Authentication of Rails user for Android app - ruby-on-rails

I'm working on a school project. We are going to make a bug/rodent themed tower defense game. The game will primarily be an Android app. There will also be (at least we want there to be) a Ruby on Rails website/application tied together with it.
One of the requirements for the project is to implement three levels of user that will interact with the project. We decided that the three types of users will be administrators, guest players, and players with accounts. Players with accounts will be able to accumulate perks. Guest players will be able to play, but won't have any capacity to earn perks over time. The administrators will be able to manage the users with accounts (delete, edit, et cetera) via a web browser and the Rails application.
I want the users with accounts to be able to log in to the Rails application via the Android app. There will be parts of the game that only users with accounts will be able to access. How can we create a login/logout scheme for the Android app? I'm thinking it will be something like the user enters their username/password, taps login, and then the Android app will send a request to the Rails side. Once the user is logged in via the Android app, they can access certain parts of the Android app that guest users cannot.
How would I go about this? I'm not sure where to start.
Would the Android app, using Java, send http requests to the Rails application (sending the username and password)? Then would the Rails application send back some sort of success? How would the Android app hold onto this successful login like a session in a web browser? Also, the Android app will need to update user attributes in the Rails database (something like accumulated perks).
Is this possible?
I've seen miscellaneous information about how to do this scattered online in blogs, on stackoverflow, and on discussion boards. But, I haven't found a coherent solution for my group's needs.
Thanks.

You can use your Rails app as an OAuth provider (https://github.com/pelle/oauth-plugin) and use an OAuth client library on the mobile application.

Related

Multiple Facebook Apps backed by same Spring Boot application

So I was following the below (classic) tutorial for spring boot with facebook:
https://spring.io/guides/tutorials/spring-boot-oauth2/
Everything is working fine, however I can't find documentation to help me implement my specific use case. So here it goes:
I'll have two facebook apps: one for the owner and another for the regular user
These two facebook apps will ask for different permissions (ex: for owner app it'll ask for permission to post in the fanpage and for the regular user it'll only for basic user info)
There will be two real applications: one mobile (iOS and Android) and another browser-based application (that's not really relevant)
REST API will be secured based on roles, meaning that the owner will have the OWNER role and the regular user will have the REGULAR_USER role, so that, for example, the regular user won't be able to call the API to post on the fanpage
Both applications will make it possible to log in with or without Facebook, because I need a users table to store more information and so on
Eventually a regular user can log in as owner if he/she downloads the owner app
So, to summarize, I need:
Two facebook apps to be backed by same spring boot application
The ability to authorize a user with APP ID X and assign the OWNER role, and the ability to authorize a user with APP ID Y and assign the REGULAR_USER role
To be able to configure (in the YML) two different facebook apps
The user to be able to merge existing account with facebook if he authorizes later on
I guess that's it. I'll edit later if I find more useful information to provide.
Thanks!
There is Dave Syer's project that shows how to set up an Authorization Server and multiple Resource Servers in the same app.
Similar question with solution: OAuth2 SSO for multiple resource servers with spring boot and jHipster

Rails Api Authentication vs User Authentication

I am using rails 4 and developing my first API. The API will be used solely for our android and ios apps to communicate with the rails app / database.
I am struggling to see the difference between API authentication and user authentication when it comes to an API. It seems people use these terms interchangeably.
I want my api to be secure, meaning only the apps can submit http requests, but I also want users to be able to log in. And when I say users, I mean app users... not outside clients who are accessing our api (we don't want this at all).
Would love if someone could clear this up for me. I may just not be thinking about it in the right way, therefore confusing myself.
So to break it down, these are the two things I need to be able to do:
secure the api of course... making it so only the mobile apps can access it
users are able to log in and access their profile, resources that belongs_to them, etc. When users aren't logged in, they still need to be able to see the index and other pages that don't require a logged-in user.
thx!
Have you heard of JWT? It's a good option to handle users with the app and the Rails API separated.
Gem for jwt in rails: https://github.com/nsarno/knock
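As an added example (not code from either answer, nor from the knock gem), here is the token flow underneath the JWT suggestion above, which is also the answer to the original question of how the Android app "holds onto" a login: after the password check, the Rails side issues a signed, expiring HS256 token, the app stores it and sends it back in an Authorization header, and the API verifies it on each request. SECRET is a constructed placeholder and the function names are hypothetical.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed placeholder; a Rails app would use a dedicated credential
# (e.g. from credentials.yml.enc), never a literal in source.
SECRET = 'constructed-demo-secret-do-not-use'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def hmac(data)
  OpenSSL::HMAC.digest('SHA256', SECRET, data)
end

# Issued once the password check succeeds (e.g. user.authenticate(pw)).
# This string is what the mobile app stores instead of a browser cookie.
def issue_token(user_id, ttl: 3600, now: Time.now.to_i)
  header  = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate({ sub: user_id, iat: now, exp: now + ttl }))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url(hmac(signing_input))}"
end

# Returns the user id for a valid token, nil otherwise. The signature is
# checked in constant time before any claim is trusted; expired tokens
# and unexpected algorithms are rejected.
def verify_token(token, now: Time.now.to_i)
  header, payload, sig = token.to_s.split('.')
  return nil unless header && payload && sig
  signing_input = "#{header}.#{payload}"
  expected = b64url(hmac(signing_input))
  return nil unless OpenSSL.secure_compare(expected, sig)
  hdr = JSON.parse(Base64.urlsafe_decode64(header))
  return nil unless hdr.is_a?(Hash) && hdr['alg'] == 'HS256'
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer)
  return nil unless now < claims['exp']
  claims['sub']
rescue JSON::ParserError, ArgumentError
  nil
end

# What a before_action in the API controllers would do with the header
# the app sends: "Authorization: Bearer <token>".
def current_user_id(authorization_header, now: Time.now.to_i)
  return nil unless authorization_header.to_s.start_with?('Bearer ')
  verify_token(authorization_header.delete_prefix('Bearer '), now: now)
end
```

Logout on the app side is just discarding the stored token; because the token carries its own expiry, the server keeps no session state, which is the property that makes this fit a mobile client.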

Rails app as backend for multiple apps

We're developing a Rails app that will serve as a backend for multiple apps. The Rails app will have a web CMS that will let admin users to manage their mobile apps (one admin user can have 1..N mobile apps).
The same Rails app will also serve as an API for those mobile apps. The mobile apps are completely separated one from each others, not sharing any data among them. We have users with different roles (global_admin which manages his app in the CMS, place_manager which manages his place in the app within the CMS, and users of the mobile app). These users are not shared between apps (if a user signs up in a mobile app, he will be able to log in only in that app; so if he wants to log in another mobile app he needs to register again).
Which is the best approach to achieve this? We are thinking about:
Option 1: we can have a single User model, with different roles on different apps (global_admin on app 1, user on app 2, manager on app 3...). If a user signs up for app 1, a record is created, and if he signs up for app 2, we only add a role to it, but he thinks that he created a new account.
Option 2: we can create a record for each user on each app (removing the uniqueness constraint on the email field)
Option X: ideas?
Thank you in advance
The API/API users scenario looks like a situation for multi-tenancy in which each app runs as a separate instance. You can look at something like Apartment for database level multitenancy, or Milia for app level multitenancy.
Database level is generally easier to manage, but you will need a workaround for the global admin requirement.
I suggest the following approach if you would like to use a single rails application for multiple mobile apps.
For users you can have different API returning different kinds of users, specific to the application requirement.
Use STI to differentiate users for each app (in this way, you could have only a single table for users but different models)
These users are not shared between apps (if a user signs up in a mobile app, he will be able to log in only in that app; so if he wants to log in another mobile app he needs to register again).
In my opinion these are three different Rails apps. Obviously the apps have nothing in common, in particular no data is shared.
I think Option 1 would work well in your case. You can setup a has_many :through relationship between apps and users that will contain information regarding the user's role for that particular application (assuming only one role per user per application).
With this approach the workflow would be a bit different than what you describe though. If the user is not registered at all (i.e. no record with that email exists), they will need to signup (email + password) at which point you'll create the user record (with hashed password) and setup the association to the mobile application. If the user IS already registered, you don't want them entering a new password again, you'll simply want to setup the association. This can be handled via first_or_create. Hope this helps.

OpenID-Connect, Google+ iOS SDK, no browser

It seems this used to be possible, but not anymore. Here's my dilemma: I'm creating an iPad educational software app, and I want to let students log in with their Google Apps for Education accounts using OpenID-Connect.
... I guess my first question is: is the current Google+ SDK the right way to perform login against GAFE? What about the forthcoming "Google Classroom"?
So say I do this - the student pushes the "login with google button", the sdk performs an app switch to safari and lets the user log in to their google account, push the permissioning buttons, and app-switches back to my app, and the user is now logged in. Fine. At the end of the class period, the user logs out of my app and hands in their device. The next period, though, another student logs in, and because the first user has forgotten to also log out of google in safari, the second user has access to their account.
... My second question is: is this a valid concern? Seems like this would be a pretty common usage pattern.
... Third question - can I get around this? Can I make Google+ sdk use an internal UIWebView, or no web stuff at all? This is what seems like used to be possible, but no longer...
EDIT: Spoke to google tech support for apps-for-enterprise (thx M!) and they say that there is no way to authenticate against google openid-connect without going through a browser. This is, I believe, a security problem - students being kids, they will forget to log out of the browser, and the next kids will get into mischief. Oh well.
The GPPSignin class describes itself as:
It provides single sign-on via the Google+ app (if installed), Chrome for iOS (if installed), or Mobile Safari.
Internal web views are not mentioned. You may need to implement OAuth2.0 on your own to allow your internal UIWebView to manage authorization.
Google publishes an API which includes a method to signOut. You can use it at your app's discretion in addition to the SDK requirement that a user be able to sign out manually.
https://developers.google.com/+/mobile/ios/api/interface_g_p_p_sign_in

How to oauth-login a server app via the mobile client (especially iOS, Twitter, but in general too)

We have a web application that supports Facebook and Twitter login/signup via oAuth (and can also post to FB/TW). Now we are building a mobile client and naturally we want people to be able to login-signup via FB-Twitter on mobile as well, on iOS even using system-integrated accounts.
Now mobile app and our server app are two different apps, however, and if I get oAuth correctly, we'll need to have two authentications: one for a mobile client (system account can be used), another one for a server (we'll have to show WebView for it).
Yet some existing apps seem to be fine with single authentication only (e.g. Flickr and Foursquare!). At least 4sq seems to be fine with the iOS system FB account only. How is it possible?
Do they share consumer key/secret between mobile and web app making it essentially the same app?
Do they use some FB-specific extension to oAuth?
Do they only use auth token wherever it comes from making it a user ID?
Something completely different?
Old question, but this may help someone who finds their way here.
Twitter Reverse Auth