I have a more structural question about designing a connection between an app (android) and a server (rails-api gem) using json. It should use facebook as authentication and afterwards handles the connection flow via a token.
My planned solution looks like this:
I'm planning to use the facebook sdk (client side), to get a facebook access token.
a) Should I use client side? I am considering it, because the request would not be done by my server. But is the access token trustworthy?
Afterwards I send the access token to my server and check it with the facebook graph api
If the token is correct, I create a new user with the information from the facebook graph api
Next I use doorkeeper for creating a oauth provider. The client gets an oauth2 access token which he uses to communicate with the server…
a) Should I use another authentication gem? Or should I use the facebook access token as normal authentication token?
b) I am not sure if I should use doorkeeper or devise. Is doorkeeper enough? I read somewhere that u should use doorkeeper for apis and devise for normal websites.
c) I don’t get the implicit grant stuff from oauth2. Should I consider it here?
Thanks for our help :)
Related
We're building mobile apps (iOS and Android) that require a REST API backend and integration with Facebook for authentication.
I'm still confused on what is the best architecture design for this kind of use case.
Main Question: Who is responsible for authenticating/authorizing with Facebook, client or server?
Option A: Client authenticates to FB. Client sends requests using the token it received from Facebook. Server uses that token to identify the user.
Option B: Server authenticates to FB in behalf of the client.
Additional notes (may be relevant or not):
I'm developing the REST API part using Django.
The app will need access to the user's Facebook friends so we can invite them to use the app.
You should go with option A.
Authenticate with the client. Then you will receive an access token.
Send this token to the server.
Now you can create a user, fetch FB friends, and all other you might need.
If you are using django-rest-framework, you should have a look at the django-rest-auth package. It handles user login/creation on the server side using the access token.
https://django-rest-auth.readthedocs.org/en/latest/installation.html#social-authentication-optional
You can take a look at the Facebook SDK for Python, it should tell you how to incorporate it into your app and it shows how to integrate with a few frameworks here (Flask being similar to django for this).
Facebook will be doing the authentication on their side, not you, though you may want to store the user's token in a database.
I would like to create an app in which there is a mobile (Android) client which uses REST API from the server. A user has to login with Facebook account (using Facebook SDK's LoginButton); on success this should create a user account on the server at the first log in.
I've already read a lot of tutorials about how to secure HTTP API using SSL and access tokens, but there is one point which I don't get. The flow should look like this:
a user log in on the Android app with the Facebook LoginButton
in the Android app I receive an access token on successful log in which I can push to the server
I can validate this access token against Graph API
if validation in 3. is succesful I can create a user account on the server
all other calls to my server API can be secured with received access token or other token which would be created by me
but what about the 2. point? I have to expose API call which takes an access token and creates an account. This API call won't be secured, so if someone calls it with stolen/properly fabricated access token, then I will create an account which shouldn't exist. How to solve this? Do I have to assume that if my create account API is called with an access token which is valid (because I validate it in 3.) then everything is ok? Is there a better solution?
You are right, never trust the client. Always validate all client input again on the server.
In your case, you're validation of the token on the server in Step 3 should include comparing the result from Graph API with the result from decrypting the user info from the token. If both match, then proceed.
There are several code examples on Facebook website on how to do this correctly. They are available in several server languages (e.g. PHP) so I recommend reviewing them.
I am having trouble wrapping my head around the following:
Android app with a Facebook login
NodeJS (Hapi.js) server backend
In the past I was using a simple username password system that made it very easy to create a server side session and authenticate server requests (for example: get all users that are within 50 km of me). I removed that system and chose for a Facebook login in the android app because it will help decrease some of the load (for example: we don't need to store our own images...).
The problem is that I am not sure how to handle server side authentication. All GET's, POST's,... can only be done by users that are also logging in on my Android app using the Facebook integration.
I found the following topics already on Stackoverflow:
Facebook authentication to my server using Android
Provide secure Facebook authentication with my Server
I just want an updated opinion on the matter, is it secure enough to just send the token to my node server and make a Facebook API call using it to check for a valid authentication?
If there is a better approach please share it! Thanks in advance.
Yes, it is secure enough to send Access Token to your server and make an API call to Facebook for validating that Access Token. AFIK this is the Best approach.
I develop a web application with nodeJs. Most of the functions auth protected. I use Oauth2 (Google, Twitter) to authorize users to use the application.
I must create an Android application, what communicate with my backend over http after the user authenticated with Google account in the Android app.
What is the best practice for that?
I think OAuth2 would be good for this job. But how?
you can't really use oauth in this case. as this How can I verify a Google authentication API access token? explains, you should not share authentications.
Instead, you should have your mobile app use a separate authentication for backend requests. You could have them login once, generate some secret token you can store in the phone so they don't need to login each time. That token is protected by the google login anyway.
You might want to consider using PassportJS (in case you are using ExpressJS as your web application framework).
New to OAuth2. I am writing an Android app that communicates with an App engine server application.
The app needs to authenticate itself with the server on behalf of the user, using Google account info of the user. The server needs to retrieve the user's basic info and create an account . That's the easy part and I know how to do this.
Furthermore, the Android app will also have the user authenticate himself/herself using Oauth2 and retrieve basic user info using Google account info of the user. I can do this as well.
This is where I need help Assuming the previous steps have been completed successfully, how can I use the Android app (where the user has logged in) to communicate with the server securely using the user's credentials.
Any ideas or am I missing something obvious?
The Android to App Engine OAuth2 communication is documented in this answer:
google app engine oauth2 provider
Using OAuth, 1.0 or 2.0, doesn’t matter in this, leads to the app obtaining an access token - then based on the API of your server, you pass this access token with requests instead of login and password. I guess the way to attach the access token string to URL requests may be slightly different between different APIs, see the documentation for yourself. Or if you are making the server app at the same time, then you need to figure out your way to do so (like sending a HTTP header Authorization: OAuth access_token=abcdefgh….