I am building an app with social login. One of the requirement for the local created accounts is that the user is forced to use 2FA.
Using Facebook's api with a valid client app how do I check if the user who just signed up is not reckless and use 2FA ? (Wondering the same thing with google too).
Related
I am developing web platform which has to have 3 type of users (user, admin, partner companies). For the authentication I am considering to use google Identity platform with multitenancy (probably users in one tenant and admins are in different tenant).
As I understand from documentation, how do we integrate identity platform to our application is to create identity platform provider from console and integrate it into frontend with UI. From front-end, without contacting backend service we can sign up, login and logout by calling firebase SDK and it will give us authentication token. From backend I can check that token with middleware and decide if I agree the user as authenticated or not. Correct me if I am wrong.
Then I can get some metadata of authenticated user from the token, maybe email or name etc. But I want to store user related information on noSQL database as well. For example, if user wants to change his email I need to handle it in backend server, also, I'd like to store users log (access and audit log on somewhere else). In case of, I am using frontend UI and SDK how do log the access and audit information on my backend? also, when changing user's information, do I just write handler function in backend end update user's data with REST API or Admin SDK? what is the best practice over here? Or should I better write my own login and logout function on my backend then call REST API or Admin SDK? is there preferred way? Google is showing me only integration way of authentication from frontend?
BTW, I am deploying backend application on google cloud run, and frontend would be developed in react and should be deployed maybe in firebase or in cloud run as well.
Thanks
As per the Documentation,Yes your understanding is correct to integrate identity platform to the application.
You can store the user related information on a noSQL database like Firestore or Firebase Realtime Database. You can write the Rest API to change or update the user's information in the database.
If you want to write your own login and logout function, I don’t think it is necessary because Firebase Admin SDK provides these features. But if you want to manage user authentication in the backend for specific requirements, you can write your own login and logout function on the backend and use the Firebase Admin SDK.
For access and audit log information you can use Firebase Analytics, Firebase Analytics helps you understand what your users are doing in your app. It has all of the metrics that you’d expect in an app analytics tool combined with user properties like device type, app version, and OS version to give you insight into how users interact with your app.
But finally, the best way would depend on your requirements and use case.
My question is how a 3rd party developer would login users through my Identity Platform? I looked at the documentation but found nothing.
Essentially I want to use Identity Platform as an OIDC Provider, but I don't know if that's supported.
Cloud Identity Platform is based on Firebase Auth product (literally because the documentation and the Javascript to add are still in Firebase perimeter!).
This product allows you to delegate the authentication to a third party, either Firebase auth if you use login/password authentication, or to connect Identity Provider (IdP).
There is several built in IdP like Google, LinkedIn, Facebook, Twitter,... and you can add custom Auth0 provider (SAML) and OAuth2 provider (OIDC).
The platform only allow you to perform an authentication and then redirect the user to YOUR app. Then, it's to YOUR app to ensure the correct authorisations and roles of the user.
All of this for saying to you:
Think about firebase Auth feature: originally, it has been designed to authenticate user that wants to connect to Mobile App, on Android. Today it's the same thing but, in addition, for your web app
It's designed for YOUR application with YOUR roles and authorisations. By the way, if your target is to allow your 3rd party developers to log into Google Cloud console thanks to this authentication mode, it's not possible.
But, stay tuned, awesome things are coming soon on this field
John is right, more details would help. But if I had to guess you are referring to the fact that Google Cloud Platform IAM does not handle Identity part only authorisation. You could, however use G Suite or Google Directory Sync (which can integrate with LDAP server or Active Directory.
You can refer to the link below which shows you how you can integrate with OIDC:
https://cloud.google.com/solutions/authenticating-corporate-users-in-a-hybrid-environment
I am looking for a solution to integrate Google Cloud Identity into an existing project. The idea is that there are two applications - old and new one. Within old application the users are right now logging with username and password, within the new one I plan to introduce GCI.
Is there any way to have backward compatibility with the old application authorization model while having already Cloud Identity established in the new app?
The problem is that user is supposed to be able to authorize both in old and new applications and I can't think of a solution that would not force me to change authorization model in the old application which I would really prefer not to.
After thorough research I came to a conclusion that the best way to integrate classic authorization by username and password with Google Cloud Identity would be thanks to Firebase.
Firebase Authentication supports password authentication in addition to federated sign in with Google, Facebook, Twitter, and more, allowing you to easily scale your authentication system as you grow on desktop and mobile. Apart from that Firebase is also provided out of box when using Google Cloud Platform.
Using Firebase I will be able to implement simple login with username and password in the old app and use Google Sign In within the new app.
Once user is logged-in to any app he should not be asked for credentials for any other app. Sharing a single access-token stored in local storage seems a default but somehow bad idea. In case of Google apps on Android/web it surely does not use this solution, how do they do session sharing across apps implicitly?.
I am using AWS Cognito, it provides a User Pool in which I can have multiple apps registered to use the pool. Is there a way to get access token for a user request (without credentials like password) coming from a different app since the user is already logged in to pool via previous app login-request?
We‘re also trying to create a SSO experience for our customers across all our apps so that they only have to login once and get access to all apps.
AWS has a repo for that and it also might be interesting for you:
https://github.com/awslabs/aws-amplify-identity-broker
Currently, we‘re making a POC if it works out, but basically you need to proxify the cognito API‘s with your custom OIDC compliant endpoints.
I'm running a Django app, and I'd like to make a Chrome extension to allow users to post content. My users can sign in via Twitter, Facebook, and Google (via python-social-auth). I presently do not require accounts to have passwords, so there's no way to log in outside of the oAuth2 methods. How can I authenticate users in the Chrome extension to allow them to post?
The workflow would be something like this:
Install Chrome extension
Authenticate with my site, which has no password-based user accounts
Interact with my API (w/ authentication also via separate oAuth2 consumer, presumably)
I was able to read the user's session cookie from my site's domain and interact with my API w/o a problem.