I've only known how to use the authorization URL to have a user connect their account to my website. Is there a way to do this authorization via an HTML form? For instance, the user inputs their Google email and password on my website and it authenticates that account without them ever having to sign in and out of accounts on Google and then visit the auth URL.
The reason for this is to connect multiple Google accounts to one account on my website. It would be a huge pain to ask them to log in and out of Google for every single account they want to attach. It'd be a lot better for the user experience to just type the info in a form on my site and have it authenticate. Is this possible in PHP or in any language?
This is a bad idea, do you really want to be responsible for user's Google password? Do you think users will trust you with that information? I know I wouldn't and I'd be highly suspicious that your sight is a phishing scheme with that behavior implemented.
Use OAuth 2.0 or OpenID instead and save yourself the headache of dealing with user passwords.
Related
I have a problem to find the right way of implementing a login service.
First my environment:
An Android or IOS APP
My own web-api in PHP
Now the users have to login to get specific data from the api. So I have to check if the user is logged in with the API.
First i thought I could do this with JWT (JSON Web Token). But users with existing Google or Facebook account should also login to my side.
Is there a way to implement the login in PHP (the API site)? The most examples to login with Google or Facebook are simple Websites and not an APP with API.
How could I implement this login system?
Some time ago I thougt I could use GIT (Google Identity Toolkit). But now they switch to firebase and the website only contains examples for Webapps and Android/IOS.
Is there a common technique to do a login system like mine?
Do I have to implement OAuth2?
Oh. Besides the Google/Facebook login, there sould be a way to login with email and password.
I'm a little bit confused. It can not be, that I'm the only one with this problem. Or do I am a blockhead?
Yes, it is posible and it is well documented on the API's page.
For Facebook login, you can check this link.
For the Google's case, you should check this link
Side note: I know that I should quote the relevant parts of the link, but there are too much steps to follow, specially on the Google's case, so I haven't done it to avoid a huge block of quotes.
Solution:
Implement the Login in the Android- or IOS-App and get there the access token. Now send this token to the API. There you can check it and to everything you want with the Facebook-/Google-API.
I'm using several social providers on my site, including Google. I would like to ask for password to Google account each time user requests one of my actions. This is for security reasons.
With Facebook, we can send auth_type=reauthenticate parameter. Is there something like this in Google API?
I'm not looking for refreshing tokens, I need to make sure user types his password at any state: whether already authenticated or not.
I read your posts and I can relate to your frustration on this matter (including some of poor responses inline above).
You want to be able to prompt users to reauthenticate with Google in order to prove that the user behind the computer is indeed the account holder. Having required similar functionality myself, I've concluded that they do not implement it. This creates a problem of trust for an application that relies on a Google login for access, but also provides some destructive functionality which should require a reaffirmation of the identity of the user. Wish I had better news for you.
Having implemented this feature with Facebook's API, I was certain Google would provide similar since it's so essential to security, however they don't.
I have a couple of questions regarding facebook integration and authentication in my social networking iOS application.
First of all, Users of my application are required to create an account and login before any content is available to them.
I have a separate backend system, so regular account registration inside my application is supported. When a user is logged in to an account he or she is supplied an access token which is used for future backend-requests, such as image-uploads.
Secondly, A user can choose to log in with Facebook, and thereby acquire an access token from the successfully opened FBSession.
This leads to my first question: How do I use the access token acquired from Facebook to authenticate my users with my backend system? Should I send the acquired token to my backend and have the system use that token for this particular user until further notice, or is there another way to go about this?
--
Now lets say that I solved the problem in the first question...
My second question: Imagine that a user created an account and logged in the normal way (i.e. without facebook) The next time that user wants to use the application, he or she chooses to log in with facebook. Now, In my backend-system, how would I know that these two users are the same, connect them and thereby be able to load the same content for both cases? Is it even possible to have hybrid accounts that supports double logins like that? A regular registration only requires email, username and password, so I cannot think of a way to determine that a facebook-loggedin-user is the same user as a normal-loggedin-user.
I Hope the above makes sense.
The only way to unite the two memberships is to use a common link as a username or identifier such as email. I am sure fb, google, yahoo and others relay the users email account information. Your database should allow for storing your user's email address. The hurdle then becomes what do you do when user login with facebook then the next day using gmail that's when it gets tricky and you have to implement some mechanism for those accounts to be linked.
A regular registration only requires email, username and password
In that case, you can ask the user to grant the email permission to your app. So, by matching both the emails (since, a regular registration requires email) you can determine that this facebook-loggedin-user is the same user as a normal-loggedin-user.
But yes, in some cases(very less) you might not be able to fetch the email (Register with Facebook sometimes doesn't provide email); but then, the registration process won't be completed- so that's not an issue I guess.
I have made a API script for my website, so people can login from another website.
It's using PHP cuRL to POST data to my website.
I'm using a api key (md5 hash of the website) to verify the website with my MySQL database.
But when someone is using my API Client (PHP cURL), they also can save the username's and passwords of my user's.
How can i prevent this?
You might want to consider using OAuth. It's designed for exactly what you want to do.
I someone is typing their username and password onto a website other than your own, there is no way for you to prevent the owner of the website from capturing it...
What you'll want to do is have your site generate a secure set of credentials for the users account, similar to a username/password, but only to be used by the API. Also, prevent this new set of credentials from having the ability to do things like delete the user's account or change email address.
Also, give the users the ability to have their API credentials changed if they want (in case a third party gets it and the user no longer wants them to have access).
I am currently working on Contact Importer web app (in PHP) so I will be able to grab email address from a user's account on Gmail, Yahoo, etc and use them for my own evil purposes. Just kidding, my web app is very friendly.
I thought I would start with Google. I found they have a fantastic little API called Google Contacts API which lets a programmer, like myself, to access a user's contacts.
After a couple of hours of struggling and throwing shitty code together, I ran into a few road-blocks. My main question is this:
Is there any way that I can have a user provide their username and password for Gmail on my website and have my code retrieve the contacts without that nasty redirection to a Google login page? It's kind of ruins the whole flow of my web app.
I've looked into AuthSub, and gotten that to work, but of course the catch is that you have to redirect the user to obtain the access token. It looks like OAuth will have this same catch.
The one ray of hope I have is the ClientLogin method of authentication. Again, there is a catch, sometimes Google throws you a CAPTCHA instead of the auth token. Again, the user flow is ruined.
I've noticed that our good ol' friends over at Twitter have it working just fine. Does anyone know how they do it?
Thanks!
I think you've identified a feature, not a bug. The whole point of OAuth is to prevent users from typing their passwords into third-party sites like yours: this way they can learn to only type their Google password when they're looking at a Google login page and not have to trust that you won't store their password and use it to read all of their email.
It does provide a small interruption in the flow of your web app, but OAuth generally provides a callback so that it shouldn't really be a large disruption. In exchange, your users can feel safer and you can avoid any issues of having to store (and then dispose of) user passwords.
In short, I don't think you'll be able to get around this. It's true that Twitter does currently allow it ("Basic Auth", where the username and password are sent directly), but that feature is planned to be deprecated by this summer.