We're building mobile apps (iOS and Android) that require a REST API backend and integration with Facebook for authentication.
I'm still confused on what is the best architecture design for this kind of use case.
Main Question: Who is responsible for authenticating/authorizing with Facebook, client or server?
Option A: Client authenticates to FB. Client sends requests using the token it received from Facebook. Server uses that token to identify the user.
Option B: Server authenticates to FB in behalf of the client.
Additional notes (may be relevant or not):
I'm developing the REST API part using Django.
The app will need access to the user's Facebook friends so we can invite them to use the app.
You should go with option A.
Authenticate with the client. Then you will receive an access token.
Send this token to the server.
Now you can create a user, fetch FB friends, and all other you might need.
If you are using django-rest-framework, you should have a look at the django-rest-auth package. It handles user login/creation on the server side using the access token.
https://django-rest-auth.readthedocs.org/en/latest/installation.html#social-authentication-optional
You can take a look at the Facebook SDK for Python, it should tell you how to incorporate it into your app and it shows how to integrate with a few frameworks here (Flask being similar to django for this).
Facebook will be doing the authentication on their side, not you, though you may want to store the user's token in a database.
Related
I am building an Android App that requires users to log-in by their Facebook (so we can get their profile picture and albums). It works great by using the Android Facebook API. After I get the access token from the API, I can get the information that I want and also post feeds/photos by the App.
However, I now need to build the remote function for this App as well, which means the App should talk to our server for managing his own information and fetch other information.
I plan to manage users in our server by also the Facebook API. Specifically, I am using .net + Facebook authentication:
.net Facebook authentication
It works ok. Basically, when people(or my App) visit the url on our server, a response from Facebook will ask user to log-in and then my server can get user's identity.
My problem is, in this case, the users seem to handle the log-in "twice" (one for Android Facebook API and one for remote server Facebook API). Is there any way that I can just do it once? For example, once I get the "access token" by the Android Facebook API, can I pass that "access token" to my remote server (maybe via the post header?), and then my server will be able to talk to Facebook via the same log-in identify. (I prefer using the Android SDK because it allows users to skip entering the password if the user has the Facebook app installed)
I am wondering if anyone can give me some suggestions to achieve this function. I notice there is something called "JWT Bearer Token" seems fit my need but I am still looking for tutorials of using this with Facebook API.
I really want to know authentication about android..
I want to know about 2 case authentication (just android application login, android application login and web application login)
just android application
When i signed in sns like facebook or twitter, I got token and send it to server.
app and web
What if already have ID with sns in web application, what should i do?
Application sign in and got token. And next, send token to server and authenticate in server?
A lot of applications use token based authentication, where server is separated from the whole application, which e.g. allows to use one restful api for many services like mobile app and web app.
Basically it works this way, that first user sends his login and password through secured connection to your server, and then the server generates a token that allows user to get certain data from that server. Those tokens are made to expire after some time (for security reasons). You can read more about token based authentication, tokens, refresh tokens, json web token and similar things.
Here you have similar question on this topic, on stack overflow:
How do popular apps authenticate user requests from their mobile app to their server?
And here you have an overview of other types of authentication:
https://blog.risingstack.com/web-authentication-methods-explained/
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I have a more structural question about designing a connection between an app (android) and a server (rails-api gem) using json. It should use facebook as authentication and afterwards handles the connection flow via a token.
My planned solution looks like this:
I'm planning to use the facebook sdk (client side), to get a facebook access token.
a) Should I use client side? I am considering it, because the request would not be done by my server. But is the access token trustworthy?
Afterwards I send the access token to my server and check it with the facebook graph api
If the token is correct, I create a new user with the information from the facebook graph api
Next I use doorkeeper for creating a oauth provider. The client gets an oauth2 access token which he uses to communicate with the server…
a) Should I use another authentication gem? Or should I use the facebook access token as normal authentication token?
b) I am not sure if I should use doorkeeper or devise. Is doorkeeper enough? I read somewhere that u should use doorkeeper for apis and devise for normal websites.
c) I don’t get the implicit grant stuff from oauth2. Should I consider it here?
Thanks for our help :)
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….