I have bit of a confusion here, I am working on an android application, with PHP backend. I use other AWS libraries for most of the tasks but transactions and etc I kept for backend. I use retrofit for handling PHP api calls and responses. I am quite confused here, is there any way where I can determine cognito identity id of user making request to my web API using PHP? Using API gateway I will be able to restrict access only for logged in users, but determining their identity is receiver API is quite confusing for me.
Update :
I do not wish to use API gateway in any term. It's buggy most of time requests times out. Server provides better performance for current situation.
Any clue or help will be very appreciated.
Since you already have a user database, you will need to use "developer" identities in Cognito.
You need to create an "Identity Pool" in the "Federated Identites" section of Cognito.
From there you register a "Custom" authentication provider.. Basically it's a string that you will associate your users ID with...
Then you will use the CogintoIdentity->getOpenIdTokenForDeveloperIdentity() method to sign in your users in amazon.
You will be returned an IdentityID and an OpenID session token that you can send to STS to get temporary credentials to the AWS API... you can also use this new identity to create datasets associated to the Identity with CognitoSync
$cognitoIdentityClient->getOpenIdTokenForDeveloperIdentity([
'IdentityPoolId'=>'Your Pool ID',
'Logins'=>[
'your.custom.provider.string'=>'YOUR USER ID'
]
]);
EDIT:
After obtaining an IdentityId... In my mobile application, I use custom HTTP Headers to send over the IdentityId, and also the User ID and use "lookupDeveloperIdentity" method to validate the user on the server side.
$cognitoIdentityClient->lookuoDeveloperIdentity([
'IdentityPoolId'=>'Your Pool ID',
'DeveloperUserIdentifier'=>'{X_HTTP_USER_ID}',
'IdentityId'=>{X_HTTP_COGNITO_IDENTITY_ID}
]
]);
Related
I am trying to add a record (contact) to the ZOHO database using their API after submitting an order.
This requires an authorization token with a validity of 60 minutes which I can generate with a grant token, but which I can only generate with user interaction (GET). Is there a way to get a grant token without user interaction?
Maybe I'm just stupid, but why does adding a record to my ZOHO database require interaction from the user who orders my product.
Maybe I'm just stupid, but why does adding a record to my ZOHO database require interaction from the user who orders my product.
No, ZOHO requires a token from a third-party resource (your site, application, etc.). Since all records are stored and processed on ZOHO servers, access to it must be controlled.
ZOHOs give a SDK, what help refresh token automatically.
Maybe this and this help you
I'm Creating a custom User Management system, involves all the App data to be on application server, but the phone should be authenticated by firebase. When New User Register on System, Firebase Phone Authentication takes place. On successful authentication from firebase, Registration Data goes to Server via API. Now the Problem is, how do I check server side that the phone number is authenticated by firebase or not? If I allow registration without server-side firebase auth validation, API Request can be spoofed by someone. I'm currently using kreait/firebase-php ^4.18 Firebase SDK for PHP.
The Flow I'm Using Right Now is Demonstrated below and the flow I want to implement is also can be given as,
Update 25/09/2019
The library Kreait\Firebase helped to achieve to implement flow as given in answer by #jeromegamez in the accepted answer, However, the Kreait\Firebase does not support the idToken validation for ios device.
IOS device has google idToken rather having firebase IdToken and hence Kreait\Firebase failed to validate it. Brief issue is given in Firebase IOS idToken invalid kid Exception in the backend while verifyIdToken in Gmail Auth post.
The Firebase Rest API has the method for that.
On the device, after the user is authenticated and you have the User object, to get the token for verification, you can call
with Android - getIdToken()
with iOS
Swift - getIDToken()
Objective-C - -getIDTokenWithCompletion:
with JS (web or other platforms) - getIdToken()
with React Native - getIdToken()
and bunch of other platforms in the docs
Then, with that temporary id token, you can send a POST request to https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=[API_KEY] (API_KEY being the "Web API Key" of the Firebase project) to get the user info, which will include the phoneNumber of the owner of the token.
Thus you can verify server-side that the owner of the token has that specific phone number.
When a user successfully authenticates with their phone number for the first time, the phone number is stored in the user's record in the Firebase Auth User list and can be considered verified.
Once a phone number is associated with a user in your Auth database, you can be sure that
the phone number is valid
the phone number has successfully been used to authenticate the user at the point in time the number has been associated with said user
the phone number cannot be associated to another user
You should not assume that this phone number is now "verified". As stated in the official Firebase documentation pages:
Security concerns
Authentication using only a phone number, while convenient, is less
secure than the other available methods, because possession of a phone
number can be easily transferred between users. Also, on devices with
multiple user profiles, any user that can receive SMS messages can
sign in to an account using the device's phone number.
If you use phone number based sign-in in your app, you should offer it
alongside more secure sign-in methods, and inform users of the
security tradeoffs of using phone number sign-in.
Source: https://firebase.google.com/docs/auth/web/phone-auth#security-concerns
PS: The only other way to add a phone number to a user is through an Admin SDK, and here it's your responsibility to ensure that the phone number belongs to a user.
PSS: As far as I know (and checked), the Firebase REST APIs don't expose a "verified phone number" information.
I am a beginner in php. I want to integrate Teamwork API on my web page. I have already checked how to call different methods of teamwork API and what will be the JSON response of them by using developer.teamwork.com.
Now, I am a bit confused that if I use my API key in the GET request as described on the api documentation then the response contains info related to my account. Actually, I want the user to login to his/her teamwork account through my web page and I will retrieve the info regarding their projects on the web page.
So, as far as I understand, I will need to ask for user's API key of his/her teamwork account to display the info on web page. But then it's not a good approach to solve the issue. Is there any other way? Is it possible that user provide their username and password to login and get the account details?
If you use your own API key, then you will get your own information, the api key is connected to the information they have about you.
The key is a certificate about who you are and that you have the right to see the information stored.
As far as i can see teamwork.com have account and billing information in their care, and i would be worried if they shared that information to anyone without special access, such as the API key.
Depending on what you do i would consider the approach you are using, (unless teamwork have some kind of solution for it), making other people share their api key with you could be considered a security breach that could expose sensitive information, in the unfortunate case where you are not able to keep it secure, or where a customer find's you unreliable and prioritize their security over the benefit of your product.
I am interested in expanding a Laravel 4.2 web app into the realm of mobile apps, allowing simple things such as the ability for existing users to sign in (but not sign up) and receive push notifications (simple at first for beta testing). I am very intrigued by Parse.com for their push notification capability but do not want to have to manage two sets of users - Parse and Laravel. Further, this app will be locked down to subscribers - it cannot be a free for all when it comes to user registration.
On the feature list for Parse Core it mentions connecting users via "traditional logins" but I cannot find an example of this anywhere. By "traditional login" do they mean sending a username and password to a remote back end? Or is that their way of referring to logging in with Parse users? Is it possible to connect Parse to a remote API such as my Laravel project (something along the lines of sending POST data with username and password and returning an auth token)?
I'd appreciate any advice on this or links to tutorials/documentation/etc. I have searched quite a bit and cannot seem to find anything.
Thanks!
You can use any of the SDKs to login a user either using a username/password or using Facebook.
Android login
iOs login
REST login
I would suggest you log the user in on the client device so that their device is registered to allow push notifications.
You can also use the REST API in your server code to do other things, such as creating the User and sending push notifications.
You can use Roles to limit things, e.g. create a "Subscriber" role and set permissions based on that Role.
I was following these articles: Verifying Back-End Calls from Android Apps and Stopping Vampires using License Verification Library (from 24:57 to 25:34) to implement an In-App Purchase verification system for our Android apps.
I am a bit confused about how this works end-to-end and what we can assume about the generated token from calling GoogleAuthUtil.getToken() with the first email address found--when AccountManager returns more than one account. My questions are as follows:
Should we assume that any e-mail address used by the user to buy our
app will generate the same token (i.e., same user + app ==> same
token)?
If the answer to question 1 is no, is there a way to launch in-app
purchase for a particular account/email?
It looks like Google is picking the first e-mail address returned by
AccountManager for its in-app purchase dialog. Can we assume that
this won't be changed by the user after in-app purchase dialog is
launched? How do we find out if this changed after the in-app
purchase returns?
What should we store in our database to identify this user? Is email
address and/or token allowed? When does the token expire?
The java-client library looks very promising and powerful at first
read. But, a number of things remains confusing. Is there an article
that describes the end-to-end scenario--from an app initiating a
call to a back-end server through launching the in-app purchase
dialog, getting the result and closing with commits on the server?
What articles are the most useful for accomplishing this on Android?
The main issue we are trying to solve is to to get the full picture.
We've gotten the idea that we can avoid requiring userid/password by using the java client features and using tokens. We have registers our project (both the web app and android app on the same project) per the instructions for Google API Console. We have the php java-client for Google Play Service on our back-end server. We got our Android app to generate a token using the first email address and then call the in-app purchase dialog and handle the user response at the end of the dialog. We've got the parts. Now, we need to glue everything together. We are at the point of integrating with the back-end server. E.g., What is Redirect URi supposed to point to in our server? We've got a php url that we do http post messages to for our server app. We've included the code example for Google API client example--with client-id, secret, simple api key, etc. filled in--as an include to our php. But, what should we put in the redirect uri (we are missing a usage instruction for the example code)?
Also, we want to avoid having the e-mail used for the in-app purchase be different from what we log on our server database as the address the user used to buy our app; if the address is the correct thing to track, we want it to be the same as what was used for the purchase. This could be frustrating for our user if we make this mistake and prevent them from the features they paid for. We don't want to make this mistake and need some clarification on how Google Play Service works. If we initiated the server part of the workflow to get app Nonce / Payload / Credentials for the first e-mail address on the Android device, we would want that address to be used throughout the workflow. If the user changed this along the line, we want to be aware of this and gracefully recover. So far the articles have been helpful but incomplete. Any insight/suggestion is appreciated.