I am developing a Facebook application for mobile platforms. The mobile part is being developed with PhoneGap and the server side is Python / Django.
The mobile app should be able to query Facebook API directly. Server should be able to query Facebook API on the users' behalf too. Thus the user should be authenticated both with Facebook and on the server (Django), and the server should have the user's Facebook authentication token.
What would be the best flow for authenticating the user on both sides? Is it reasonable to authenticate on Facebook via mobile app, then send the token to the server and create a django session on the server?
I had a similar requirement: jQueryMobile app with Ruby On Rails backend. In my case, I implemented the Facebook authentication on the backend using omniauth. The backend retrieves the Facebook access token and passes it to the jQueryMobile frontend. The frontend then uses JSONP to retrieve the user's friend list. The advantage of this approach is that there is a single point of authentication -- Facebook auth at the backend.
You can find a demo of my app and the full source code at http://csgrad.blogspot.com/2011/07/jquerymobile-app-with-facebook.html
Related
We developed a hybrid mobile application as a front-end integrated with a backend, which includes a Facebook OAuth service. With this setup, social authentication through the web browser works fine.
Now we would like to use the native Facebook app installed on the mobile device (instead of the web browser) to authenticate our users against our backend, but we can't find out how to implement the auth process.
Our backend follows OAuth2 of type "Authorisation Code Grant" (https://alexbilbie.com/guide-to-oauth-2-grants/) and, therefore, expects code and status parameters in the Facebook response (just like the first described auth). But on mobile, the Facebook SDK doesn't return these parameters, only an accessToken. Because of that, we can't implement the auth process in our backend.
Is it possible to perform the OAuth process using an accessToken instead of the authorization code? Or is it possible to obtain the code and status parameters from the accessToken parameter with the Facebook API?
I'm coding an API and trying to implement Facebook auth. My scenario: I have a front-end and a back-end, on different domains, i.e.:
Front:
http://myappfront.com
Back:
http://myapiback.com
The Front will authenticate with the JavaScript SDK and send just the user access token to the Back, and the Back will validate this token with the PHP SDK.
My question is:
Do I need two apps on Facebook, one for each domain? Will the authentication work with different apps?
Simplified background:
Website that allows users to upload and comment some content, let's say images (classic CRUD web application).
Three ways to sign in to the system: classic username/password form, Facebook Connect, OpenID (Google).
Public API that allows to read data from the system and create content (authenticated users).
Mobile (iOS/Android) application that uses API.
Problem:
Just like the website, the mobile application should provide FBConnect/OpenID authentication. However, I have absolutely no idea how to authenticate such a user in the website's public API.
How to create a secure authentication mechanism for a mobile application that uses FB/Google for its authentication and at the same time uses my API for authenticated users?
I was wondering if user access tokens that are received through one platform can be used to access and make facebook calls through another.
For example:
I have a mobile app and a web server that work together. A user signs in through facebook on the mobile app (through single-sign-on). The user then uses the mobile app in a way that an internal service requires that an external service call to facebook is necessary. The internal service relays this to the web server, and the web server makes the actual call to facebook.
Work flow:
User signs into mobile app
mobile app sends user access token + service call needed to web server
Web server makes external call to facebook and returns information to mobile app.
So in short, the mobile app is not making the facebook calls, but the web server is.
My question is that if I authenticate a user through the mobile app, can I pass (and store) the user's access token and use that to make calls to facebook through the web server?
The answer is yes.
I've done this successfully with mobile SDKs (Android & iOS) using the Facebook authentication to obtain an access token, then passing this access token to a PHP web application which successfully uses it with the PHP SDK client library.
The access token is also the only piece of information that needs to be transmitted.
As long as the application key and secret are the same on both clients, an access token should be valid on either.
I have a mobile app that allows users to login through facebook connect.
There is also a webservice that the mobile app will use.
Can the mobile app share its auth token with the webservice?
user login to facebook through mobile app
mobile app sends auth token to webservice
webservice queries facebook for user details
or would the mobile app query facebook and then pass the information to the webservice?
user login to facebook through mobile app
mobile app queries facebook for user details
mobile app sends details to webservice
Yes. The API doesn't care where you get the token from, as long as you're using the same AppID/Secret. This is commonly used in offline data access scenarios (user authenticates through web app, backend service updates in background). Do you have a specific example where this doesn't work?
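An added example, not part of any of the posts above: when the server accepts an access token from the mobile app, it can confirm through the Graph API `debug_token` endpoint that the token is valid and was issued to its own app before creating a session. The app id, user id and response bodies are constructed, and fetching the URL is left to the caller.

```python
import json
import time
from urllib.parse import urlencode

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"
OUR_APP_ID = "1234567890"  # constructed placeholder, not a real app id


class TokenRejected(Exception):
    """The token must not be used to create a server-side session."""


def debug_token_url(user_token, app_id, app_secret):
    # The server fetches this URL over HTTPS; "<app_id>|<app_secret>" is the
    # app access token, so the secret stays on the server only.
    query = {"input_token": user_token, "access_token": f"{app_id}|{app_secret}"}
    return GRAPH_DEBUG_URL + "?" + urlencode(query)


def check_debug_response(body, expected_app_id, now=None):
    """Return the Facebook user id the token is bound to, or raise TokenRejected."""
    now = time.time() if now is None else now
    try:
        data = json.loads(body)["data"]
    except (ValueError, KeyError, TypeError):
        raise TokenRejected("malformed debug_token response")
    if not isinstance(data, dict) or data.get("is_valid") is not True:
        raise TokenRejected("token is not valid")
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to a different app")
    expires_at = data.get("expires_at", 0)
    # Assumption: expires_at == 0 marks a token without expiry.
    if expires_at and expires_at <= now:
        raise TokenRejected("token has expired")
    if not data.get("user_id"):
        raise TokenRejected("token is not bound to a user")
    return str(data["user_id"])  # key the session on this, not on client-sent details


def _sample(app_id, is_valid=True, expires_at=2000000000):
    # Constructed response body in the shape debug_token returns.
    return json.dumps({"data": {"app_id": app_id, "is_valid": is_valid,
                                "expires_at": expires_at, "user_id": "1000001"}})


SAMPLE_OK = _sample(OUR_APP_ID)
SAMPLE_OTHER_APP = _sample("9999999999")
SAMPLE_INVALID = _sample(OUR_APP_ID, is_valid=False)

if __name__ == "__main__":
    print(check_debug_response(SAMPLE_OK, OUR_APP_ID, now=1700000000))
```

A token minted for a different Facebook app fails the `app_id` comparison even though Facebook itself reports it as valid, which is the case a server must reject when it accepts tokens handed over by a client.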