email and password authentication in springboot like firebase - spring-boot

I am currently working on a small project.
I use flutter for the frontend and springboot for the backend.
I want the springboot application to run locally on a raspberry pi.
Now I am wondering if it is possible to implement a firebase (email/password) like authentication/authorization in springboot (without using firebase or any other cloud-based solution) where you don't have to log in every time you open the app.
Or you could compare it to facebook, instagram, snapchat, ... in all of these apps you stay logged in the whole time.
What possible ways are there to implement this in springboot?
I mean I could store the login credentials on the phone but I guess that wouldn't be secure or the correct way, right?

As you are approaching, there are several ways you can authenticate your end user in the mobile application.
Using email password
Using phone number verification
Using third party authentication provider (facebook, gmail etc.)
Without knowing your target end users, it's hard to determine an appropriate authentication mechanism.
As you are developing a flutter application and targeting mobile users, I assume your end users have a SIM card installed in their mobile device, and using the phone number and OTP based solution seems frictionless for your end user.
You can use firebase admin sdk, prompt the user to type in their phone number and send an OTP to that phone number, then ask the end user for the correct OTP. Send back the OTP to firebase, firebase will give you an idToken (a token in firebase realm). Pass that idToken to the server (spring boot rest service) and verify it from firebase. Firebase will reply with user details (basically the phone number).
Whole process involves setting up a firebase project, installing admin sdk and some tweaking in both mobile application and spring boot end.
For more info start here https://firebase.google.com/docs/admin/setup

Related

Password Authentication with Vaadin Flow and Firebase

I set up a Spring Boot project using https://start.spring.io including Spring Security and Vaadin. Then I set the Vaadin version to 22.0.4 and followed this tutorial to set up a login page using Vaadin Flow and Spring Security: https://vaadin.com/docs/v22/flow/tutorial/login-and-authentication
This works perfectly and checks login attempts against an InMemoryUserDetailsManager having a dummy user. As you can see in the tutorial, this is configured in the WebSecurity class, which extends VaadinWebSecurityConfigurerAdapter.
Now, I want to authenticate against Firebase users with email address and password instead. Therefore, I set up a Firebase project and added a user. I first thought that the login can be done using the Firebase Admin SDK, but now I think this is not possible.
How can I authenticate Firebase users with email address and password in my Spring Boot application using Vaadin Flow as a frontend framework?
Firebase has two types of SDKs:
Its regular SDKs are designed to be used in client-side, untrusted environments, such as web front-ends, Android apps, or iOS apps.
Its Admin SDKs are designed to be used in (typically server-side), trusted environments, such as your development machine, a server that you control, or Cloud Functions/Cloud Run.
Only the regular, client-side SDKs have methods to sign the user in. For the Admin SDKs this is not needed, since they already run in a trusted environment and thus establish their credentials in some other way (typically through a credentials file that you download from the Firebase/Cloud console).
So there's no way to sign in to Firebase on your server-side code. This also would not make a lot of sense, because a lot of users will likely be accessing the server at once, so who is the current user?
Instead, in Firebase you typically sign the user in client-side through one of the regular SDKs, and then (if needed) you pass the ID token to the server, where your code (through an Admin SDK if available) can decode that ID token and determine what user is making the request.
You can mint your own ID token in the Admin SDK, but the flow remains the same there and you typically use this to implement a custom sign-in provider.
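One way to do the server-side ID token check described above in a Spring Boot service, as an added example (not code from the answers or from Firebase). It assumes the firebase-admin dependency, a FirebaseApp initialised at startup, javax.servlet (Spring Boot 2.x), and a hypothetical filter name and ROLE_USER authority.

```java
// Added example: Spring Security filter that verifies a Firebase ID token.
// FirebaseIdTokenFilter and ROLE_USER are assumed names, not from the page.
import com.google.firebase.auth.FirebaseAuth;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

public class FirebaseIdTokenFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(request, response); // anonymous; access rules decide later
            return;
        }
        FirebaseToken token;
        try {
            // Verifies signature, expiry, issuer and audience; 'true' also rejects
            // tokens issued before the user's sessions were revoked.
            token = FirebaseAuth.getInstance()
                    .verifyIdToken(header.substring(7).trim(), true);
        } catch (FirebaseAuthException | IllegalArgumentException e) {
            // Invalid, expired or revoked token: fail closed, return no detail.
            SecurityContextHolder.clearContext();
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The principal is the uid from the verified token, never a client-supplied name.
        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                token.getUid(), null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }
}
```

Register the filter ahead of the form-login filter in the security configuration, for example with `http.addFilterBefore(new FirebaseIdTokenFilter(), UsernamePasswordAuthenticationFilter.class)`.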

Mobile sign up with spring social

I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it requires the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.

Couchdb external authentication

I am developing a family of utility apps where each app could be available on desktop, mobile and the web. After some research I decided to go with pouchdb on the client and couchdb on the server to provide offline sync.
A user would be able to create an account on the web (A Laravel Spark app) to manage their app subscriptions/payments and also access the web versions of the apps. On mobile and desktop the user would sign into each app using their credentials to unlock functionality.
I am planning on taking a database per user approach in couchdb with filtered replication (based on the app the files belong to). The basic requirement is that the user can sign in once in the apps and then securely replicate to couchdb forevermore (until sign out).
What would be the best approach to take for authentication with couchdb given the use case outlined below?
Proxy all requests via Laravel for authentication
On account creation in the Laravel app create a couchdb user with a randomly generated password and when the user signs in on the app return this password to authenticate future requests (are there limits on the number of users created?)
Use the Laravel app as an oauth server and make requests to couchdb direct using an oauth token.
Something else?
In the end I found the best approach to proxy all requests to CouchDB through Laravel, utilising the Passport package for API authentication.
To do this I hooked into the Spark::createUsersWith() function in the SparkServiceProvider to set up a CouchDB database on user registration via the following steps:
Generate a couchdb specific username and save it in the user record.
Create a couchdb database with the same name as that generated in step 1.
Add a design document to the database with a filter for app specific syncing.
Add a security document to only allow read/writes from the database owner (created in subsequent step).
Create a CouchDB user with the username generated in step 1.
The user can then log into the app using their username and password to receive an OAuth2 password grant token.
All syncing requests are then made with the auth token to my sync proxy controller detailed in this gist.
To save a search PouchDB can be set up to send the OAuth token automatically as follows:
    this._remoteDB = new PouchDB(url, {
        ajax: {
            headers: {
                "Authorization": "Bearer " + localStorage.getItem("token")
            }
        }
    });

Undisplaying the permission screen for each user. (Case: Using API don't support Service Account authentication)

We publish an app that uses OAuth 2.0 API access on Google Apps Marketplace. It got reviewed by Google and they said our app is invalid because it shows the permission screen when a user first runs the app. (The app will be removed from the Google Apps Marketplace if our app is not fixed within 30 days.) To solve this issue, we have some problems.
Our app uses OpenID Connect to make users login.
Our app also uses Spreadsheet API and Calendar Resource API (OAuth 2.0 Web Application Flow)
So our questions related to the above are the following:
1. Although our app uses OpenID Connect for login, using OpenID Connect forces our app to show the permission screen. Doesn't it meet the best practice below of Google Apps Marketplace?
https://developers.google.com/apps-marketplace/practices#5_use_one-click_single_sign-on
We followed the OpenID Connect document provided by Google:
https://developers.google.com/accounts/docs/OAuth2Login
2. Since Spreadsheet API and Calendar Resource API don't currently support the authentication method using Service Account with OAuth 2.0, we chose to use the method of Web Application Flow. Our app gets the token when users log in, but Google told us that it fails to meet their SSO requirements. To solve the issue, we are thinking of changing our app to authorize AFTER login within the app instead (use Web Application Flow method as it is). Does this way meet the SSO requirements? In other words, is it OK to show the permission screen if it is after login?
We will appreciate it if anyone can tell us a good solution to solve these problems.
Thanks,
If you register your scopes in the Google Apps Marketplace configuration screen, and then only request those scopes in the OpenID Connect flow, then the permissions screen should be automatically skipped. Please ensure the scopes match between these two locations.

How to manage a user session using Azure Mobile Services?

I'm building mobile applications using .NET. What I'm looking for is a way to manage user sessions and info using Azure Mobile Services. I've read a lot about the authentication in Azure Mobile Services, but this only authenticates a user via Facebook, Twitter, etc ... to access azure services.
I'm looking for user session management, i.e. register, login, logout. Be able to save and retrieve user info, i.e., save certain info against the user such as age for example. Also session management and caching, i.e. the user will remain logged on when the app is closed and re-opened. Also azure mobile services doesn't seem to provide a way to allow me to register users via email.
Basically, if anyone is familiar with Parse, I'm looking for having similar functionality in Azure. Can anyone help please?
Thanks
Out of the box, Mobile Services provides easy authentication with social providers (Facebook, Twitter, etc) and Azure Active Directory. If you want to do registration via email, you'll have to create a custom auth system. This is going to be more complex than just flipping a switch and using Facebook auth, but totally doable and I can point you in the right direction. First, check out this post that will explain how you can create a registration / login system using custom API and the script backend. If you're using a .NET backend, you'll need to alter things a bit (the samples are in JS) but it should be pretty easy to convert. The only piece that is really missing from that post is how to do email verification. To do this with Mobile Services, I would suggest the following.
Sign up for a SendGrid account (free in the Azure store)
From your script, after registering the user, generate a random alphanumeric string that is saved to their account / user record in the table.
Use the same string to create a URL which you can send to the user's email address (check out this tutorial for sending email via SendGrid and Mobile Services).
The link can either go to a different custom API or a web front end. When that endpoint is hit, it should update the user record to show that they have verified their email address.
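The verification-link steps above, as an added example in plain Java (not code from the answer or from Mobile Services). It goes slightly beyond the answer by storing only a SHA-256 hash of the token and giving it an expiry; the class and method names, the 24-hour lifetime and the in-memory map standing in for the user table are assumptions.

```java
// Added example: single-use e-mail verification tokens, JDK only.
// EmailVerification, issue() and verify() are hypothetical names.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class EmailVerification {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofHours(24); // assumed lifetime

    private static final class Pending {
        final byte[] hash; final Instant expires;
        Pending(byte[] hash, Instant expires) { this.hash = hash; this.expires = expires; }
    }
    // Stand-in for the user table: userId -> hash of the outstanding token.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    /** Returns the token to embed in the mailed link; only its hash is stored. */
    public String issue(String userId) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(userId, new Pending(sha256(token), Instant.now().plus(TTL)));
        return token;
    }

    /** Succeeds at most once per issued token; a wrong guess does not burn it. */
    public boolean verify(String userId, String token) {
        Pending p = pending.get(userId);
        if (p == null || token == null) return false;
        if (Instant.now().isAfter(p.expires)) { pending.remove(userId, p); return false; }
        if (!MessageDigest.isEqual(p.hash, sha256(token))) return false; // constant-time
        return pending.remove(userId, p);                // atomic consume: one caller wins
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.US_ASCII));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);          // SHA-256 is required in every JRE
        }
    }
}
```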
