I am using ASP.NET WEB API 2.2 framework for my service layer. Individual accounts and external Facebook login features are enabled. And i try to use this restful service from my Android native application.
My first question is how can i use current authenticated facebook account at mobile device for my login mechanism. How can i get current logged in Facebook user and his/her datas like profile picture, finally send these datas to the restful service.
Second one is: if user is not authenticated in Facebook at his/her mobile device, should i redirect to Facebook login page. If yes, how can manage this workflow processes(open facebook user enters username and password, after logged in redirecting to my own native application, etc.).
In terms of service later(or web browser cookie authentication) there is no problem for Facebook authentication. However, there is lack of information, tutorials for Android Native Application login through Facebook.
Using Facebook Authentication in Android can be tackled by importing the Facebook SDK in our Android Project. After completing this import process, Facebook SDK now can supply access token.
However, there is not much enough tutorial, how can we use this Facebook access token for getting Owin bearer token from our ASP.NET WEB API 2.2 system.
In ASP.NET WEB API 2.2 template's apiaccountcontroller class there is lots of methods, how can we use them properly?
Related
I am building an Android App that requires users to log-in by their Facebook (so we can get their profile picture and albums). It works great by using the Android Facebook API. After I get the access token from the API, I can get the information that I want and also post feeds/photos by the App.
However, I now need to build the remote function for this App as well, which means the App should talk to our server for managing his own information and fetch other information.
I plan to manage users in our server by also the Facebook API. Specifically, I am using .net + Facebook authentication:
.net Facebook authentication
It works ok. Basically, when people(or my App) visit the url on our server, a response from Facebook will ask user to log-in and then my server can get user's identity.
My problem is, in this case, the users seem to handle the log-in "twice" (one for Android Facebook API and one for remote server Facebook API). Is there any way that I can just do it once? For example, once I get the "access token" by the Android Facebook API, can I pass that "access token" to my remote server (maybe via the post header?), and then my server will be able to talk to Facebook via the same log-in identify. (I prefer using the Android SDK because it allows users to skip entering the password if the user has the Facebook app installed)
I am wondering if anyone can give me some suggestions to achieve this function. I notice there is something called "JWT Bearer Token" seems fit my need but I am still looking for tutorials of using this with Facebook API.
We're building mobile apps (iOS and Android) that require a REST API backend and integration with Facebook for authentication.
I'm still confused on what is the best architecture design for this kind of use case.
Main Question: Who is responsible for authenticating/authorizing with Facebook, client or server?
Option A: Client authenticates to FB. Client sends requests using the token it received from Facebook. Server uses that token to identify the user.
Option B: Server authenticates to FB in behalf of the client.
Additional notes (may be relevant or not):
I'm developing the REST API part using Django.
The app will need access to the user's Facebook friends so we can invite them to use the app.
You should go with option A.
Authenticate with the client. Then you will receive an access token.
Send this token to the server.
Now you can create a user, fetch FB friends, and all other you might need.
If you are using django-rest-framework, you should have a look at the django-rest-auth package. It handles user login/creation on the server side using the access token.
https://django-rest-auth.readthedocs.org/en/latest/installation.html#social-authentication-optional
You can take a look at the Facebook SDK for Python, it should tell you how to incorporate it into your app and it shows how to integrate with a few frameworks here (Flask being similar to django for this).
Facebook will be doing the authentication on their side, not you, though you may want to store the user's token in a database.
Here is our setup:
1) a Web Api project with ASP.NET Identity 2.0 with external login support for Facebook.
2)A native iOS App and a native Android App
We are using the appid and secret in the web api and the identity Facebook authorization options. and using web views to do the login process for Facebook. However, we are also, after the user is authenticated, allowing them to share different pieces of the application to Facebook. Currently, the website shows the scope of publish_actions, user_videos and user_photos.
Facebook is telling us that custom web views are not okay, and that we have to use the native SDK's on all of them. What's the purpose of identity providing the ability to utilize getting external accounts and access tokens if you can't even use them on a mobile app? All of our code that does the sharing process happens on the actual controllers in the web api project. We display a popup that allows the user to enter the text that gets posted, just as Facebook describes.
How can we submit a Facebook App that will explain to them that the website is the actual application that utilizes the Facebook actions we are requesting?
Is this even possible? if not, why is the technology even available to allow external logins via an api, when you'd most likely be using it to service a native mobile client??
Thanks for the help,
Brent
My Android application uses Facebook Android SDK to create the FB Login button and also allow users to log in using their username and password.
So my question is, how can I authenticate and authorize these users on my ASP.Net Web API on each call?
I'm currently developing a web application with Spring Social and Spring Security. In the web application, specific users can signin on Facebook with ProviderSignInController. When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too. This concept is adapted from the spring-social-showcase. Spring Social then enables authenticated users to create Events, which are also created on a facebook page.
Now i want to write a android app which enables users to post to my guestbook and view/create events via my web application. My question now is how to realize the signin from my andoid app. On my web application, a UsersConnectionRepository maps facebook accounts to local accounts. Can i simply reuse this data and signin from my android app in the exact same way as from the web application?
ProviderSignInController adds a path mapping for http://_webapp_/signin/facebook which redirects to a facebook signin page. Can this simply be done with a WebView on android?
Looking on the spring-android-facebook-client im confused. This example seems to manually manage the OAuth authentication. But i havent figured out yet, whether this is the way to go or just another possibility to implement it, when there is no other web application in the background that already manages the authentication.
Any feedback is welcome. Thanks.
Jeyp
Now i want to write a android app which enables users to post to my
guestbook and view/create events via my web application.
The Android client will need a method to sign in to your web application in order to post to a secured RESTful endpoint, and OAuth is a good method for doing this. Spring Security OAuth is an extension of Spring Security that can allow third party mobile or web clients to interact with your web site.
Once you have an OAuth server configured, you can create a custom provider using Spring Social within your Android client to establish an OAuth connection to your web site. Your users will authenticate to your web site with their local credentials in this case. Once connected, your Android app can then post events to RESTful endpoints within your web site, again using your custom Spring Social API bindings.
In this scenario, your users do not authenticate to Facebook from the Android application. This assumes they have already established an account and a connection to Facebook on your web site. And in fact, this is how the SpringSource Greenhouse reference application works.
This brings us back to a previous part of your question:
When staff members authenticate with FB successfully, they are programatically signed in for my local webapp with Spring Security, too.
If I understand correctly, you are asking to authorize your Android client to access your third-party web site, with Facebook credentials. While this is certainly possible, it is not currently supported through Spring Social and Spring for Android.
Another option is to consider a mobile version of your web site. That way Android and other mobile devices can then simply sign in to your site just like from a normal browser, using their Facebook credentials. The UI would be more appropriate for mobile devices, and it would eliminate the extra complexity of an additional OAuth server/client configuration.
And finally, to address the last part of your question. This is really a separate issue from the previous parts:
This example seems to manually manage the OAuth authentication.
The primary issue is that Spring Social does not yet support Resource Owner Credentials Grant (ROCG). The addition of this feature would simplify the process of obtaining an access token for Facebook on Android, because you would not have to deal with a browser redirection. See this Spring Social issue for more information.
Because of the lack of ROCG, the Spring for Android sample app is illustrating one method for obtaining the access token using Spring Social. In this case, it is a modified version of the client-side authentication flow. For reference, Facebook has a helpful page describing all the available authentication methods. The webview redirects to a url after successful authentication, at which point the app is able to retrieve the access token from this url.
SpringSource is discussing how to simplify authentication and improve this part of the integration between Spring Social and Spring for Android in future releases.