I was wondering if user access tokens that are recieved through one platform can be used to access and make facebook calls through another.
For example:
I have a mobile app and a web server that work together. A user signs in through facebook on the mobile app(through single-sign-on). The user then uses the mobile app in a way that an internal service requires that an external service call to facebook is necessary. The internal services relays this to the web server, and the web server makes the actual call to facebook.
Work flow:
User signs into mobile app
mobile app sends user access token + service call needed to web server
Web server makes external call to facebook and returns information to mobile app.
So in short, the mobile app is not making the facebook calls, but the web server is.
My question is that if I authenticate a user through the mobile app, can I pass(and store) the users access token and use that to make calls to facebook through the web server?
The answer is yes.
I've done this successfully with mobile SDKs (Android & iOS) using the Facebook authentication to obtain an access token, then passing this access token to a PHP web application which successfully uses it with the PHP SDK client library.
The access token is also the only piece of information that needs to be transmitted.
As long as the application key and secret are the same on both clients, an access token should be valid on either.
Related
I'm coding an API and trying implements the Facebook Auth. My scenery, I've front-end and the back-end, both in different domain. i.e:
Front:
http://myappfront.com
Back:
http://myapiback.com
The Front will authenticate with Javascript SDK and send to Back just the User access Token, and Back will validate this Token with PHP SDK.
My question is:
I need two apps on Facebook for each domain? The authentication will works with different APPs?
I have a web application built with Spring and spring security that allows user to register ether via Facebbok or creating an account, in both cases an web app account is created. So the 2 registering methods are the following::
Registering directly on the web app: the username and password are stored in the db.
Registering via facebook: the user logins into facebook (Outh), the web app retrieve the data from facebook to fill the registration form. The web app prompt the user to create the webapp account. In my database I store web app user and facebook data (access token etc..), so that the second time I try to login I can match the facebook account with the web app account (I use spring social).
Now I'm creating a rest service for the mobile app and it requires authentication. I use the basic http auth to access the web services.
My question now is how to Log in a user in my web application using spring security?
What I thought was:
Mobile app logs into facebook and retrieve the access_token (no contact with the web application server yet)
Mobile app sends access token to the web app
Web app checks if the access token is valid ether with db or directly with facebook
In case is valid the access token, the app sends back to the mobile app the username and the password (could be encrypted with a private key algorithm)
Once receive the web app user and password the user is authenticated and this information are stored on the mobile and used for http auth.
Do you think this flow is secure? do you have other ideas?
Thank you in advance
I would like to implement an iOS app with Facebook login. I would like the users of my app to be able to interact with their social graph (i.e. post to their stream). For that purpose I would use the Facebook iOS SDK.
When the users are already authenticated with Facebook, they also should be able to use some services on the server side of my application. How can I verify a user against the services on my server?
In my iOS app I can query the access token (for my Facebook application) using the iOS Facebook SDK. Should I send that access token together with the facebook user ID to my server? Can the server verify whether the access token is valid? Or should only my iOS App communicate with the Facebook API? Can the server post to my Facebook wall, or should this be done exclusively throught the iOS app?
UPDATE:
Facebook now provides a security documentation / checklist:
https://developers.facebook.com/docs/facebook-login/security/
You have at least two options:
Send the access token to your Server and handle all requests to Facebook
using that token (if the token is invalid you get an error and just
pass it on to the client). => Safe but (a little) complicated.
Separate the communication between
your client (iOS App) and the Facebook API and
your Client and your Server.
Your app would handle all requests to the Facebook API through the Facebook iOS SDK and then communicate the resulting data, like all kind of Facebook ids, to your Server. This approach is totally insecure without some sort of encryption; you could send some cryptographic hash function to your server and validate it with a key stored on your server and the iOS App. => This method is (a little) easier to implement however less secure since the key can be stolen through reverse engineering. Moreover you would have to check the "I'm using encryption" check mark when submitting your app to the app store.
It actually depends on how much risk you are willing to take, what kind of requests you make, what kind of services you have and so on.
Can the server verify whether the access token is valid?
Yes, look here: Facebook access token server-side validation for iPhone app
Assuming it is possible to transfer the Facebook API access token from some web app to my mobile app (via physical storage or network), will my mobile app be able to use that token as a regularly acquired token (as if the mobile app itself requested the token from Facebook)?
Is this procedure allowed in the Facebook API's terms of service?
Will the mobile app be able to cache that transferred token and use it as its own?
Basically, what I want is for the user to do Facebook Login and authenticate on one machine, and use the acquired token on a different one (e.g mobile app).
Is there a better way of doing this?
You can set your mobile app to go through facebook's oauth steps onload and if the user has already authenticated the app, he will get logged in right away, since you'll get an access token at this point of time, save that in the mobile app.
Automatic login triggers are now being used on both stackoverflow and quora. (if you sign up here through facebook, when you visit the site, you'll get signed in again - same for quora).
Also, access tokens grant access to a particular 'facebook app'. If your mobile app uses the same app id, then you can certainly reuse the same access token on the mobile device.
yep, we can reuse it. I got an access token from mobile app then it's applicable on web browser.
I am developing a Facebook application for mobile platforms. The mobile part is being developed with PhoneGap and the server side is Python / Django.
The mobile app should be able to query Facebook API directly. Server should be able to query Facebook API on the users' behalf too. Thus the user should be authenticated both with Facebook and on the server (Django), and the server should have the user's Facebook authentication token.
What would be the best flow for authenticating the user on both sides? Is it reasonable to authenticate on Facebook via mobile app, then send the token to the server and create a django session on the server?
I had a similar requirement: jQueryMobile app with Ruby On Rails backend. In my case, I implemented the Facebook authentication on the backend using omniauth. The backend retrieves the Facebook access token and passes it to the jQueryMobile frontend. The frontend then uses JSONP to retrieve the user's friend list. The advantage of this approach is that there is a single point of authentication -- Facebook auth at the backend.
You can find a demo of my app and the full source code at http://csgrad.blogspot.com/2011/07/jquerymobile-app-with-facebook.html