I'm new to Yodlee, and it seems to me from their guidelines, that you need to sign in with the consumer's credentials every time I want to request their transactions. I wanted to know if there is an OAuth way of doing this, or any other way, without having to store the consumer's creds in my database? I don't want my users to have to log in every single time or whenever the session is timed-out.
Is this what Yodlee calls FastLink? If possible, please provide a sample code (Java). Thank you.
In short- No, it is not mandatory for you to store user's bank credentials in your data base.
Detailed:
For your better understanding I am explaining the steps involved in detail for user login and credentials storing.
There are 3 steps involved.
Step 1: User come to your Application and your application validate it for e.g., they might register on day 1 and on day 2 they'll come to your application and login. You should be storing their login information to validate them. You can use this same credentials of user to register and login to Yodlee system.
Step 2: Yodlee requires bank name and its credentials of that particular user for aggregation, you can store these credentials at your end(Database) or need not to store(instead directly pass it on to Yodlee) and Yodlee will store it into their database for further processing i.e., refreshing and getting latest data and transactions details after login in on behalf of user. You can invoke Yodlee Fastlink wizard and allow user to search the particular Bank site and add an account. This will speed up the process of integration with Yodlee and also in this case user is entering his/her credentials directly to Yodlee.
Step 3: Yodlee will refresh the account for that particular user using the bank credentials saved in the Yodlee system and you can retrieve the data from Yodlee database using the user login credentials with which user has registered to your application(not bank credentials).
User has to login and refresh the sites which asks for MFA(Multi-Factor Authentication), coz it requires their interaction.
Here you'll find the details for Fastlink integration.
Related
I’m creating application that uses Firebase. I want to allow users to register in application optionally, so user can use my application for year for example and never register.
If user wants he may register (and we will link anonymous login to new account), but that must be an option not required feature.
Now I can use FIRAuth.auth()?.signInAnonymouslyWithCompletion(), all working is okay except if session will expire and app will be closed. I can’t sign in again with that UID, so all user’s data is lost.
How can I signIn with same UID or make that anonymous authentication (users hate that requires registration on each application)?
P.S. You may say that I need custom authentication, but as I read for that I need custom authentication server, I have only app and Firebase server.
#Frank van Puffelen posted correct answer:
The session for your anonymous user should not expire as far as I
know. The access token will expire, but will auto-refresh.
I have a website where users can create an account and log in. This is stored in a database on the server. I also want users to be able to log in with Facebook etc, and thus skip the account creation. I don't know how to combine this and keep it persistent in the database. Any good examples on this use case?
Let's first see how logins work in general. When a user is logging in for the first time, a session id is generated for the user and is stored in the browser of the user as a cookie (note that there are mechanisms to store session id without a cookie, but let's assume you require a cookie for simplicity).
For subsequent requests to other pages in the same website, the cookie is also sent along. With this cookie (which has the session id), the unique user can be identified.
So, all that you require to know to identify a user in the server side (upon a web request) is the session id.
Having said that, if you want to include facebook etc into the login mechanisms, you need to do two things:
Connect your website with facebook (you will require a facebook developer account and some keys. Look here). When you do this successfully, if the user selects facebook login, your website should redirect to facebook login page and once the user logs in into facebook account, facebook will redirect back to your website with a token. This token is an indication that the user is a 'real' user. If required, you can use the token to get more details (such as facebook id, email address, name, etc.) from APIs facebook.
The second step is the same for any authentication flow. You need to generate a session id for use by your server and then save the session id in cookie.
What I have specified is the general flow on how your requirement could be achieved. The mechanics of how to do this will depend on the server side technology that you are adopting (such as ASP.NET, Ruby, etc.)
Additionally, if your website requires storing information about the user behavior / user activity, you may need to additionally check if the user logged in via FB already exists in your database. If not present, you can store the user's facebook id or something to uniquely identify the user later. With this as the primary key / user id, you can store user activity (such as inserting a record in orders table if the user purchases a product).
I've been looking into OAuth for a while, but haven't implemented it in any of my applications yet. I'm having trouble really understanding the full concept, so I still have a few questions that I haven't found an answer to, so I hope that anyone can help me.
I want a user to be able to start my application (WP8), login to facebook / twitter / microsoft / ... .
When he gets authenticated, I want to actually save this user to my own DB so I can add some user specific stuff like preferences, posts, ... .
What do I need to save in my own DB to specify a user?
Do I need to save the token itself or is this something that will be invalidated after a while? Or do I need to specify the user's name? With other words: What can I use as a unique identifier?
And what happens when a user would authenticate with for example facebook and he deletes his account?
And one more question, would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?
I hope my questions are clear enough!
If not, don't hesitate to ask for more information!
Kind regards,
Gert
I assume that you have your own back-end where you authenticate your own users and your WP8 application is just a client.
First, let me distinguish between a user credential and a user profile. User credential is something that validates who the user is, e.g. username/password, facebook user id supplied with a valid auth token. User profile, is what you store in your own database about the user.
You also need to distinguish between a token you use to authenticate the user and the AccessToken Facebook needs to grant you access to user's data.
So... to answer your questions:
What do I need to save in my own DB to specify a user?
Create a record with user data (like preferences, and your unique user ID), and user's login method (e.g. Facebook) and credential (e.g. Facebook's user ID). This is your user's profile.
Do I need to save the token itself or is this something that will be invalidated after a while?
You can also store the Facebook AccessToken here if you've been granted "offline access" privileges by Facebook, but that is used for Facebook's access by you... not by the user's access to your app/back-end. For user's access you could just use a mechanism similar to cookie-based authentication - it's up to you. You could use the AccessToken as a kind of a "cookie", but you would need to always check against Facebook that it's valid.
With other words: What can I use as a unique identifier?
You could treat Facebook's ID as unique (so long as you never allow another account in your user profile DB to link with the same Facebook account)
And what happens when a user would authenticate with for example facebook and he deletes his account?
It's a good idea to have users still create a username/password combination that works with you site and only rely on Facebook login for convenience. In any case, Facebook provides a "Deauthorize Callback URL" when you create an app profile on Facebook. This is called when a user deactivates your app or deletes an account with Facebook. When you receive this call, you could send your user an email when an auth link to setup a different credential so as to not lose access.
would you ever allow a user to connect to an application with 2 different service providers? If so, how would you make the coupling of these 2 providers to 1 user in your own DB?
Sure, you could do that. Say you'd want to allow a Twitter account as well. You'd need to add a Twitter user ID field to your user profile database.
Here's another tip: create an ASP.NET MVC4 project in Visual Studio - the template includes an example of how to set up a user profile database with OAuth login.
Hope it gives you the high-level overview to investigate further.
I am using tweepy api for oauth: http://packages.python.org/tweepy/html/auth_tutorial.html#oauth-authentication
The first time, user is ask to authorize my app. But from the second time, I dont want the user to be asked to authorize my app again.
The tutorial says
It is a good idea to save the access token for later use. You do not need to re-fetch it each time. Twitter currently does not expire the tokens, so the only time it would ever go invalid is if the user revokes our application access. To store the access token depends on your application. Basically you need to store 2 string values: key and secret:
auth.access_token.key
auth.access_token.secret
I plan to store access_token key and secret to a session. When user use my app the second time, I will just use the access_token, so user will not be forced to authorize my app again.
However, THE PROBLEM IS that what happen when many twitter users use my app, how can I know which access_token belong to which user.
I hope my question is clear.
Stop twitter to force user to authorize my app from second time.
if I need to store access_token to solve (1), how can I know which access_token belong to which user.
You need to implement session management in your web app and associate session IDs with your user model which stores the auth information. You don't say what language you are using but if you use the Ruby on Rails framework then session management is easily done. I recommend the Devise gem with omniauth-twitter (https://github.com/arunagw/omniauth-twitter).
as I started to work with Twitterizer in order to publish on someone's wall I am in confusing time.
There is a page, my case, DefaultTwitter.aspx where is link to authenticate on twitter with token provided. Goes on Twitter and comes back to CallbackTwitter.aspx with outh_token and secret. And so the user is identified. On twitterizer example says:
Step 5 - Store the results
You should now store the access token and the user details. Keep in mind that the
only way an access token will become invalid is if the user revokes access by logging
into Twitter. Otherwise, those values will grant you access to that user's data
forever.
My questions are: - should I store any data in SQL datatable and what exactly(however I hope that is not the case to do so)
somebody said that I should save in a cookie(I thought in session); however then if another user comes then how should I create a button to logout or something like that?
-how will user revoke application access if he would like so?
A live example will be much appreciated as I could not found any on internet how exactly twitter api works.
When your application finishes getting authorization to access the user's data, the result is the access token (represented by 2 values, a key and a secret). Those values are, in effect, the username/password you can use in requests to the API on behalf of that user.* Save those values in your SQL database. You'll also be given the user id and screen name. It's probably a good idea to keep those handy, too.
The user can revoke access to an application by going to http://twitter.com/settings/applications, finding the application and clicking the revoke access button next to it. Your application cannot revoke access for the user.
You asked for an example, but you're citing the example application. Just look at the source code in that sample.
* - That's a simplification for explanation sake. Please don't crucify me, OAuth experts.