Force permission on Google OAuth consent screen - frontend

I am currently developing an app which allows Google sign-in. We are asking for permission to access the users' contacts (for invitations) and agenda (to create events).
Our app has been validated by Google a few weeks ago.
The main issue is that we would prefer to require our users to grant permission to access their accounts during the sign-in process, but we have a (rather long) list of checkboxes that the user must manually click on, which is really bad UX.
I understand the privacy reason for that behavior, but I know that it is somehow possible, since I've tested that on another app myself (see below).
Google support is nonexistent on that subject, and the resources I found here or elsewhere are either deprecated or don't answer the question.
Have some of you encountered the same problem and fixed it?
Thanks a lot!

These checkboxes are due to the granular account permission change added in 2018. They are there to give the user the option to accept or reject your request, and cannot be turned off.
You can read up on this in the original Google Developers blog post.
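Since the user can untick any box, the practical consequence for the frontend is that it must read back which scopes were actually granted rather than assume all of them were. The following is an added example, not code from the question, the answer or Google: it parses the space-delimited `scope` field of an OAuth 2.0 token response, maps it to feature flags, and builds an incremental-authorization URL for whatever is missing. The two scope URLs, the feature names, the client ID and the sample response are assumptions made for this illustration.

```javascript
// Added example: handling partial consent from Google's granular OAuth screen.
// Scope strings, feature names and the sample response are assumed/constructed.

const CONTACTS_SCOPE = "https://www.googleapis.com/auth/contacts.readonly";
const CALENDAR_SCOPE = "https://www.googleapis.com/auth/calendar.events";
const REQUIRED_SCOPES = [CONTACTS_SCOPE, CALENDAR_SCOPE];

// Which app feature depends on which scope (feature names are made up here).
const FEATURE_BY_SCOPE = {
  [CONTACTS_SCOPE]: "inviteContacts",
  [CALENDAR_SCOPE]: "createEvents",
};

// Constructed sample token response: the user ticked the calendar box but
// left the contacts box unticked on the consent screen.
const SAMPLE_TOKEN_RESPONSE = {
  access_token: "ya29.constructed-sample",
  token_type: "Bearer",
  expires_in: 3599,
  scope: "openid https://www.googleapis.com/auth/userinfo.email " + CALENDAR_SCOPE,
};

// The `scope` field is space-delimited. A missing or empty field is treated
// as "nothing granted" so the app fails closed rather than open.
function parseGrantedScopes(tokenResponse) {
  const raw = typeof tokenResponse.scope === "string" ? tokenResponse.scope : "";
  return new Set(raw.split(/\s+/).filter(Boolean));
}

function missingScopes(tokenResponse, required = REQUIRED_SCOPES) {
  const granted = parseGrantedScopes(tokenResponse);
  return required.filter((scope) => !granted.has(scope));
}

// Turn the granted set into per-feature flags so the UI disables what it
// cannot do instead of calling the API and getting a 403 later.
function featureFlags(tokenResponse) {
  const granted = parseGrantedScopes(tokenResponse);
  const flags = {};
  for (const [scope, feature] of Object.entries(FEATURE_BY_SCOPE)) {
    flags[feature] = granted.has(scope);
  }
  return flags;
}

// Build an authorization URL that asks again only for the missing scopes.
// include_granted_scopes=true is Google's incremental authorization
// parameter; it keeps the scopes the user already granted.
function reRequestUrl(tokenResponse, { clientId, redirectUri }) {
  const missing = missingScopes(tokenResponse);
  if (missing.length === 0) return null;
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: missing.join(" "),
    include_granted_scopes: "true",
  });
  return "https://accounts.google.com/o/oauth2/v2/auth?" + params.toString();
}

console.log("missing:", missingScopes(SAMPLE_TOKEN_RESPONSE));
console.log("features:", featureFlags(SAMPLE_TOKEN_RESPONSE));
```

The point of the feature-flag step is that a declined checkbox is a normal outcome, not an error: the invite flow is hidden until the user grants the contacts scope, and the re-request URL only asks for that one scope when they try to use it.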

How to detect a returning user to Google Assistant on Android in Dialogflow fulfillments?

I have a running website where users already have accounts, and I am trying to create a Google Assistant agent, accessible on Android, to help users access their information.
My issue is that I can't detect returning users on Android smartphones; each time they have to sign in.
I tried Anonymous User Identity, but it is soon to be deprecated.
Is there another way to keep track of users? Using some kind of userId that I can store, so I can make "my own Account Linking", linking the person/smartphone with already existing user accounts.
There are a few angles to your question.
Is there any way to keep track of users?
Yes... but...
You can store a userId that you generate in the user storage area. You do need to treat this like you would a cookie, so some jurisdictions might impose restrictions on this, but this is one approach to moving from the anonymous ID that is being turned off soon.
But...
How do I let them log into my service through the Action?
That is the problem. The General Policies state the following limitation for collecting user data:
Authentication Data
(including passwords, PINs, and answers to security questions)
Don't collect authentication data via the conversational interface (text or speech).
After a user's account has been linked, PINs or passwords may be used as part of a second verification process.
So you need to use Account Linking to connect to the existing account on your service.
How can I do Account Linking if I don't require Google Sign-In?
You can still use Google Sign-In for Assistant if it will (or may) provide information as part of the profile that matches what you have. So it doesn't need to use the same account, just the same email (for example).
But that still may not be enough.
For other cases, you can look into setting things up to work with an OAuth server that you control.
So why use Google Sign-In if I set up an OAuth server that uses Google Sign-In?
Google Sign-In is good for a more streamlined flow, if you can use it. It can be done completely with voice, such as with a smart speaker, instead of requiring the user to go to a phone to complete the login. So if you have the user's email address in your account system, and you also get this from Google Sign In, then you can connect the two accounts.
In some cases, such as if the user is expected to have logged into the account on your website first, they won't even need to do that. If both the voice client and web client use the same Google project, then authentication will take place automatically.

Permissions and Features

I need to build an app with some specific details, and since I have never worked with Instagram I have no idea if it is possible or not, and also the information that I find in the docs doesn't say much, so I hope someone has had the same experience.
So basically I need to track some analytic information. For example, in my app, for someone to register they need to log in to Instagram and then must follow my Instagram page; I believe this is possible, but then I need to track some information from the users, and that is:
Check if the user is hashtagging my company page (to check which users made more shares or something);
Check which users had more engagement;
Can someone tell me if this is possible to track on Instagram API?
The new Instagram Graph API is very limited: you cannot make the app allow a user to follow, and you cannot access other users' posts to check if they hashtagged or engaged.
All you can do is access only your own posts (if business account), and you can access your posts' comments. You can also get the last 24 hours of a hashtag, but no user info is given.

Should user accounts be disabled if Facebook is the only login method

I've read about security best practices saying that inactive user accounts should be disabled and even deleted to avoid security issues like unauthorized use. I can see that being true for regular username and password authentication sites, however my application was built to work only with Facebook groups and as such the only way to login or create a new account is to use the Facebook login.
The argument can be made that someone malicious could take control of one of my users' Facebook accounts and then use it to access my application. Although that is true, if they have control of a Facebook account my application would never know it's a malicious person, so I don't see that as a valid criterion to use in determining if the account should be disabled.
Furthermore, if a user is inactive and wants to become active again, since it's Facebook login there really is no reason for them to go through some kind of reactivation process like confirming their email or changing their password.
I must be missing something here because it's certainly mentioned as a best practice to disable accounts but since my only login method is Facebook (OAuth) I can't come up with a valid reason to disable/delete inactive accounts.
Regarding other methods of unauthorized access I have security measures in place so I'd like to keep the answers relevant to the login method.
Please enlighten me if I've missed something.
If you have decided that your application needs to use Facebook authentication, then your system's identities will only be as traceable as Facebook's identity management permits. (And don't expect Facebook to help you by disabling / blocking users at their end ...)
You need to design it accordingly:
Don't make any assumptions that users will behave properly.
Don't rely on login controls to keep out malicious users.
Put in your own (sufficient) defenses against malicious behavior into your own system.
You are correct that disabling an account in your system won't achieve much if you also allow the user to (easily) reenable it. Given that it is easy to create (effectively) untraceable Facebook accounts, the chances are that a typical malicious actor will not just rely on old accounts. They may use a brand new account and connect from an IP address that you have never seen.
There are some things that you could do though. For example, implement mechanisms to do the following:
Make sure that users simply cannot upload dangerous content (e.g. files with trojans, web content with dangerous links or scripts).
Allow administrative locking of an existing account or OAuth identity.
Allow blocking of account creation or access from specified IP addresses or ranges.
Keep an audit trail so that you can watch the history of user behavior.
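The last three mechanisms in the answer fit in one login gate that sits between the Facebook OAuth callback and session creation. The following is an added example, not code from the answer or from any Facebook SDK: it checks an administrative lock on the OAuth identity, checks the client IP against blocked IPv4 ranges, and appends every decision to an audit trail. The locked identities, the blocked ranges and the sample login attempts are constructed for this illustration.

```javascript
// Added example: post-OAuth login gate for an app whose only identity
// provider is Facebook. The lock list, CIDR blocklist and sample attempts
// are constructed; `facebookId` stands for the user id returned after OAuth.

// Administrative state: locked OAuth identities and blocked IPv4 ranges.
const LOCKED_FACEBOOK_IDS = new Set(["fb-1001"]);
const BLOCKED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"];
const AUDIT_LOG = [];

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("not an IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d+$/.test(p) || n > 255) throw new Error("not an IPv4 address: " + ip);
    return acc * 256 + n;
  }, 0);
}

// True when `ip` falls inside `cidr` (e.g. "203.0.113.0/24").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error("bad prefix: " + cidr);
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isBlockedIp(ip) {
  return BLOCKED_CIDRS.some((cidr) => inCidr(ip, cidr));
}

// Decide whether a Facebook-authenticated login may proceed and record the
// decision. Facebook having authenticated the user says who they are, not
// that they will behave, so the app applies its own controls here.
function authorizeLogin({ facebookId, ip, at = new Date().toISOString() }) {
  let decision;
  if (LOCKED_FACEBOOK_IDS.has(facebookId)) {
    decision = { allowed: false, reason: "identity_locked" };
  } else if (isBlockedIp(ip)) {
    decision = { allowed: false, reason: "ip_blocked" };
  } else {
    decision = { allowed: true, reason: "ok" };
  }
  // Every attempt, allowed or not, goes into the audit trail.
  AUDIT_LOG.push({ at, facebookId, ip, ...decision });
  return decision;
}

// Audit trail query: history for one identity, so a brand-new account that
// starts misbehaving is still reviewable after the fact.
function historyFor(facebookId) {
  return AUDIT_LOG.filter((entry) => entry.facebookId === facebookId);
}

// Constructed sample attempts.
console.log(authorizeLogin({ facebookId: "fb-1001", ip: "192.0.2.10", at: "2024-01-01T00:00:00Z" }));
console.log(authorizeLogin({ facebookId: "fb-2002", ip: "203.0.113.200", at: "2024-01-01T00:01:00Z" }));
console.log(authorizeLogin({ facebookId: "fb-2002", ip: "192.0.2.10", at: "2024-01-01T00:02:00Z" }));
```

Locking keys on the OAuth identity (`facebookId`) rather than on an internal account row, so that a locked user who deletes and re-creates their account in the app is still locked; the IP blocklist, as the answer notes, is a weak control on its own because a new actor can simply come from a new address.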

Permissions for Camera+Images / Product data

I requested to "Verify company" over a month ago so that I can get permissions on my developer account to access my own camera data. Apparently verification is still pending, because I still can't add this permission to my developer account.
Is nest development still supported? The #nest twitter account referred me specifically to this tag on Slack for nest API questions when I inquired what needed to be done to get verification approved.
The answer to this issue is to request verification, REMOVE the current Camera permission, then add back the "Camera + images" permission. There can only be one permission at a time, despite this not really being documented, and apparently permission to add it is granted once you request verification, but this is not documented either. I was able to find something that led me to the answer over on nestdevelopers.io.
"Verify company" is only for using the Resource Use API. As noted above, you can only have one camera permission at a time, so depending on your camera needs, only select the one that is most appropriate.

Is It an obligation having a company in order to have access Instagram Live API for public scope?

I am developing an app which needs the public_content scope of the Live API and am aware of the new regulations of Instagram. After I complete my app, I will send it to Instagram for review. The issue I wonder about is: is having a company strictly required in order to have Live API permission? Because I saw in the documents that developers should show their apps' privacy policy and that kind of thing.
I don't think you are required to have a registered company, but your app/website should look serious and should solve a problem for brands/businesses as mentioned in the 3 approved use cases by Instagram.
I used to have http://gramfeed.com for the last 5 years and recently had to rename to https://www.picodash.com and refocus the service on a more specific audience to get approval. It has to look professional and should NOT be a generic service for all users.