application and mobile app(iPhone & android)), which includes a login process.
Currently, we have our own login mechanism (where users have signed for an account on our app, and have stored their info in our Database). We are looking into integrating oAuth and allowing users to login with Facebook, Twitter, LinkedIn and Google.
Now, when the users logs with any of those, as I understand the login process occurs outside our application and basically only get permission to access their resources.
My question is this: through oAuth, how do we remember users? i.e., users who login have read /write privileges and have preferences. How do we remember those when they don't actually sign up through our app.. Can we store their email address in our "Users" table??
What are the best practices in such a scenario?
Thanks for any info you can provide.
Having built authentication databases for a few different OAuth-enabled web sites, I can say that I've learned a few things that you should keep in mind.
You should have a table of users for your site that is completely independent of which OAuth provider they used for sign-up/sign-in. This enables your site users to combine multiple accounts together under their primary identity on your site. (For example, associate both Facebook and Twitter with you.)
When you let a user sign up, you should get an email address from them. Whether you ask Facebook for it, or if you have to ask directly. This enables you to "upgrade" users later from depending purely on third party OAuth to setting their own password on your site. (You simply send them a link to your password reset page in order to get them started creating their first password.)
You don't want to use email address as your primary key. I'm not sure if that's what you're actually describing or not, but you really want them to have a local user ID that you use for maintaining their session, etc. You then associate their Facebook ID or their Twitter ID with that local ID, and use the correspondence between such identifiers to match up which of your site's users to consider logged in.