I'm developing a webapp+android app that has its own registration flow - simple authentication using email and password.
I easily integrated the facebook login from the website, following the second scheme in this page.
Now, I need to 1-click authenticate the Android application with facebook. The main point is that, after the Android app is authenticated, i need to send from my server some specific cookies that are needed for permissions checks when the user wants to do some operations.
The problem is that I cannot authenticate through the facebook token: from what i see, the token would work even if it was taken from another application, so I cant send private data trusting only the fb token (even if it was sent by SSL), since it could be another app pretending it's the user.
Is there any registration flow similar to the one above for authenticating android apps?
Or there is any advice to overcome this issue?
Ok, facebook has fixed this by deprecating the offline_token and providing a longer access token from the client. This Token can be validated server side against my app id and app secret with this new endpoint:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
so I can be sure about the user identity.
Related
I have an Android application that provides users to use it by their Facebook accounts. For this purpose, I have integrated Facebook login. However, I confused about the user registration by Facebook.
When the user logged in, Facebook provides userId, email and access token. I can use them to create an account for the user at my back-end. Let's demonstrate the scenario:
User comes first,
1- User logged-in by Facebook.
2- The email is checked by server and returns no such user
3- An account is created by the information from Facebook
4- The user keeps using the app with this account.
User comes again,
1- User logged-in by Facebook.
2- The email is checked by the server and returns that there exists a user.
In right here, here are the questions:
1- How can the server trust the request that it is from really Facebook so the server can respond to the app "he can log in"? To be sure, should I verify the access token by connecting to Facebook at server side too?
2- If not, how can a user be registered by using the Facebook login in a very safe way?
A similar question has been asked here, but there is no answer as a solution.
I have researched and finally decided to apply the following steps:
1- The app logins with Facebook and get access token, e-mail, name and userId.
2- The app connects to the API (the server side), sends the information gathered from Facebook
3- The server gets the access-token and verify it by using the following:
https://graph.facebook.com/me?access_token={ACCESS-TOKEN}
It returns the following:
{"name":"{USER-NAME}","id":"{USER-ID}"}
4- The servers checks whether the both user ids are same. If they are, it verifies the token is from Facebook and the information can be used for login/register.
5- The server checks whether the email/user id(fb id) exist at the system. If it doesn't, a user is created (the register process is trigged). If it does, login is set as success and the server returns the user information with access-token and refresh-token which are just generated.
6- The other operations are all performed by using those access and refresh tokens in the way of oAuth approach without connecting Facebook again.
Everytime the app is opened, AccessToken.getCurrentAccessToken() brings the access-token from Facebook. If it is null, user will see login screen. If it is not, the steps above will be applied.
Good Questions and Answers Related This Topic:
REST API for website which uses Facebook for authentication
Architecture Design - REST API to support Facebook Login done by Mobile app
About already existing users, merging operations, and data structure suggestions from Facebook itself :
Essential Guides of Facebook
Using Facebook Login with Existing Login Systems
I have a fully functional web app, where authentication was created using Passport. The application uses client-side, cookie-based session token. Basically, when a new session happens, the client's data is stored as Base64 AND signed client-side, so that the user cannot change it.
The login/pass mechanism obviously works 100% fine. Facebook, however, doesn't. The main issue is that in a web environment, the user is expected to get redirected to the Facebook page and which is passed the redirect URL to which the token is passed etc.
In a App environment, this doesn't happen: my (basic) understanding is that the client handles the whole oauth mechanism, and it is meant to provide the server with the userID and auth token -- which must then be checked by the server using a Facebook API.
So... is there a known "path" to go from "Web based Facebook login using passport" to "App based Facebook login using passport"? Or shall I not bother with Passport at all for the app side of things?
I'm making an Android app that authenticates users via the Facebook SDK. However I also need to authenticate to a remote server in order to pull in new data for this user.
What's the best way to do this?
Should I send the Facebook token to the remote server, then on the server use this to verify it's a valid token for this user and thus confirm the user's identity?
Should I do the previous, but generate and send back my own token for the user to use in the future?
If I later add Google authentication would something like this also work?
Thanks!
IMO, the best way would be
Authenticate user to Facebook from Android application
Get the FB auth token to the android app
Forward the authentication token & facebook UID from Android to web server
On web server, make Facebook API call with the submitted token, to verify the user
I am creating an Android app that uses Facebook SSO to login and I'm not sure how to authenticate with my own webservices after I login to FB. When a user first opens my app they login to Facebook, authorize my application some privileges, and continue into my app. This part works great, but now to use my app they need to create an account on my server and talk to my webservices.
Right now I have a call to an authenticate webservice on my server that adds their Facebook ID and other basic info into a database and at the same time does a Diffie–Hellman key exchange so any future calls to webservices can be encrypted by a shared key. But the problem is that very first initial call to create this account and create this shared key, how do I authenticate that? How do I know this person is really the one who just authenticated with Facebook and not just someone who found the URL for my webservice and is creating accounts and saving the keys?
Facebook SSO returns an access token. If you'd like, you can pass that along to your server and your server can make a call to the Facebook APIs to check that it's a valid access token for that user (eg by calling https://graph.facebook.com/me?access_token=ACCESS_TOKEN) -- if it is, you're good and have verified that the user is who they say they are (or is a hacker with enough access to have a valid auth token for your app for Facebook, at which point their identity has been compromised on Facebook's end).
I think you have to pass a password along with your basic info upon profile creation. All in all, the Facebook SSO only gives your client application the right to access the profile user, but it does not garantee your web services that the caller is the actual owner of this FB account. I am afraid that subsequent calls from the Android client to the web service needs to be authenticated via a normal user/name password ( different from the FB account ) if you want to be sure that the caller is the one who retrieved the key the first time ( no matter what Facebook profile he might be linked to ).
Is there any free single-signon mechanism for Android that gracefully works with non-webapps? Say, something along the lines of...
You launch my app and use it until it makes a request from the app server that requires authentication. It responds to that request with a random token that the server will associate with you for a short time.
The app presents you with a username field, a password field, and a submit button.
You enter your username and password. The app then forwards your username and hashed password, along with the token generated by the app server, to the login service.
The login service determines whether or not your username and password are valid. If they are, it digitally timestamps and signs the token, and returns the signed token to the app.
The app relays the signed token to the server.
The server checks the signature, satisfies itself that it's valid and signed by an authority it trusts, and proceeds as though the user had presented IT with a valid local username and password instead.
I suspect I'm just getting lost in nomenclature, but the impression I've gotten so far is that all the usual SSO providers -- Twitter, Facebook, etc -- only allow users to log in using a normal browser, and that you're either not allowed to do what I described, or they do something to make it effectively impossible with anything besides a normal browser (like dynamically creating the login form via Javascript in an effort to prevent developers from trying to use their own apps as a login facade).
Alternatively, does there exist any workflow like THIS...
You launch my app and use it until the web service requires you to log in. The app server generates a token and returns it to the app.
The app spawns a new browser via intent that sends you to the login provider's web site, passing the token via intent to the browser (and ultimately the provider) as a POSTed formvar.
You log in using the browser window, and the browser window closes -- returning you to my app.
The login provider signs the token, then sends it directly to my app server via HTTP POST so I can note its submission, verify the cert, and treat it as though it were instead a valid username and password submitted directly by the user to the app server himself.
Have you tried or think of using Firebase? https://firebase.google.com/docs/auth/?hl=es-419
It has some useful tools, you can sign-in with multiple social connectors and user/password as well, and they provide a library to integrate the whole UI and server flow, they even take advantage of google smart lock for you.
Take a look at https://github.com/firebase/FirebaseUI-Android I used it in a personal project and saved me a lot of time.
What you described in Alternatively section looks like Authorization Code using Proof Key for Code Exchange (PKCE) OAuth 2.0 grant
https://www.rfc-editor.org/rfc/rfc7636
The flow is the following:
Your app generates a random key (code_verifier) and it's transformed value (code_challenge) and navigates to authorization server with code_challenge as a parameter
Authorization server redirects back to your app with authorization code
Your app sends authorization_code and the code_verifier to the auth server to get the authorization token
Server uses authorization_code and the code_verifier (it already has code_challenge, so it can verify that code_verifier is correct) and then returns to your app with the token.
On the practical side of it you can use something like Auth0 to implement it in your app.
Use Android Account Manager for SSO.
Providing references below just for knowledge. You have to dig into account manager.
Android developer: https://developer.android.com/training/id-auth
Blog with example: https://www.zoftino.com/android-account-manager-&-create-custom-account-type