Is Facebook/Twitter using oAuth for their own apps? - facebook

Are services like Facebook and Twitter using the same OAuth mechanism for their own (mobile) apps as the rest of us? Or are they using some kind of "special mode" in OAuth which bypasses the permissions stuff etc.?
Would really like to know how they are authenticating their users.

Facebook is not using OAuth and has a special login/private API for its own purposes. Only Facebook is a first-class citizen for these APIs, and they don't need to bother with public APIs.

Facebook's iPhone, Android, etc. apps can log users in directly with username and password and create a new Facebook session directly, but other apps using the API need to use OAuth to get a user access token.
If you're using the Android or iPhone SDKs, this can be done without the user needing to log in again; they simply need to authorise the app in a dialog, which is rendered by the Facebook app and uses the session created by the Facebook-supplied app.

Yes, they use OAuth:
Twitter OAuth
Facebook OAuth

Facebook Connect is based on OAuth 2.0. In OAuth 2.0, SSL is required, while signatures are not required for the actual API calls once the token has been generated. It has only one security token.
Twitter uses 1.0a. OAuth 1.0 requires the client to send two security tokens for each API call and use both to generate the signature.

Related

Facebook native login experience using Authorization Code flow (Redirected to the Facebook native App instead of the browser) - IdentityServer4

I am working on some OAuth 2.0 standard and non-standard flows to allow some clients to take advantage of the SSO and give the users the native experience regarding the client that he/she is working on.
One of the clients is a Flutter app, so I followed the Authorization Code Flow with PKCE. The flow itself is pretty straightforward: open a browser so you can exchange the code from this front channel for the access token through a back channel. Things get a bit complex when trying to authenticate via an external provider like Facebook. From the OAuth standard, it's easy to just pass &acr_values=idp:Facebook.
The problem is that when trying to follow the Authorization Code Flow with PKCE, or even the old implicit flow, to get an access token through Facebook, it opens the browser to ask you to enter the Facebook username and password, but this is not the native experience. Instead of that, I want the web view to redirect the user to the app to authenticate via it instead of the browser, like what happens using the native Facebook SDK or Firebase SDK.
The only solution that I am following right now is a non-standard authentication flow that I implemented myself: use Flutter's Facebook SDK to get the Facebook token, then exchange this token for my IdentityServer4 token after that (described here), which seems a very user-friendly experience but is complex and at the same time not standard.
So, is there a way to use the Authorization Code Flow with PKCE to get the access token from IdentityServer4 using Facebook as an external provider, and use the Facebook app instead of the browser to authenticate, so we can give the user a native experience and follow the best OAuth 2.0 practices at the same time?
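The PKCE pair and the back-channel verifier check that the Authorization Code Flow in the question relies on, written out as an added example that is not part of the original post. The `AuthorizationServer` class is a hypothetical stand-in for the token endpoint, not IdentityServer4's API, and refusing the `plain` challenge method is this example's choice.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(raw: bytes) -> str:
    # RFC 7636 uses base64url encoding without padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the minimum verifier length allowed
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical token endpoint showing only the part PKCE adds (not IdentityServer4 code)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def issue_code(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Front channel: the browser/app sends code_challenge; the 'plain' method is refused here
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge)
        return code

    def exchange(self, code: str, client_id: str, code_verifier: str) -> Optional[dict]:
        # Back channel: the code is single-use, so it is removed whether or not the check passes
        entry = self._pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry[1]):
            return None  # verifier does not match the challenge bound to this code
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def native_app_login(server: AuthorizationServer, client_id: str) -> Optional[dict]:
    # What a public client (e.g. a Flutter app that holds no client_secret) does end to end
    verifier = make_code_verifier()
    code = server.issue_code(client_id, make_code_challenge(verifier))  # via the authorize redirect
    return server.exchange(code, client_id, verifier)                   # via the token endpoint
```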

OAuth 2.0 protocol in native Apps, e.g. Instagram

I am currently building an API for my native app and want to implement the OAuth 2.0 protocol for authentication. If I take a look at companies like Instagram, Facebook or Twitter, I wonder how they are handling the authentication process of their own native app (not third-party).
So Instagram, for example, is using the OAuth 2.0 protocol to protect their API endpoints (here). On their developer platform they offer you, as a third-party developer, the possibility to use their API and authenticate your own app via the Server-side (Explicit) or Implicit flow. All of these flows require the user to authenticate via an in-app browser (or system browser).
Like I said before, I am wondering how these apps handle authentication in their own apps. The user doesn't get redirected to any browser to authenticate. They could use the Explicit flow and store the client_id and client_secret, for example, in the Keychain (iOS). But Instagram is telling third-party developers: "You should never pass or store your client_id secret onto a client. For these situations there is the Implicit Authentication Flow."
I don't want the user to get redirected in my own app. The user should be able to use a login/signup form within the native app.
Does anyone have an idea or insights on how Instagram etc. are doing it? I am really curious and appreciate any helpful answer. :)

Difference Between OmniAuth Implementations for Facebook and Twitter

I'm a bit confused about how OmniAuth works for Facebook and Twitter. I notice when I use Twitter, I end up getting back credentials which include a token and a secret. My understanding is that Twitter will return the same set of keys for the same application keys.
For Facebook I notice that I only get back a single token. I would like to use this token to identify the user when they use my application, but my concern is that since I am only getting one token back, this is a short-lived token which might change.
I did some research to find out if Twitter supports OAuth 1.0 (which I'm quite certain Twitter uses).
Am I missing something? Is it a matter of Twitter and Facebook using different OAuth versions?
Twitter and Facebook do, in fact, use different versions of OAuth. Twitter uses OAuth 1.0A, while Facebook uses OAuth 2.0. These versions have different implementations.
For Twitter, there are two options for accessing the APIs via OAuth, application-only auth and application-user auth.
For details on Twitter's OAuth, check out https://dev.twitter.com/docs/auth/oauth
For details on how to obtain access tokens for Twitter APIs: https://dev.twitter.com/docs/auth/obtaining-access-tokens

REST Api Authentication per users in App

I am creating a REST API server. For each app I have provided an API key and secret. Example apps are a web app, a mobile app, or any other app that wants to use my API service. Now my API service will also need user authentication. How do I implement that? I have already done app authentication using HMAC signature generation. Now I need help on implementing user authentication on those apps.
I can recommend you use the OAuth or OAuth2 concept because it's standardized and widely adopted. You will also be able to allow users to log in with Facebook, Google account, etc.

linkedin connectivity from my native iphone application

Hello everyone, I am a newbie in iPhone development. I want to connect to LinkedIn from my native iPhone application, and I currently have no idea how to connect to it. Please guide me on how I could do that.
From http://www.zhangkf.com/2010/06/linkedin-developer-network-oauth-authentication/:
Yes, you can get connected with LinkedIn with your native application by following these simple steps:
1. You get an API key from LinkedIn. This is also called a Consumer Key in OAuth terminology.
2. You build a feature into your site that leverages the user's LinkedIn network.
3. Your user clicks on your UI to request to use that feature.
4. You make a call to LinkedIn to ask to use our authentication. This is called getting a Request Token.
5. LinkedIn replies with an OAuth Token indicating that you can use the authentication system.
6. You send your user to a LinkedIn URL. That URL includes the OAuth Token you got and a few other parameters such as a URL for LinkedIn to return the user to after granting access.
7. The user grants access to your application by signing into that page.
8. Upon successful signon, LinkedIn will return the user to your site.
9. You will then make a call to LinkedIn to get an Access Token.
10. LinkedIn replies with an Access Token for the user. You use that Access Token for any API calls to LinkedIn to identify the user on whose behalf you are making the call.
Or
Download the code from here; you could get it. Just provide your API Key and Secret Key:
http://github.com/ResultsDirect/LinkedIn-iPhone
Or see this for details:
http://developer.linkedin.com/docs/DOC-1008
This sample is 100% complete and working, just add your app key.
Built with the latest XCode 4.01.
Uses a UIWebView so you have the option of customizing the browser UI.
Uses JSON instead of XML, which is the preferred best practice for most cases
OAuth is heavily documented so you know what's happening
Tested with iPhone 4, iPad 1, and the simulator on iOS 4.x.
http://lee.hdgreetings.com/2011/03/iphone-oauth.html
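The "two security tokens ... used to generate the signature" from the OAuth 1.0a answer above, and the signed API call a client makes once it holds the Access Token from the LinkedIn steps, as an added example that is not code from any of the posts: HMAC-SHA1 signing per RFC 5849 on the client side, and the timestamp, nonce and signature checks a resource server performs. The consumer key/secret, token/secret, URL and the `ResourceServer` class are all constructed for this example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value) -> str:
    # RFC 5849 3.6: percent-encode everything except the RFC 3986 unreserved characters
    return quote(str(value), safe="")

def base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 3.4.1: encode each name/value, sort, join with & and =, then encode the whole list again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(url)}&{pct(normalized)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    # Both secrets form the HMAC-SHA1 key; the token secret is empty only for the request-token step
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string(method, url, params).encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def signed_params(method, url, consumer_key, consumer_secret, token, token_secret, extra=None):
    # Client side: oauth_* protocol parameters plus the request's own parameters, then the signature
    params = {"oauth_consumer_key": consumer_key, "oauth_token": token,
              "oauth_nonce": secrets.token_hex(16), "oauth_timestamp": str(int(time.time())),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0", **(extra or {})}
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

class ResourceServer:
    """Constructed server side: checks timestamp window, nonce reuse and signature before serving."""
    def __init__(self, consumers: dict, tokens: dict, window: int = 300):
        self.consumers, self.tokens, self.window = consumers, tokens, window  # key -> secret maps
        self.seen = set()  # (consumer_key, timestamp, nonce) already accepted, for replay detection

    def verify(self, method: str, url: str, params: dict, now=None) -> bool:
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        token_secret = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token_secret is None or not params.get("oauth_timestamp", "").isdigit():
            return False  # unknown consumer/token or malformed timestamp
        ts = int(params["oauth_timestamp"])
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.window:
            return False  # stale or far-future request
        replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return False  # nonce already used with this timestamp: replayed request
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False  # constant-time comparison; any tampering changes the base string
        self.seen.add(replay_key)
        return True
```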