Git Product home page Git Product logo

guardian.android's Introduction

Guardian SDK for Android

CircleCI Coverage Status License Maven Central Download

Guardian is Auth0's multi-factor authentication (MFA) service that provides a simple, safe way for you to implement MFA.

Auth0 is an authentication broker that supports social identity providers as well as enterprise identity providers such as Active Directory, LDAP, Google Apps and Salesforce.

This SDK allows you to integrate Auth0's Guardian multi-factor service in your own app, transforming it in the second factor itself. Your users will get all the benefits of our frictionless multi-factor authentication from your app.

Requirements

Android API level 15+ is required in order to use Guardian.

Before getting started

To use this SDK you have to configure your tenant's Guardian service with your own push notification credentials, otherwise you would not receive any push notifications. Please read the docs about how to accomplish that.

Install

GuardianSDK is available both in Maven Central and JCenter. To start using GuardianSDK add these lines to your build.gradle dependencies file:

implementation 'com.auth0.android:guardian:0.8.0'

Usage

Guardian is the core of the SDK. You'll need to create an instance of this class for your specific tenant/url.

Uri url = Uri.parse("https://<AUTH0_TENANT_DOMAIN>/appliance-mfa");

Guardian guardian = new Guardian.Builder()
        .url(url)
        .build();

alternatively you can use the custom domain if you configured one

Uri url = Uri.parse("https://<CUSTOM_DOMAIN>/appliance-mfa");

Guardian guardian = new Guardian.Builder()
        .url(url)
        .build();

That's all you need to setup your own instance of Guardian

Enroll

An enrollment is a link between the second factor and an Auth0 account. When an account is enrolled you'll need the enrollment data to provide the second factor required to verify the identity. You can create an enrolment using the guardian instance you just created.

First you'll need to obtain the enrollment info by scanning a Guardian QR code or obtaining an enrollment ticket by email for example.

Next you'll have to create a new pair of RSA keys for the new enrollment. The private key will be used to sign the requests to allow or reject a login. The public key will be sent during the enroll process so the server can later verify the request's signature.

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048); // you should use at least 2048 bit keys
KeyPair keyPair = keyPairGenerator.generateKeyPair();

Then you just use the enroll method like this:

CurrentDevice device = new CurrentDevice(context, "fcmToken", "deviceName");

String enrollmentUriFromQr = ...; // the data from a Guardian QR code or enrollment ticket

Enrollment enrollment = guardian
        .enroll(enrollmentUriFromQr, device, keyPair)
        .execute();

or you can also execute the request in a background thread

guardian
        .enroll(enrollmentUriFromQr, device, keyPair)
        .start(new Callback<Enrollment> {
            @Override
            void onSuccess(Enrollment enrollment) {
               // we have the enrollment data
            }

            @Override
            void onFailure(Throwable exception) {
               // something failed
            }
        });

The deviceName and fcmToken are data that you must provide:

  • The deviceName is the name that you want for the enrollment. It will be displayed to the user when the second factor is required.

  • The FCM token is the token for Firebase Cloud Messaging push notification service. In case your app is not yet using FCM or you're not familiar with it, you should check their docs.

Unenroll

If you want to delete an enrollment -for example if you want to disable MFA- you can make the following request:

guardian
        .delete(enrollment)
        .execute(); // or start(new Callback<> ...) asynchronously

Allow a login request

Once you have the enrollment in place, you will receive a FCM push notification every time the user has to validate his identity with MFA.

Guardian provides a method to parse the Map<String, String> data inside the RemoteMessage received from FCM and return a Notification instance ready to be used.

// at your FCM listener you receive a RemoteMessage
@Override
public void onMessageReceived(RemoteMessage message) {
    Notification notification = Guardian.parseNotification(message.getData());
    if (notification != null) {
        handleGuardianNotification(notification);
        return;
    }

    /* Handle other push notifications you might be using ... */
}

If the RemoteMessage you receive is not from a Guardian notification this method will return null, so you should always check before using it.

Once you have the notification instance, you can easily allow the authentication request by using the allow method. You'll also need the enrollment that you obtained previously. In case you have more than one enrollment, you'll have to find the one that has the same id as the notification (you can get the enrollment id with getEnrollmentId().

guardian
  .allow(notification, enrollment)
  .execute(); // or start(new Callback<> ...) asynchronously

Reject a login request

To deny an authentication request just call reject instead. You can also send a reject reason if you want. The reject reason will be available in the guardian logs.

guardian
  .reject(notification, enrollment) // or reject(notification, enrollment, reason)
  .execute(); // or start(new Callback<> ...) asynchronously

What is Auth0?

Auth0 helps you to:

  • Add authentication with multiple authentication sources, either social like Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, among others, or enterprise identity systems like Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider.
  • Add authentication through more traditional username/password databases.
  • Add support for linking different user accounts with the same user.
  • Support for generating signed Json Web Tokens to call your APIs and flow the user identity securely.
  • Analytics of how, when and where users are logging in.
  • Pull data from other sources and add it to the user profile, through JavaScript rules.

Create a free account in Auth0

  1. Go to Auth0 and click Sign Up.
  2. Use Google, GitHub or Microsoft Account to login.

Issue Reporting

If you have found a bug or if you have a feature request, please report them at this repository issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.

guardian.android's People

Contributors

crew-security avatar damieng avatar hzalaz avatar ionutmanolache-okta avatar jayhelton avatar joseluisdiaz avatar lbalmaceda avatar nikolaseu avatar oleksandrozerov-okta avatar poovamraj avatar sebadoom avatar shadow-dahm avatar sre-57-opslevel[bot] avatar tslarson avatar

Stargazers

avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

groomea annahothai geekysrm y1026 jnpatel2811 jacobjust tslarson joseluisdiaz jamescgarrett isabella232 jayhelton shadow-dahm poovamraj ionutmanolache-okta taaqif guieco

guardian.android's Issues

cant enroll in sample app

Hi there,

I may be doing something silly here, but I've cloned the sample app and library, and can't get an enrolment to work.

When a barcode is scanned, the Guardian library performs a call to https://mytenantishere.guardian.auth0.com/api/enroll

This call always returns a 401 with "Missing authentication", error code invalid_token.

content-type: application/json; charset=utf-8
D/OkHttp: content-length: 104
www-authenticate: Ticket
D/OkHttp: {"statusCode":401,"error":"Unauthorized","message":"Missing authentication","errorCode":"invalid_token"}

Allowing/Rejecting always fails

As the title suggests allowing or rejecting a notification always fails with the following error:

GuardianException{{statusCode=401.0, error=Unauthorized, message=An error ocurred validating the challenge response token: jwt expired, errorCode=invalid_challenge}}

Not sure how to resolve this since the challenge is coming from the notification that I received.

Enroll Activity/Fragment

  • Choose the best: Activity will allow us to check for runtime permission, fragment will have to assume permissions are already handled by the activity from where it’s used.
  • Maybe have both? Fragment and an activity that uses the fragment and handles the runtime permission

Warning for using variant.getJavaCompile()

Getting a warning when using version 0.4.0

API 'variant.getJavaCompile()' is obsolete and has been replaced with 'variant.getJavaCompileProvider()'.
It will be removed at the end of 2019.
For more information, see https://d.android.com/r/tools/task-configuration-avoidance.
To determine what is calling variant.getJavaCompile(), use -Pandroid.debug.obsoleteApi=true on the command line to display a stack trace.
Affected Modules: guardian

Enroll flow helper

Just executing a method to perform an enroll and return an enrolled account

Allow/reject auth request

  • Allow login: Guardian.allow(notification, account)
  • Reject login: Guardian.reject(notification, account, reason?)

Can't enroll using sample app

Hi there,

I may be doing something silly here, but I've cloned the sample app and library, and can't get an enrolment to work. The tenant is configured with Guardian enabled and I've also entered the custom SNS settings for Amazon etc. I've also updated firebase configuration and the guardian.xml resource file with the tenant name.

When a barcode is scanned, the Guardian library performs a call to https://mytenantishere.guardian.auth0.com/api/enroll

This call always returns a 401 with "Missing authentication", error code invalid_token.

D/OkHttp: <-- 401 https://mytenanthere.auth0.com/api/enroll (843ms)
date: Fri, 06 Sep 2019 16:02:54 GMT
content-type: application/json; charset=utf-8
D/OkHttp: content-length: 104
www-authenticate: Ticket
cache-control: no-cache
D/OkHttp: {"statusCode":401,"error":"Unauthorized","message":"Missing authentication","errorCode":"invalid_token"}

Any ideas?

Enrollment fails

Enrolling (/api/enroll) fails in the Guardian sdk.

I get response:
HTTP Response: 401 (Unauthorised)
Message: Missing Authentication

File: Guardian.Android/guardian/src/main/java/com/auth0/android/guardian/sdk/GuardianAPIClient.java
Method: public GuardianAPIRequest<Map<String, Object>> enroll

Steps to reproduce:
Clone repo, set google api value, set auth0 base url, Gradle Sync, Build, Deploy, Scan a Barcode. {{ Error is displayed }}

API client methods

PATCH /api/device-accounts/{id} ..updateDeviceAccount
POST /api/enrollment-info ..getEnrollmentInfo
DELETE /device-accounts/{id}
POST /api/verify-otp ...allow
GET /api/tenant-info
POST /api/reject-login
GET /api/reject-reasons

Some Grammatical Issues in README.md

Hopefully this is not too petty, but I saw that there were quite a few commas missing in the README file. I would like to fix this if that's cool. :)

Update package names

Two modules:

  • guardian-sdk: api + abstraction non-ui
  • guardian-ui: ui components

Artifacts will be:

com.auth0.android:guardian-sdk
com.auth0.android:guardian-ui

Support for FCM HTTP V1 api

I am building an android native mobile application with Auth0 guardiun SDK for MFA with platform specific push notification.

The current solution does not provide a way to integrate new FCM V1 API.
When we configure MFA with platform specific push notification, on Auth0 config portal It is asking for legacy FCM server key(It is no more supported from FCM now).
image

There is no way we can config FCM V1 API or i do not found how to config MFA with FCM HTTP v1 API.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    πŸ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. πŸ“ŠπŸ“ˆπŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❀️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.