While developing an iOS and Android app for a backend API, I'm using separate client IDs for each. However, I noticed something that I find odd, and I'm hoping someone can explain why this works and if it's ok to work this way.
What I noticed is that if my backend API code supplies the Google Sign In client object with a client ID during instantiation, then it must match the client ID used by iOS or Android. (The client ID is called "audience" in the Google API code.) However, if my backend API code do NOT supply the Google Sign In client object with a client ID, then iOS/Android will always validate.
This is how it works whether you use php, java, nodejs, etc.
I expected not using a client ID to fail, same as using a mismatched client ID.
So, my questions: Is it valid to have the backend server validate ID tokens without specifying a client ID? Is there anything wrong or unsafe with doing it this way? What's the point of having the second part of the if statement that checks to make sure that client.audience (if set) match idtoken.audience, if you can just leave client.audience blank and it works anyway?
I wonder about this because related documentation, such as the Android docs, state this as part of the verification process when authenticating with a backend:
The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
If the point is to prevent malicious apps from doing bad things, why is valid to simply not use a client ID during verification?
Thanks in advance! I'm hoping someone can help me understand this. I haven't found a solid answer in Google's documentation.
Related
We are using BotFramework Composer to create bots. These bots are supposed to get information from a backend REST service, where we need to know, which user is submitting the request for data. We are currently using {turn.activity.from.id} to get the Teams user's id, and sending it in a special http header in the "Send an HTTP request" action. We then perform a mapping of this id to our internal users.
We are, of course, aware, that this is not secure at all, since anyone who knows this, could get the user's id and send it to our service. We are currently thinking along the lines of generating a short-lived jwt token in the Bot to send to our application. However, we see no direct way of implementing this token generation in the Bot Framework Composer itself.
Also, we don't want to use OAuth, because we don't want the user to have to log in via the bot.
Is there a way to implement custom token generation using C# or js and assigning it to a dialog variable to be used in a "Send an HTTP request" action?
This document discusses how to implement an HTTP request in Composer. The first half is focused on creating a login for OAuth, which I know is not your focus, so look at the second half. If you set up a simple server that can generate a token for you, then you can make a request to it from Composer using the method described.
As links can break and docs can change (and Composer is still in Preview), I would recommend saving the doc somewhere and checking back every so often for any updates.
I've used HTTP requests from within Composer, myself, so I know this will work for you.
Hope of help!
You can create a custom Action or a package component and create any c# methods there for JWT generation. This will keep it all local to the bot.
https://learn.microsoft.com/en-us/composer/how-to-create-custom-actions
I would like to discuss my situation and understanding.
We need callers to video call customers. For this, I've been using Tokbox video chat.
I have setup a server for authentication purpose. It creates singleton session and generate tokens as given in the example code.
This is what I have in my mind till now
If callers A and B want to call customers C1 and C2, I guess I need to create two different sessions and their separate tokens.
I need to store session id and tokens for A and B separately in database or session
I need to send the session id and token to client mobile app so that client can subscribe
I don't need code, but just want to know if I'm going in right direction.
If a similar type of example links are available, that would be great
Thanks
Yes, I believe you're correct.
You can think of sessions like rooms, anyone whom joins the session (or room) can see and talk to each other.
Tokens can be thought of as keys to the room. If you have a token to the session, or a key to the room, then you're able to gain access.
You'll need to generate these sessionIds and tokens on a server, and store them in some sort of database. When caller A calls customer C1 a new sessionId will be generated. Then you'll need to generate a token for A and C1. They can now talk to each other. It's up to you to ensure that only A and C1 have access to the sessionId and tokens (using some sort of authentication and authorisation system).
I know the answer is too late but may help someone. I think you need not to store anything in database, so in your case, you are calling from web to mobile. I have implemented the same for my project. So the approach I am following is that I am creating an opentok Session and sending it to Mobile app using FCM, and connect on both web and Mobile. Once connection is established, We can start the actual Video chat. Since we are using FCM, we have mobile device Id, so we are sure that we are sending it to User it is intended for ( thus doing authentication as well)
everyone. I'm recently learning OAuth authentication. I'm playing around with google's oauth api. In the tutorial for Google Sign-In for server-side apps, in the third step - Initialize the GoogleAuth object, you need to provide the client id to initialize the GoogleAuth object. I'm just wondering if we need to keep the client id secret because right now anyone can find out what the client id is by looking into the javascript.
You don't need to hide the client ID, provided that you restricted access to specific JavaScript origins and redirect URI's on the server side. See more details on this Quora thread or this IETF thread.
If one calls the insert method while passing an api key on the request, then passing in a url like http://mostmedia.com/recent-projects always returns the same shortened url.
But if you authenticate using OAUTH then you get a new unique id for every long url you pass in, even when they are the same.
You can see this behavior in the api explorer when you toggle on and off OAUTH authentication:
https://developers.google.com/url-shortener/v1/url/insert
I don't see this documented anywhere, so it's hard to know whether this is a feature or a bug, or how we can expect it to behave in the future.
Does anyone know the official google line on this?
This is the intended behavior, see the section titled "Creating links when you’re signed in vs. signed out" on this doc: https://support.google.com/faqs/answer/190768 coped below:
Creating links when you’re signed in vs. signed out
Signed in
Your links are automatically added to goo.gl where you can track their
use.
A unique short URL is created each time a long URL is shortened.
Signed out
Your links won’t show up on your goo.gl page.
The same short URL is
reused each time a long URL is shortened by you or someone else.
That doc refers to the consumer product, but the behavior applies to the API as well. OAuth authentication is the API equivalent of being signed-in.
The reason a new short URL is returned on each call is so you can utilise multiple short-urls for tracking purposes.
I am developing an API for a social network website. This API will basically get all the requests from the users (get friend list, post a status update etc) and reply back if necessary.
We will implement OAuth 2.0 protocol for authentication. Consumer (our php project) has API id and secret.
Basic scenario:
Client wants to log in
API Consumer (php web project) takes this request, directs user to API
User send his/her user credentials to the api, gets the token.
User comes back to our website, pass token to the consumer.
Consumer goes to the api server, gets the access token.
Now consumer (php project) has access to user's private information.
Since this is a social network website, we want app developers to be able to use our API in the future.
I am not experienced in API-design. Does that flow make sense? I guess the simplest authentication would be accessing user information through php project. But we don't want to access database in php code. We will use ajax in client side and send a request to the API. And I believe there should be a better solution, what would you suggest?
Sure, API design is basically point where you need to choose technology.
Either it can be PHP or .net or Java.
I would prefer either PHP or .Net as we get lot of flexibility in it.
API will return XML or Json depending upon the request.
There are lot of CMS in php which can be helped.
.net we have Service Stack to help you.
API's had to be fully independent from other world as well as within API method as well.
If you are able to achieve this, then you will surely create a good architecture.