I'm trying to create a Azure Mobile Services Backend (JS) for an Android App and Website, with Windows and iOS versions down the road.
I see that you can add API keys to Facebook, Twitter, Microsoft and Google for users to authenticate via social accounts. I want my app to enable registration and login from these social accounts as well as have a standalone sign up form should they opt not to.
All data should be stored in a user table and I want to be able to store columns like phone number, and have users login and manipulate data specific to their account via Mobile Services APIs.
Could a knight or dame in shining armor point me to the right direction on how I can implement this? I haven't been able to find any articles that can help me create such a system.
I'd start with this post by Chris Risner:
http://chrisrisner.com/Custom-Authentication-with-Azure-Mobile-Services-and-LensRocket
He links back to several earlier posts that should provide the background you need and also has some updates at the top to point you to changes since that post.
For profile information from the social providers I'd use these examples (and the associated links) from Carlos Figueira on how you can access more profile information from MS, Google, and Facebook.
http://blogs.msdn.com/b/carlosfigueira/archive/2013/12/12/expanded-login-scopes-in-azure-mobile-services.aspx
Related
I have a running website, where users already have accounts. And I am trying to create a Google Assistant agent, accessible on Android, to help users access their information.
My issue is that I can't detect returning users on Android Smartphones, each time they have to sign in.
I tried Anonymous User Identity, but it is soon to be deprecated.
Is there an other way to keep track of users?Using some kind of userId that I can store, so I can make "my own Acount Linking" linking the person/Smartphone with already existing user accounts.
There are a few angles to your question.
Is there any way to keep track of users?
Yes... but...
You can store a userId that you generate in the user storage area. You do need to treat this like you would a cookie, so some jurisdictions might impose restrictions on this, but this is one approach to moving from the anonymous ID that is being turned off soon.
But...
How do I let them log into my service through the Action?
That is the problem. The General Policies states the following limitation for collecting user data:
Authentication Data
(including passwords, PINs, and answers to security questions)
Don't collect authentication data via the conversational interface (text or speech).
After a user's account has been linked, PINs or passwords may be used as part of a second verification process.
So you need to use Account Linking to connect to the existing account on your service.
How can I do Account Linking if I don't require Google Sign-In?
You can still use Google Sign-In for Assistant if it will (or may) provide the information as part of the profile that match what you have. So it doesn't need to use the same account - just have the same email (for example).
But that still may not be enough.
For other cases, you can look into setting things up to work with an OAuth server that you control.
So why use Google Sign-In if I setup an OAuth server that uses Google Sign-In?
Google Sign-In is good for a more streamlined flow, if you can use it. It can be done completely with voice, such as with a smart speaker, instead of requiring the user to go to a phone to complete the login. So if you have the user's email address in your account system, and you also get this from Google Sign In, then you can connect the two accounts.
In some cases, such as if the user is expected to have logged into the account on your website first, they won't even need to do that. If both the voice client and web client use the same Google project, then authentication will take place automatically.
I'm struggeling with the Instagram Permssion Request. We need to use the API to scan for new uploads to Instagram with a specific hashtag, to trigger a machine.
For this, i tried to request the permission for "basic" and "public content". The request was declined for several times, primarily because the screencast does not contain any Instagram login process in our app. Since there is no need to login for our purpose, i dont know how to realize this. We also dont want to use any 3rd party tool, but just the Instragram API. Do you have any advice for this?
Instagram does not approve one-off projects for yourself, they only give permission if you are creating an app or platform for many to use.
https://www.instagram.com/developer/authorization/
One-off Projects. If you are an agency building websites or other
integrations, note that we don't grant permissions to clients created
for one-off projects. If you are interested in building a product,
platform, or widget that will be used as a service across multiple
projects, then you may submit a single client_id that you can use
across multiple projects.
If you are creating an app/platform you have to have a login flow for each customer to login and use, so you have show login flow in video screencast.
If you are not building an app/platform for wide audience, you probably will not get permission and are expected to use other apps out there that do what you want to do.
Also checkout the Instagram Graph API, this is API for business accounts to create one-off projects to moderate your accounts, but you will not have access to public hashtag posts, you will have access to all content for your account: https://developers.facebook.com/docs/instagram-api/v2.10
I'm building a Windows 8.1 store app and need to incorporate authentication. This is an enterprise app used in house. We load the app onto a tablet and a team may check that tablet out for weeks at a time, go out to the field to collect data and then we put in on a shelf until another team needs to use it. Now different teams may work for difference clients so when we authenticate users not only do they get access to the app but we also check what groups they are in to determine what clients they can work on or what previous records they can search for.
I've followed various ADAL tutorials and am able to setup everything in Azure and in my app I am able to authenticate a user successfully and get their groups. This relies on ADAL handling the username/password. What happens when the app shuts down and the user in a place where there is no internet (or even a reliable cell connection)? Specifically how can I have the user type a username/password to re-authenticate and get the same groups they were in when they can't access Azure services?
It appears they isn't available as the guidance always points to that is a risky proposition to have the app handle username/passwords. I understand that stance and can appreciate the caution behind it. However, in all of the ADAL documentation that I find that says this, none of them tell me how to handle an offline authentication scenario.
I have found links such as ADAL v3: How to authenticate using UserPasswordCredential? that tell me how to bypass the ADAL login page. I may have to move to that route and handle all of the username/passwords securely within the app, but first I would like to reach out and see how others tackle this scenario. Is it really as simple as avoiding best practices and just handle the username/password within the app?
If anyone has some guidance, ADAL (or other oauth providers) documentation, or other articles/advice I can follow up on to help achieve offline authentication I would greatly appreciate it!
Additional Information:
My scenario that I'm trying to cover is what happens when I have 1 device, 1 app, and many different users? These users will be in different groups that will determine how data fields get populated (filter data in combo boxes) and what previously submitted forms they can query for. All users would need to login when online to cache their information (say on Day 0) before they can ever use the app. On Day 1 user 1 uses the app and doesn't log out. I would expect the app to have a timeout timer to log that user out after 2 hours of no activity. On Day 2, user 2 just grabs the device off the shelf and takes it out into the field. He has no internet and needs to log in to determine who they are and what group they are in. I would expect since he has logged in once and verified his credentials already that we can enable this sort of scenario.
What I'm looking for is guidance if ADAL as a library can handle this or is it truly up to me the app developer to handle this sort of scenario. As I see it currently I need to store all user credentials, but at the same time it seems like everyone advises against that. I feel like I'm in a situation where I need to create a custom login screen and store the user data, SECURELY of course, even though its not recommended. It seems like all articles on how to use ADAL are written from a consumer app standpoint (or a BYOD) and don't take into account how a mobile app would be written for the enterprise.
That depends on your app design, if the first time(app online) , user login and app store all groups ,user information .After that user doesn't need to use token to get related information again(send request to server to acquire groups/user info). If app is offline , user doesn't need to re-authenticate(app controls the user session) , just get group/user information from cache . When using resource owner flow , you still need to send authenticate request to Azure AD server which need internet.
I'm new to azure (used to "default" ASP.NET apps) and giving it some tries I learned that:
a.) it is very easy to add mobile logins (using FaceBook, Twitter, MS-Account...)
b.) that I can't see any database storing this data (user IDs an so)
My needs are the following:
Enable users of a Win10 Universal / Mobile app to login with FB,... (works so far)
use these users (via ID or so) to assign custom database entries to them (profile or so)
assign (via some kind of management interface) the user to a role (for permissions)
merge different logins (let the same user login with different providers=
To explain this imagine a forum (driven by apps (UWP, Android, ...)):
The user logs in via Facebook.
After (example) 10 moderated posts he will be able to write posts without moderation. (assign to role)
Users can be manually added to roles (moderators)
Last not least if the preferred service is not available (some corporate networks for an example restrict Facebook access) - the user shall be able to use (for an example) Google to login with "HIS account".
I understand that "merging" may need to be done while both providers are available.
Something like - "you are logged in with FB - to you want to add Google login to your account - if yes pleas additionally login with Google now while your are logged in with FB...
Two extra points:
1. I don't want to have "username / password" (only social logins)
2. I want to store the users email (for notification purposes)
--used from the social provider if available - or manually entered
Is this possible with "Azure Mobile" or would it be better to create a "Web App" and add (somehow) add "Mobile capabilities" (login, push notifications..) to it?
Yes, you can absolutely do this. The token information (which is equivalent to the claims that you request when you set up the authentication within the Authentication / Authorization Settings blade in the Azure Portal) is available on the /.auth/me endpoint of your app. It's also available internally - for ASP.NET, that would be the MobileAppUser class. This is the IPrincipal for the request given an ASP.NET TableController decorated with the [Authorize] decorator.
You can adjust the information stored by the table controller. There is some sample code commented out of the FieldEngineer sample on GitHub for this.
I am working on a project in which i have created an app on flickr. my account is free account. using that app. many users connects to my application and i store their access_token in my database. using that token. my application send requests to flickr and download users public and private data in a server storage. from where the connected users can view only their own backed up data.
I want to know. is there any limitation for free account to download users data. my app downloaded 6000 photos of a user accurately.
please tell me what type of account i needed for my app.
When you apply for a Flickr API license the following explanation is given on the Flickr site as to which license to choose:
First, we need to know whether or not your app is commercial.
Choose Non-Commercial if:
Your app doesn't make money.
Your app makes money, but you're a family-run, small, or independent business.
You're developing a product which is not currently commercial, but might be in the future.
You're building a personal website or blog where you are only using your own images.
Choose Commercial if:
You or your agency works for a major brand.
AND one of the following:
You want to make a profit.
You charge a fee for your product or services.
You will bring Flickr content into your product and intend to sell those services.
Net, if the business behind the app is 'small' or 'independent' you can earn money with a Flickr app and a non-commercial license. If not, you need the commercial license. Flickr retains the right to decide which license is appropriate for your app at any point in time.
Since the text appears inside the logged in area I can't link to it. I've included a screen shot instead:
Since the title of your question is "flickr API commerical application", the limit is 0 for a free API key. You should apply for a commercial API key. You will then be able to negotiate exactly what limits you require - in fact, your costs will be dependent on those limits.
Using the free API for a commercial application is against Flickr's terms of service and may lead to your access being suspended.
The Flickr Terms of Service are listed here:
http://www.flickr.com/services/api/tos/
This is what it says about commercial use:
If the primary purpose of your application is to derive revenue, it is considered a commercial application. Flickr reserves the right to make these evaluations at the time that you apply for the license. Flickr may also monitor your site or application over time to ensure continued compliance with the appropriate type of API key.
If you're in doubt about whether your application is commercial, here are a few common examples of commercial use that may provide you some guidance:
Users are charged a fee for your product or service which includes some sort of integration using the Flickr APIs.
You sell services to Flickr users and use the APIs to bring users' Flickr content into your service.
Your site is a "destination" site that uses Flickr photos to drive traffic and generate ad revenue.