I'm looking for a good way for my application to know if the person needs to login (again) or not.
So meaning, if a person first uses the app, he needs to login. These login credentials are being verified by a webservice I've build. And after he is succesfully signed in, the next time he uses the application he doens't need to login again.
I've been looking around, but haven't found a clear solution.
I have read a few possibilities to handles this:
Storing this in a local database
Using the 'Settings plugin' from James Montemagno
Using local storage
Using KeyChain (IOS), KeyStore (Android)
It is not my entention to store the login credentials, only to remember if he has signed in previously or not.
Thanks you
You can use the 'Settings plugin' from James Montemagno to store a Boolean value ( LoggedIn = true or false).
But you might want to add a but more logic to your app. If someone is logged in, they should have a token that they'll use to communicate with your server...this token should have an expiry date and you should also have a refresh token.
Related
In the documents of Google One-Tap sign in, it says:
Returning users are signed in automatically, even when they switch devices or platforms, or after their session expires.
Question 1:
But it doesn't say anywhere how it does this? Is the user refresh token saved in the browser's cache? How can it then auto log in a user cross devices?
Question 2: The reason I ask is because I have a setup where I initialize the Google API client for JavaScript ("GAPI"). The GAPI library also automatically logs in a user whenever the client is "initialised" through gapi.client.init().
Now the problem is that after I have added the Google One-Tap code (Or should I say "YOLO code"? : ) my user gets logged in through One-Tap and also through GAPI. I can prevent this by not initializing the GAPI client, but I don't think that's wise, because I thought this whole library is built to manage my refresh tokens etc. Is my understanding correct that One-Tap does exactly the same and in case I only want to Authenticate users I do not need the GAPI client anymore?
Really, which library does a better job at managing my refresh tokens? And how do they differ? I'm clueless...
The way I implemented my login is the following:
Try to login in the user first using gapi.auth2. Maybe the user was previously signed into the site.
If can't login user automatically, then use googleyolo to try to find existing user accounts.
If no existing accounts, then present a signin button for user to signin.
I can give you some code snippet if you need.
To answer your questions.
#1, the credential is stored within the browser/device. If the user has never signed into google in a device, then yolo won't be able to sign in the user.
#2. googleyolo will also login the user, the difference is that it will give the account selector even if there's only one user to select (it will automatically login the user if there's only one). gapi simply sign in the user without showing anything.
Without changing my code or configuration, now google is asking users to grant permission every time when a user is trying to authenticate to my App. Even though the user already grated access and the scope didn't change.
I don't get any errors and the login works fine is just that now the google dialog asking for permissions appears every time.
To initialise google I use gapi.auth2.init with the "https://www.googleapis.com/auth/plus.profile.emails.read" as scope.
Also to request for access I use auth2.grantOfflineAccess.
I also checked in my Google account for Apps that have access and the application is registered successfully in there.
Anyone else has seen this issue? Or does know if google changed something in the way they handle permissions?
I believe I am seeing similar behavior... that the authentication flow has begun asking the user to grant the app permissions to the scopes every time they sign in. Previously, it would only proceed from sign-in to grant permissions the first time the user signed into the app. I haven't changed the scopes requested nor the underlying code recently... but also hadn't used the app in awhile (months?)
I'm using the oAuth2 server-side authentication and grantOfflineAccess() outlined here .
Given that there are no implementation details posted, i can't tell if the fix I found will apply to your situation.
The correction I found... so that the authentication only asks the user to grant the first time they sign into the app was to explicitly specify the "prompt" attribute when calling getOfflineAccess().
var auth2 = gapi.auth2.getAuthInstance();
auth2.grantOfflineAccess({
prompt : 'select_account'
}
).then(signInCallback);
https://developers.google.com/identity/protocols/OAuth2WebServer#offline
Check Step 1 prompt parameter
I made a members-only site that uses Google oauth2 to authorise users. The site is built with the Laravel framework and Artdarek's oath library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.ge. a#gmail.com). The next day he returned and mistakenly tried to login with b#gmail.com. Naturally the system showed him the registration page. From that time on each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to logout of all accounts (on both sides), clear cookies and start from scratch but this is not a practical solution for all users. In same cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done. - if they logged in with a#gmail.com at that time, these are the credentials you will receive.
They way I solve this problem is to have a field where the customer can add additional emails, and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
I am using Google Admin SDK Directory API to create users and using Service account I am able to perform CRUD operations on them.
I have a requirement whereby I have to check the credentials of users created using SDK.
When you fetch the users the password is not returned, hence comparison cannot be done.
I'll really appreciate if someone lets me know what would be effective way of approaching the checkCredentials function.
Thanks.
Google does not ever return the value of the password. That would be a monumental security risk.
See their documentation in regards to the user resource used in the directory API. It specifically states that the password field is never returned. It can only be used for setting the password.
If your requirement is too check creds on a newly created user, you should look into trying to login as the user with the password you just sent, using the google auth Apis
At the moment, the only solution I've found is to simulate the user login flow with a fake browser (Apache's httpcomponents-client for Java for example) pointing to Google Account ServiceLogin.
I am newbie developer in mac development. What I need to do is create an authentication dialog when the user clicks the Print button in any application.
I need to store the username and password for 1 hour (to avoid authentication all the time) but this should be deleted when the user logs out from the machine.
What I am thinking is to use NSUserDefaults to store the data, and create a logout hook to delete this data. Is this the proper way of doing this?
Use Authorization Services. It sounds like your app fits the "Simple, Self-Restricted Application" model described in the guide.
When you create your authorization right, use the timeout attribute to set the length of time that the user's credentials will be cached.