Using ACS with Windows Phone - windows-phone-7

I'm lost. I'm developing a Windows Phone 7 app and I want to do the following:
I want to use Facebook, Live ID, Google and Yahoo to let user sign in my app. And also, it they don't have any of those account I will need to implement a sign up interface on Windows Azure.
I also need to store some ID from user signed in my app. For example, Facebook returns an ID for that user. But Google, Live ID and Yahoo! returns another ID. I will store this on a user table with these columns:
ID | Sing-IN-Type | ID-returned
ID: Primarty Key.
Sing-IN-Type: Foreign key to a table with Facebook, Google, etc. names.
ID-returned: ID returned by those webs.
I've read about ACS v2 and I'm not sure it will fit with my requisites. What do you think?

The ACS team has posted a sample that demonstrates how to implement federated auth in a phone app using the silverlight browser control:
http://acs.codeplex.com/wikipage?title=ACS%20Windows%20Phone%20Sample&referringTitle=Samples
The sample doesn't parse the token to extract the claims you're after, but it wouldn't take much code to do it.
After logging in, the application caches the token returned from ACS in a RequestSecurityTresponseStore, which is a member of the MainPage. There are Simple Web Token (SWT) handlers included in the DPE.OAuth project that you can make use of. In the context of MainPage.xaml.cs, the code would look like this:
SimpleWebToken swt = (SimpleWebToken)SimpleWebTokenHandler.GetTokenFromString( _rstrStore.SecurityToken );
You should then find the IdentityProvider (sign in type) and NameIdentifier (user ID) claims that ACS issued inside the swt.Parameters.
If you want to host your own custom sign in page in this scenario, ACS provides functionality for that as well:
http://msdn.microsoft.com/en-us/library/gg185963.aspx

You could also look at the hands on labs from the identity framework.

Related

Google javascript api client, automatically login to same account without popup

Is there a way to automatically authenticate the google javascript api client, without user interaction?
Something like this:
User loads webpage -> webpage automatically signs in into a predefined user account -> api calls get executed
Basically i want to prevent the popup where you have to select an account and sign in to it. As the account which will be signed in is always the same.
EDIT:
pinoyyid answer looks promising and is what im looking for. But this only works if the user has signed in with an account at least once, if im not mistaken.
Now i dont want to use an account supplied by the user, but a predefined account which i am the owner of and sign this account in.
Im not entirely sure if this is even possible, as i have to provide the password/some authentication code to google and somehow do this in a secure way.
Use Case: The website will create a Youtube Broadcast via the Youtube Data/Livestream API for the specified account.
Yes you can do that. Referring to https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow
there are three pieces of information that will get you where you want to be:-
The OAuth URL can include a login_hint which is the email of your intended user
The OAuth URL can also include prompt=none which will do its work silently
This all needs to run in an iframe because this is based on origins and redirects.
==EDIT==
If the requirement is for a browser client to connect to a Google Account other than that of the browser user, then this is not possible. It's kinda obvious really that to do so would require a credential in the browser which by definition is not a secure environment.
The approach I would take would be to use a service such as Lambda or Google Cloud Functions (or whatever marketing name they have this week) to create a proxy for the corresponding Google API using a credential stored server-side.

Can't read phone numbers from user's google profile using - auth/user.phonenumbers.read scope

Based on the documentation of Google People API I am using profile scope - https://www.googleapis.com/auth/user.phonenumbers.read and PersonFields=phoneNumbers to read the authenticated user's phone numbers only in their Google profile (none from the contact list). I am using API key and oAuth accesstoken to authorise the request. The google people API is not fetching the phone numbers associated with the profile with the above scope alone. Adding the scope for the entire contact list read access in addition to the above scope, which is www.googleapis.com/auth/contacts.readonly returns the phone numbers from the profile correctly. Is there any way to get user's phone numbers from his/her profile using only the user.phonenumbers.read scope?
I could figure out the problem. For 'user.phonenumbers.read' scope the documentation of people API states - 'your app be given read access to the authenticated user's phone numbers in their Google profile'.
But by 'Google profile' it indicates the Google Plus Profile which is completely different form their core google profile - My Account. People API is fetching information only from the Google Plus Profile.
So even if a user has his/her contact details added in My Account, the People API will not fetch their phone numbers unless they have added them manually in their Google Plus Profile. After adding the contact details I could fetch contact details with 'auth/user.phonenumbers.read' without the need of adding 'auth/contacts.readonly' scope.

Will the Azure AD v2.0 endpoint pass the same nameidentifier through as Access Control Services for the same Microsoft Account?

We are currently using Azure Access Control Services (***.accesscontrol.windows.net) to allow customers with personally-managed Microsoft Accounts (Identity Provider) to sign in to our customer self-service portals (Relying Party Applications), which are Angular apps powered by Web API services. In our Access Control Services we are currently passing through the nameidentifier http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier claim from Windows Live ID to the relying party APIs, which match that token to an identity in our applications.
We are looking to support both Enterprise and Personal Microsoft Accounts with the Azure AD v2.0 service, but do not understand how to migrate our existing users to the new system. The code examples suggest that the OWIN middleware returns the NameIdentifier claim from the user's Identity Provider, but if that Identity Provider is the same Microsoft Account (aka Windows Live ID), will that be the same NameIdentifier we are currently receiving via Access Control Services pass-through?
Any help and/or documentation that clarifies how this transition is intended to work would be appreciated.
If the nameidentifier coming out of ACS is the randomly generated value then you're kind of stuck because that value is unique to the ACS/RP/User. If it's returning the actual Live ID then it'll obviously only match if the Azure AD user has the same email address.
I don't know if any documentation out there that describes how to handle this situation. My recommendation is to just require a one-time authentication from each source within the same session and marry the two results. That would basically mean
authenticate to Azure AD
Your app: Hey you don't have any user details, do you want to associate a Live ID?
Authenticate Live ID
Associate Live ID with Azure AD
Then if they want to sign in with either accounts in the future you have a link between the two.

How to manage a user session using Azure Mobile Services?

I'm building mobile applications using .NET. What I'm looking for is a way to manage user sessions and info using Azure Mobile Services. I've read a lot about the authentication in Azure Mobile Services, but this only authenticates a user via Facebook, Twitter, etc ... to access azure services.
I'm looking for user session management, i.e. register, login, logout. Be able to save and retrieve user info, i.e., save certain info against the user such as age for example. Also session management and caching, i.e. the user will remain logged on when the app is closed and re-opened. Also azure mobile services doesn't seem to provide a way to allow me to register users via email.
Basically, If anyone is familiar with Parse, I'm looking for having similar functionality in Azure. Can anyone help please ?
Thanks
Out of the box, Mobile Services provides easy authentication with social providers (Facebook, Twitter, etc) and Azure Active Directory. If you want to do registration via email, you'll have to create a custom auth system. This is going to be more complex than just flipping a switch and using Facebook auth, but totally doable and I can point you in the right direction. First, check out this post that will explain how you can create a registration / login system using custom API and the script backend. If you're using a .NET backend, you'll need to alter thing a bit (the samples are in JS) but it should be pretty easy to convert. The only piece that is really missing from that post is how to do email verification. To do this with Mobile Services, I would suggest the following.
Sign up for a SendGrid account (free in the Azure store)
From your script, after registering the user, generate a random alphanumeric string that is saved to their account / user record in the table.
Use the same string to create a URL which you can send to the user's email address (check out this tutorial for sending email via SendGrid and Mobile Services).
The link can either go to a different custom API or a web front end. When that endpoint is hit, it should update the user record to show that they have verified their email address.

APP Inventor get current user functionality

I know on the Google App engine there is support for Google Accounts via user = users.get_current_user() functionality. I have used this and then I request the user to create account on my app. Is there anyway for the phone app to gain assess to the the user = users.get_current_user() functionality?
I have seen the example of creating a register / login on AI and storing it on TinyDB but the Google UserID is already available on the app engine. How do I access this functionality on the phone app?
with OAuth you can ask the user for permission to view his email address and read that information from his Google profile, see an example how to do that with App Inventor here http://puravidaapps.com/taifunOA.php
No, this feature does not exist. It has been proposed and can be voted for here.

Resources