Different behavior on a mobile device? - facebook-graph-api

I'm developing Facebook connect for a forum (vBulletin) and we have a mobile skin which allows mobile device users to use a friendlier style.
This Facebook connect was drafted together without the mobile skin in mind, but now plans have moved to incorporate the mobile skin. What I want to know is: will mobile devices act differently when authenticating with OAuth, and if so, how will they act differently?
Looking forward to your responses.

Same API methods etc.
See here:
http://developers.facebook.com/docs/guides/mobile/web/

Related

Will Facebook's manual login flow allow a mobile webview to automatically launch Facebook's native app?

I've successfully implemented Facebook login with their JavaScript SDK but was hoping that when used on mobile, the native Facebook application would launch. Will going through the manual flow here allow this behavior? This question seems to say otherwise but was vague.
I want to avoid using Android and iOS mobile SDKs because my situation is basically an OAuth within an OAuth and it would get messy. Any other approaches people think could work like redirect URIs or other OAuth magic would be really appreciated.

Securing a mobile rest api (Invoked from Mobile APP)

I am designing a REST API that takes a card number and CVV and uses that to check the card balance and other details. We have the HMAC encryption, Device Identifier recognition and SSL header validations and all that security in place.
However, the issue is that the call is going to be invoked from a mobile app, which can be easily reverse engineered to get the code. Once someone has the code they can write a bot to fish (brute force) for a legitimate card number/CVV combination.
So in order to lock down the API I am planning to use a captcha (mobile friendly) like FUNCaptcha. However, Apps DEV rejected it, saying webviews (iOS, Android) are not safe and can be exploited using MITM attacks etc. since it is JavaScript based.
Can someone give me some ideas on how to tackle the problem? I need to secure the API from bots and other automated processes. The only way to do it is via a captcha, but it seems on mobile devices the webview is a bad idea.
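The point the question circles around is that anything the app does (HMAC, device identifier) can be replayed by a bot built from the reverse-engineered app, so the control that actually stops card/CVV enumeration has to run on the server. The following is an added example, not code from the question or from any product mentioned in it: a server-side failure counter that locks out a device after a few wrong CVVs and, independently, locks out a card number that is being probed from many devices. Thresholds, class and method names and the card store are all constructed for illustration.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed thresholds for illustration; tune them against real traffic.
DEVICE_LIMIT, CARD_LIMIT = 5, 3       # failed lookups per device / per card before lockout
WINDOW_SECONDS, LOCKOUT_SECONDS = 600, 3600

def _key(kind, value):
    # Key on a one-way hash so the raw card number never sits in memory or logs.
    return (kind, hashlib.sha256(value.encode()).hexdigest())

class LookupGuard:
    """Server-side throttle for card/CVV balance lookups. A bot built from a
    reverse-engineered app can reproduce every HMAC and device check the app
    performs, so the failure counting has to live on the server, out of its reach."""

    def __init__(self, valid_cards, clock=time.time):
        self.valid_cards = valid_cards      # constructed {(card, cvv): balance} stand-in for the backend
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of failed lookups in the window
        self.locked_until = {}              # key -> time the lockout ends

    def _limits(self, device_id, card_number):
        return ((_key("device", device_id), DEVICE_LIMIT),
                (_key("card", card_number), CARD_LIMIT))

    def _record_failure(self, device_id, card_number, now):
        """Count one wrong CVV; lock the device and/or card once a limit is hit."""
        for key, limit in self._limits(device_id, card_number):
            q = self.failures[key]
            while q and now - q[0] > WINDOW_SECONDS:   # drop failures outside the sliding window
                q.popleft()
            q.append(now)
            if len(q) >= limit:
                self.locked_until[key] = now + LOCKOUT_SECONDS
                q.clear()

    def check_balance(self, device_id, card_number, cvv):
        """Returns 'locked', 'denied' or the balance for a correct card/CVV pair."""
        now = self.clock()
        if any(self.locked_until.get(k, 0) > now for k, _ in self._limits(device_id, card_number)):
            return "locked"
        balance = self.valid_cards.get((card_number, cvv))
        if balance is None:
            self._record_failure(device_id, card_number, now)
            return "denied"
        return balance
```

The per-card counter is the one a captcha cannot replace: it catches a distributed bot that rotates device identifiers, and it keeps working whether or not the client code has been read.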

Authentication using Glass

We have an existing Android and iOS application that consumes a REST API from our servers. The API provides a token to authenticated users after they log in using their credentials (username/password combo) from the mobile applications.
Now, we're planning to create a Google Glass application for the same. In this case, we'd like to use the existing REST API along with Glass also. The Glass app will be built natively using the GDK.
My concern is: how would the users be able to input credentials? Users may have signed up for the service using non-Google accounts.
Many thanks in advance.
At the moment, there is no supported way for apps made with GDK Early Access to authenticate the user or provide a way to connect the Glass account to your auth system. The Glass team has indicated such methods are coming, however - the Strava Cycling app, for example, does this, and it is expected that a similar feature will become widely available as the GDK matures.
Strava Cycling appears to get its credentials at the time you set up the app through MyGlass. When you turn it on, it redirects you to a website to log into Strava's service before completing the install.
I just gave a talk on this exact topic at Wearables DevCon. The solution I proposed is purely done through GDK. All the user has to do is sign into their Google Account on a phone/tablet/computer and enter a code that is shown on Glass.
Check out the slides here:
https://docs.google.com/presentation/d/1NepYwlKdEvLV0QH9ix2I8l-JY1kHjBR9AXKBNpgTI6g/edit
And the code here:
https://github.com/victorkp/GlassWebNotes
The latest Glass release (XE16) publishes the remote authentication API for apps distributed through MyGlass:
https://developers.google.com/glass/develop/gdk/authentication
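The "sign in elsewhere and type the code shown on Glass" approach from the answers above, sketched as an added server-side example. This is not the GlassWebNotes code and not Google's remote authentication API; the class and method names, the code alphabet and the lifetime are assumptions. Glass asks for a pairing, displays the short user code, and polls; the web page, once the user has logged in (with Google or with the service's own accounts), calls approve and the poll then returns the same REST API token the phone apps use.

```python
import secrets
import time

# Letters that are easy to read off the Glass display and hard to confuse (constructed choice).
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"
PAIRING_TTL_SECONDS = 300

class PairingServer:
    """Pairing flow: Glass shows a short user code, the user signs in on a
    phone/computer and types it, and Glass polls until the API token is issued."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # device_code -> pairing record
        self.by_user_code = {}  # user_code -> device_code

    def start_pairing(self):
        """Called by the GDK app. device_code stays on Glass; user_code is displayed."""
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
                             for _ in range(2))
        self.pending[device_code] = {"user_code": user_code, "token": None,
                                     "expires": self.clock() + PAIRING_TTL_SECONDS}
        self.by_user_code[user_code] = device_code
        return device_code, user_code

    def approve(self, user_code, authenticated_user):
        """Called by the web page once the user has logged in (Google or your own accounts)."""
        device_code = self.by_user_code.pop(user_code.strip().upper(), None)
        record = self.pending.get(device_code)
        if record is None or record["expires"] < self.clock():
            return False
        record["user"] = authenticated_user
        record["token"] = secrets.token_urlsafe(32)  # same REST API token the phone apps receive
        return True

    def poll(self, device_code):
        """Called repeatedly from Glass. Returns ('pending'|'expired'|'ok', token); token is handed over once."""
        record = self.pending.get(device_code)
        if record is None:
            return "expired", None
        if record["token"] is None:
            if record["expires"] < self.clock():
                del self.pending[device_code]
                self.by_user_code.pop(record["user_code"], None)
                return "expired", None
            return "pending", None
        del self.pending[device_code]
        return "ok", record["token"]
```

The user code is the only value an outsider could try to guess, so in a real deployment approve() also needs a per-session attempt limit, and the token itself never travels through the browser.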

How to deal with OAuth callbacks to non webservers?

I'm currently building an OAuth2 server so that external clients/devices can access data from my service without having to send over user credentials with every request. I've finally grasped how OAuth works after spending an entire day reading numerous tutorials and online documentation; however, there's still one thing that I'm rather unsure of...
When sending a request for an authorization code to an OAuth server, how should I deal with a callback to mobile devices and devices that aren't a webserver?
E.g. this request to my OAuth server will send an authorization code as a callback to a specified webserver (http://client-url.com in this case):
http://mydomainname/oauth2/?client_id=test&grant_type=authorization_code&client_details=test&redirect_uri=http://client-url.com&response_type=code
The server at http://client-url.com will receive a response containing an authorization code and the developer will be able to store a user's OAuth credentials accordingly.
Obviously a mobile device isn't a webserver, so is there a standardised way of dealing with this? I've read online that you can define something called a custom URI scheme within iOS and Android apps. But what about the other mobile platforms out there? And desktop apps? I want my API to be accessible from as many platforms and devices as possible.
The reason why I'm asking this question is because I want to add validation to my OAuth server so that users can only register apps with valid callback URLs. I wasn't sure if I should allow any other type of input as a callback apart from a valid URL.
Can anyone shine any light on this? I want to avoid spending hours validating and testing this across all devices as I'm sure anyone that has developed for multiple mobile platforms in the past must have some knowledge about this.
Thanks in advance.
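The validation the question asks about, as an added example (not the asker's server code): at registration time the server accepts an https URL, a custom scheme of the kind iOS and Android apps register, or a loopback http URL for desktop apps; at authorization time it requires an exact string match against what was registered, with the port ignored only for loopback. Function names and the policy choices are assumptions, in the spirit of RFC 8252's guidance for native apps.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}  # loopback redirect for desktop apps (RFC 8252)

def classify_redirect_uri(uri):
    """Registration-time check. Returns 'https', 'loopback' or 'custom' for an
    acceptable redirect URI, or None when the registration must be refused."""
    parts = urlsplit(uri)
    if parts.fragment or not parts.scheme:
        return None                       # fragments never reach the client; relative URIs are ambiguous
    if parts.scheme == "https":
        return "https" if parts.hostname else None
    if parts.scheme == "http":
        # plain http is only acceptable on the local loopback interface
        return "loopback" if parts.hostname in LOOPBACK_HOSTS else None
    # Custom scheme for iOS/Android and other native apps: insist on a
    # reverse-DNS style name (com.example.app) rather than a short generic one
    # that another app on the same device could also register.
    return "custom" if "." in parts.scheme else None

def redirect_uri_matches(registered, requested):
    """Authorization-time check: exact string match, with one exception for
    loopback URIs, whose port may differ because native apps bind an
    ephemeral port on each run."""
    if classify_redirect_uri(requested) is None:
        return False
    if registered == requested:
        return True
    if classify_redirect_uri(registered) != "loopback":
        return False
    reg, req = urlsplit(registered), urlsplit(requested)
    return (req.scheme == reg.scheme and req.hostname == reg.hostname
            and req.path == reg.path and req.query == reg.query)

def find_registered_uri(client_redirect_uris, requested):
    """Return the registered URI the request matches, or None. On None the
    server must not redirect anywhere; it should render an error page instead,
    so that the authorization code never leaves for an unregistered destination."""
    for registered in client_redirect_uris:
        if redirect_uri_matches(registered, requested):
            return registered
    return None
```

Exact matching is what makes the validation worth having: a prefix or substring match would let a sibling path or a look-alike host on the same registered domain receive the code.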

Are there benefits of using OAuth for your own service if you don't intend to share it?

I have a REST API that will be accessed from mobile clients and a web application. I would like to use OAuth for it. Not necessarily for the resource sharing aspects (it will just be for our application right now) but because of the standard it provides for how to tokenize and sign requests.
My questions:
Is this a sane use of OAuth?
There are quite a few posts on here discussing the issue of having to store the client secrets on the mobile devices, but is that really an issue in this case since I own the service too?
Is there any reason to give each client their own secret? This is normally used for access revoking, but again, I control the service and could just disable their user account.