I am building an Android app for a website that uses FB connect to link their user data with FB user data by FB id. When I allow the user to log in via Facebook's Android SDK, I get an access token for which I can request data on the user's behalf. I would like to send the access token to the server and have the server then request the user's id to create a local session and send me back the user data specific to this website. Does Facebook allow the access token to be used in this way (authenticate from device and then request data from the server with the same token)? The alternative is to use the SDK on the device to get the FB user id and then pass that to the server, but I feel it's not very secure to allow a session to be created with just a FB user id. This would be an easy thing to impersonate.
What is the typical scenario for this use case (log in via Facebook SDK to create a session on your own web app where the user data is already linked)?
Yes, this is allowed by FB. See below:
https://developers.facebook.com/docs/facebook-login/access-tokens/#architecture
As noted above, access tokens are portable. This means that once you
obtain a token, you can generally use it from any machine - server,
client or otherwise.
Related
I have an andorid app and i am trying to implement linkedIn login in it.
LinkedIn SDK has been successfully integrated and i am getting user information as well along with the email address.
Here is how my application works for google login :
1) get access token on mobile
2) send email address with access token to server
3) fetch details of users with access token i received via webapi of google.
4) if the response email matches with the email received from mobile device then check for account exists or not of that email address . If not create account and login other wise login.
Problem with linkedIn :
The access token i have received belongs to mobile sdk and i cannot use the same token to make REST API request. (as per documentation)
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the
Mobile SDK are only useable with the Mobile SDK, and cannot be used to
make server-side REST API calls.
Similarly, access tokens that you already have stored from your users
that authenticated using a server-side REST API call will not work
with the Mobile SDK.
So how to verify details in step 3) i mentioned above on my webserver ?
Is It a disaster ?
I am sure there has to be a way to do what i am trying to do, as there are many applications which let their users login through linkedin on their mobile apps.
Because if its not possible then anyone can easily change the email address the mobile app is sending to webserver after receiving from linkedin and i can login with any email address i want by doing that.
Like you said, you can't do it.
Instead you have to use a different approach, get the required info on the device, returned by LinkedIn and send it to your server. Use HTTPs connections to avoid MITM attacks.
If you app is downloaded from official information shouldn't be modified on device.
ANOTHER SECURITY MECHANISMS:
If you want more security, you could for example encrypt data on server, send HASH to mobile, use your LinkedIn token to consult information and with another algorithm compare that data received is the same.
But I think that this a too expensive mechanism that should be resolved only using HTTPS connections and not downloading the APK from non official stores.
The docs state clearly that you can't use the AccessToken obtained from the Android SDK to make your own REST API calls.
However there's a way to make REST API calls with the mobile SDK, check the Making
Authenticated REST API calls
from here: https://developer.linkedin.com/docs/android-sdk
If you want to retrieve the user profile info, you'll have to do it using the mobile SDK.
I would like to create an app in which there is a mobile (Android) client which uses REST API from the server. A user has to login with Facebook account (using Facebook SDK's LoginButton); on success this should create a user account on the server at the first log in.
I've already read a lot of tutorials about how to secure HTTP API using SSL and access tokens, but there is one point which I don't get. The flow should look like this:
a user log in on the Android app with the Facebook LoginButton
in the Android app I receive an access token on successful log in which I can push to the server
I can validate this access token against Graph API
if validation in 3. is succesful I can create a user account on the server
all other calls to my server API can be secured with received access token or other token which would be created by me
but what about the 2. point? I have to expose API call which takes an access token and creates an account. This API call won't be secured, so if someone calls it with stolen/properly fabricated access token, then I will create an account which shouldn't exist. How to solve this? Do I have to assume that if my create account API is called with an access token which is valid (because I validate it in 3.) then everything is ok? Is there a better solution?
You are right, never trust the client. Always validate all client input again on the server.
In your case, you're validation of the token on the server in Step 3 should include comparing the result from Graph API with the result from decrypting the user info from the token. If both match, then proceed.
There are several code examples on Facebook website on how to do this correctly. They are available in several server languages (e.g. PHP) so I recommend reviewing them.
I'm making an Android app that authenticates users via the Facebook SDK. However I also need to authenticate to a remote server in order to pull in new data for this user.
What's the best way to do this?
Should I send the Facebook token to the remote server, then on the server use this to verify it's a valid token for this user and thus confirm the user's identity?
Should I do the previous, but generate and send back my own token for the user to use in the future?
If I later add Google authentication would something like this also work?
Thanks!
IMO, the best way would be
Authenticate user to Facebook from Android application
Get the FB auth token to the android app
Forward the authentication token & facebook UID from Android to web server
On web server, make Facebook API call with the submitted token, to verify the user
The only login option in my android application is login via Facebook. I would like to use Web service (ASMX) and on each request the server must validate that the user is authenticated via facebook. I found a solution:
1) Authenticate user to Facebook from Android application
2) Get the FB auth token to the android app
3) Forward the authentication token & facebook UID from Android to web server
4) On web server, make
Facebook API call with the submitted token.
If the Facebook API call from web server returns valid authentication,
and the user id is equal to the one submitted by Android application,
your server can trust the id (& you can be sure that the Android
authentication real)
Link
My questions are:
Do I have to send the facebook user id and token each time when I send request to the web service? Or use a cookie (if that is possible)
Do I have to register the web service as a facebook application? I found this:
C# Facebook SDK Getting Started
Your solution looks good. Actually, the only thing Android client needs to pass to web service is authentication token. With that authentication token you can do anything, of course with the permissions user granted. So, the Android client must ask user for the permissions your web service will use.
For your 2 questions:
No. You should send FB authentication token one time only. After web server can retrieve user's info from FB, you can save these info to DB (within a simple User model) and then create session with your own authentication engine (cookies, API token, etc.)
No. You don't need to register the web service as a FB app. As I mentioned above, with FB authentication token you can do many things. You can also see the Facebook Graph API
I'm developing an Android app as well as a website (that does have communication with the Android client as well). I want to use FB login, but the problem I see is this:
Client, Use FB login and then gets an access_token.
How does Client and Web Server communicate just using this access_code since the Web Server needs to know which account the Client is referring to. I also want to implement FB login on the web site as well.
One method I was thinking was:
Client Login:
1) Use FB login and get access_token.
2) Use access_token to get some User info.
3) Give access_token and User info to web server.
4) Web server also performs the same FB operation with the access_token and retrieves the User info.
5) Validate the User info matches and determine the user account based on that.
6) Establish another access_token between Client and Web Server for this link.
Does this even make it any more valid or perhaps just doing the login and retrieving the user email address as the actual account and tell the Web Server this is the account to use.
Or has someone done this in another way?
For the communication between your client/server you should use your own client Id.
Don't relay on the access_token facebook gives you because it changed in several scenarios.
Getting the email is also not a full solution because users can decide not to give you their mail.
In general you need to implement Facebook Connect on both sides.
1.Connect to facebook
2.Get permissions from the user (read about permissions here: http://developers.facebook.com/docs/reference/api/permissions/)
3.Register it as your user and give him an id (you can use facebook uid if you want).
When the user returns to your site/app you need to login him again, get his uid and query your server for the user details.
One thing about the access_token, you need it to query facebook's api. you can get it from facebook every time a user login to your site/mobile using facebook or you can request the user for offline_access permission and then you'll have the same access_token until the user changes their password at facebook etc. (read more about it on the docs).
This method allows you to query facebook api's although the user isn't currently logged in to your site.