I was reading this post here among others. I have an iOS app which connects to a LoopbackJS API. Users can register manually but I also want to allow Facebook authentication. I added the Facebook SDK and I can get a token and all that, but...
1) What is the best, most secure way to authenticate them with my existing API?
2) Do I use their Facebook information to create an account?
3) If so what do I use as the password?
4) Sites like Tinder don't ask me to add my own password, what are they doing? Storing some version of my token as the password in their API?
Loopback has Passport built in but the documentation is terrible and confusing and I am having a lot of trouble getting it to work with the iOS Facebook SDK.
I am currently building an API for my native App and want to implement the OAuth 2.0 protocol for authentication. If I take a look at companies like Instagram, Facebook or Twitter I wonder how they are handling the authentication process of their own native App (not third-party).
So Instagram for example is using the OAuth 2.0 protocol to protect their API endpoints (here). Related to their developer platform they offer you - as a third-party developer - the possibility to use their API and authenticate your own App via Server-side (Explicit) or Implicit flow. All of these flows require the user to authenticate via an In-App browser (or system browser).
Like I said before, I am wondering how these Apps are handling the authentication in their own Apps. The user doesn't get redirected to any browser to authenticate. They could use the Explicit flow and store the client_id and client_secret for example in Keychain (iOS). But Instagram is telling third-party developers "You should never pass or store your client_id secret onto a client. For these situations there is the Implicit Authentication Flow.".
I don't want the user to get redirected in my own App. The user should be able to use a login/signup form within the native App.
Does anyone have an idea or insights on how Instagram etc. are doing it? I am really curious and appreciate any helpful answer. :)
I'm writing an API for our product and I'm trying to understand how some basic OAuth works with regards to mobile apps that might leverage our (to be created) api.
Let's imagine that our website currently allows a person to log in to our site via Twitter OAuth.
On the callback from Twitter, our server retrieves the Twitter OAuth result and, if all good, then checks to see if this user already exists in our DB (e.g. let's assume the email is the unique key). If they don't exist, we create a new user.
Of course, we then log the user 'in', which means we create a cookie for them, for their browser.
So far - nothing new here. All normal stuff.
Now .. if we want to do this via an iPhone or Windows phone using their native language and the apps use our API, I'm not sure of the point where OAuth ends and our API takes over?
For example, let's pretend it's an iPhone app that takes advantage of our API.
The iPhone app will try to authenticate the user against their Twitter creds. Ok, fine. But when it calls back, it's back in the phone, right? Not our servers. So then the app needs to try and create a new user? So then the iPhone might try and call /api/CreateAccount. But this means -anyone- can call this API? And how does the website really know they have authenticated? Only because the app says so? What's to stop the person from creating a malicious app and calling our API by flooding it with new account creations? And what about authentication to API resources? Forms Authentication isn't available here. So do people use querystring authentication over SSL for API calls? How does the iPhone authenticate with -our- server?
I'm so confused.
Can anyone please explain the differences and common practices people are doing these days when they have a website and an api .. and use OAuth as the authentication mechanism, please?
The native app would call not CreateAccount, but VerifyAccount with Twitter's OAuth set of data so your site and API could verify it. The site would respond with a unique userID and your iOS app would use that as its internal user id. More info.
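The pattern described in this answer, and in the questions above about "what do I use as the password", as an added example that is not from any of the posters: the server verifies the provider token itself, keys the account on the provider's user id rather than on anything the app claims, and issues its own random API token whose hash is stored like a password hash. The verifier is a stub standing in for a real server-to-server check against the provider; all tokens and ids are constructed sample values.

```python
import hashlib
import secrets
import time

# Server-side stores. Accounts are keyed by (provider, provider_user_id);
# sessions are keyed by the SHA-256 of the API token, never the token itself.
USERS = {}
SESSIONS = {}
SESSION_TTL = 3600  # seconds an issued API token stays valid


def verify_facebook_token_stub(access_token):
    """Stand-in for a real server-to-server check of a provider token
    (done with the app's own credentials, never trusting the client).
    Returns (provider_user_id, display_name) or None. Constructed stub."""
    if access_token == "FBTOKEN-constructed-valid":
        return ("10001", "Alice")
    return None


def login_with_provider(provider, provider_token, verify, now=None):
    """Exchange a provider token for a session on OUR API.
    The app never gets to assert who it is; only the verified identity counts."""
    now = time.time() if now is None else now
    identity = verify(provider_token)
    if identity is None:
        return None  # invalid, expired, or issued to some other app: reject
    uid, name = identity
    key = (provider, uid)
    if key not in USERS:  # first login creates the account; no password exists
        USERS[key] = {"user_id": len(USERS) + 1, "name": name}
    user_id = USERS[key]["user_id"]
    # Issue our own unguessable token; persist only its hash, like a password.
    api_token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(api_token.encode()).hexdigest()] = {
        "user_id": user_id,
        "expires": now + SESSION_TTL,
    }
    return {"user_id": user_id, "api_token": api_token}


def authenticate_api_call(api_token, now=None):
    """Run on every API request carrying 'Authorization: Bearer <api_token>'.
    Returns the user_id, or None when the token is unknown or expired."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(hashlib.sha256(api_token.encode()).hexdigest())
    if sess is None or sess["expires"] <= now:
        return None
    return sess["user_id"]
```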
Are services like Facebook and Twitter using the same OAuth mechanism for their own (mobile) apps as the rest of us? Or are they using some kind of "special mode" in OAuth which bypasses the permissions stuff etc.?
Would really like to know how they are authenticating their users.
Facebook is not using OAuth and has a special login/private API for its own purposes. Only Facebook is a 1st class citizen for these APIs and they don't need to bother with public APIs.
Facebook's iPhone, Android, etc. apps can log users in directly with username and password and create a new Facebook session directly, but other apps using the API need to use OAuth to get a user access token.
If you're using the Android or iPhone SDKs, this can be done without the user needing to log in again; they simply need to authorise the app in a dialog, which is rendered by the Facebook app and uses the session created by the Facebook-supplied app.
Yes, they use OAuth.
Twitter oAuth
Facebook oAuth
Facebook Connect is based on OAuth 2.0. In OAuth 2.0, SSL is required while signatures are not required for the actual API calls once the token has been generated. It has only one security token.
Twitter uses 1.0a. OAuth 1.0 requires the client to send two security tokens for each API call, and use both to generate the signature.
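The OAuth 1.0a signing this answer contrasts with OAuth 2.0 bearer tokens, as an added example that is not from the answerer: every call carries both the consumer key and the user's token, and the HMAC-SHA1 signature is keyed with both the consumer secret and the token secret, so a leaked user token alone cannot forge a request. All keys, secrets, nonce and URL below are constructed sample values, not Twitter's.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s):
    """OAuth 1.0a percent-encoding: RFC 3986 unreserved characters only."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """params holds every oauth_* parameter plus query/body parameters,
    excluding oauth_signature. Keys and values are encoded, then sorted."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with BOTH secrets (the two-token property of 1.0a)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret):
    """Server side: recompute from the presented parameters and compare in
    constant time. Any change to method, URL, params or either secret fails."""
    presented = params.get("oauth_signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Constructed sample request (values are not from any real provider).
SAMPLE_URL = "https://api.example.com/1.1/statuses/update.json"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "ck-constructed",
    "oauth_token": "tok-constructed",
    "oauth_nonce": "n1",
    "oauth_timestamp": "1318622958",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
    "status": "Hello World!",
}
```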
Hello everyone, I am a newbie in iPhone development. I want to connect to LinkedIn from my native iPhone application. I currently have no idea how to connect to it; please guide me on how I could do that.
From http://www.zhangkf.com/2010/06/linkedin-developer-network-oauth-authentication/:
Yes, you can get connected with LinkedIn with your native application by following these simple steps:
1. You get an API key from LinkedIn. This is also called a Consumer Key in OAuth terminology.
2. You build a feature into your site that leverages the user's LinkedIn network.
3. Your user clicks on your UI to request to use that feature.
4. You make a call to LinkedIn to ask to use our authentication. This is called getting a Request Token.
5. LinkedIn replies with an OAuth Token indicating that you can use the authentication system.
6. You send your user to a LinkedIn URL. That URL includes the OAuth Token you got and a few other parameters such as a URL for LinkedIn to return the user to after granting access.
7. The user grants access to your application by signing into that page.
8. Upon successful signon, LinkedIn will return the user to your site.
9. You will then make a call to LinkedIn to get an Access Token.
10. LinkedIn replies with an Access Token for the user. You use that Access Token for any API calls to LinkedIn to identify the user on whose behalf you are making the call.
Or download the code from here; you could get it. Just provide your API key and secret key:
http://github.com/ResultsDirect/LinkedIn-iPhone
Or see this for details:
http://developer.linkedin.com/docs/DOC-1008
This sample is 100% complete and working, just add your app key.
Built with the latest XCode 4.01.
Uses a UIWebView so you have the option of customizing the browser UI.
Uses JSON instead of XML, which is the preferred best practice for most cases
OAuth is heavily documented so you know what's happening
Tested with iPhone 4, iPad 1, and the simulator on iOS 4.x.
http://lee.hdgreetings.com/2011/03/iphone-oauth.html
Firstly I understand OpenId is for authentication and OAuth is for authorisation and unlike other questions on the site I am not asking which should be used for which but whether anyone can advise a solution for my issue.
I want to allow users to login to my site via their LinkedIn/Twitter/Facebook account once logged in say via LinkedIn they could also then authorise their Twitter and Facebook account as a optional login method. This would allow the user to authenticate via any of the three but end up with their user account on my site as the end result.
I also want to use the authorisation they have provided to get basic user details (profile pic/name etc) and post status updates.
I don't want to ask a user to login with their account via openId then have to authorise the same account again via oauth to allow my site to publish to their service feed and have to do this for each of the 3 services.
Any ideas or issues to this issue?
If you are using ASP.NET MVC, DotNetOpenAuth is an excellent solution for supporting OpenID/OAuth sites. StackOverflow is using it, and they are quite picky for the code they use in the site.
The integration of OpenID with DotNetOpenAuth is quite straightforward. I have not tried OAuth, but I don't expect it to be of any less quality.
Unfortunately, Facebook does not support OpenID/OAuth, so you need to use a different solution for it. The one I use is Clarity Consulting's Facebook Developer Toolkit. It works, although I do have certain complaints about the quality of the code; unfortunately I haven't found anything better yet. (Note: If anyone knows a better alternative, by all means let me know)
The basic integration of Facebook Connect with the Facebook Developer Toolkit is also relatively straightforward. However, their object model is somewhat messed up, due to their attempt to stay as close to the Facebook APIs, so the HTTP API patterns are bleeding through a lot. Still, it does the work.
Update: Now that Facebook announced that they'll be supporting OAuth 2.0, DotNetOpenAuth might turn out to be the best solution.
Have you looked into RPX?
https://rpxnow.com/
I don't want to ask a user to login with their account via openId then have to authorise the same account again via oauth to allow my site to publish to their service feed and have to do this for each of the 3 services.
I'm afraid you'll have to connect the user's account to each of the 3 services individually. What platform are you using to build your app? If it's Ruby, then a gem like OmniAuth looks promising.