I am working on a web app that has "Sign in with Google" and "Login with Facebook" buttons. After user successfully signs into the app backed by Firebase, I want to be able to make API calls to their Google and Facebook data. Example is fetch their photos from Google Photos or Facebook.
Normally this is easy to do when you use Google Auth APIs on web and on signing in, you get Auth Code that you can pass to your server and server exchanges that one-time-use code for Access Token and Refresh Token and store them on server side for any future API calls. Here is a link to tutorial for this approach - https://developers.google.com/identity/sign-in/web/server-side-flow
With Firebase being my backend and with FirebaseUI authenticating users to my web app, how can I get the code that I can pass to Firebase Function which can then exchange it for Access Token and Refresh Token and save it into Firestore for further API calls.
You can use the signInSuccessWithAuthResult callback from firebaseUI: https://github.com/firebase/firebaseui-web#signinsuccesswithauthresultauthresult-redirecturl
It will expose the userCredential object. For OAuth providers like google and facebook, you can access the OAuthCredetial using userCredential.credential. The reference for this interface is here: https://firebase.google.com/docs/reference/js/firebase.auth.OAuthCredential
Related
Per https://developers.google.com/identity/sign-in/web/server-side-flow in order to get a refresh token, the client must grant offline access. However, I see no way to do that using the new API. What's the proper way to get a refreshed token using the Google button, so the user doesn't need to re-login every hour?
Authentication for sign-in has been separated from authorization for data access in he new API.
In the new API authentication does not require or use access or refresh tokens, instead a signed JWT ID token credential containing the user profile is shared after user consent. This greatly simplifies the level of effort and need to manage tokens during app sign-up or sign-in.
If you're performing authorization to access Google APIs and storing refresh tokens on your backend, then a server-to-server OAuth flow is appropriate.
Another clarification, user sign-in to your app and maintaining session state are separate concepts and should be handled separate from backend processes which may use an offline refresh token to perform actions through a Google API on behalf of the user while they are not logged in.
I would like to build a small js library that can read a specific album from my account and display the photos within as a slideshow.
In this guide (https://developers.google.com/photos/library/guides/get-started), to access the API we need both ClientID and Secret. Is there any way to access the API using some type of public key for read-only access? That way I (the provider of photos) don't have to login every time?
The Google Photos Library API is used via OAuth2 user authentication. All requests through the API are made on behalf of a user. Public API keys or service accounts are not supported.
OAuth tokens expire after a certain time, which is returned as part of the OAuth authentication request. You can use a refresh token to retrieve a new access token once it has expired. If you'd like to do this without explicit interactive user interaction, your application needs to be authorized for offline access. The good news is that the authentication client libraries handle this for you.
If you are using Google Sign-In (for example on Android), you can check if the user has already signed in using GoogleSignIn.getLastSignedInAccount(this), so you would not need to prompt again for access. You could also enable server-side access if you want to make these offline requests from your backend.
If you are using any of the Google OAuth client libraries, you can specify the 'offline' parameter as part of the initial sign-in request. For example in Java, you would set the access type: .setAccessType("offline") on the GoogleAuthorizationCodeFlow.Builder during creation.
Below is my understanding of the process of oauth2.0(using google as the oauth2.0 server)
my customer click 'login with google account' button on client side.
the browser redirect to google's login page.
my customer inputs it's credential and click 'login'.
if my customer succeeded in previous step,the browser will redirect to my server's url
(www.[myserver].com/auth/google/callback) with some extra query
data.
then my server will do some work to get some token from google and finally get my customer's information.
My question comes from the next step. I want to use token based authentication.Then I have to make my customer to store my own token in localStorage. I can't figure out how to achieve this in the 6th step(how to send a new token to client side and store it in localStorage?).
(I know that every thing will be easy if I am using cookie-based authentication. because I can just utilize 'set-cookie' in the 6th step, and the client side will be easily store the credential data in client side's cookie)
Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, installed, and client-side applications.
I figure out that I can use some type of template engine on my server side(just like discussed here). So I can render my template file using variable before send it to my customer.
auth0 version: 9.3.3
I'm developing a chrome extension that uses Google Identity API. When my extension is loaded when the user is already authorized by Google, so it seams like an overhead to show the authentication popup again by the:
Auth0Js.authorize({connection:'google-auth2'})
I already have the google access_token by:
chrome.identity.getAuthToken({}, function (access_token) {...})
that looks like:
ya29.GmCGBfZPOwM725oSok08AdMLQGHYNr50Ax9TAQVoHGjEkAS1gdv-R_1H_LBd6Fe9YgEjWm8eejTYk5IyCWGrdDn6P1R8ahRQW768_SDf7nD8Yq0kj2VXoBZVNYyiIDWtFP0
but I still need the auth0 token. Is there a way to silently exchange a google access_token into an auth0 access_token?
The solution is found:
https://auth0.com/docs/connections/calling-an-external-idp-api
The original google access_token can be obtained by the Auth0 Management API.
The steps to follow are:
Get an Access Token that allows you to call the Auth0 Management API.
Call the Auth0 Management API's Get Users by ID endpoint, using the Access Token obtained in step one. This endpoint returns the full user's profile, which contains the IdP Access Token.
Extract the IdP Access Token from the response and use it to call the IdP's API.
Can we get the Facebook user access token without prompting to login page. Isn't it enough having App Id and App Secret to get the token. I have tried according to the Facebook API documentation. But it prompts to login screen if you are not already logged in in the browser.
This is what document says,
User Access Token – The user token is the most commonly used type of token. This kind of access token is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf. User access tokens are generally obtained via a login dialog and require a person to permit your app to obtain one.