Wordpress Background (Mobile) Web Authentication - iphone

I'm building an iPhone app that, in part, allows the user to log in to, pull data, and post data back to a Wordpress site (more specifically, Buddypress). One way I'm considering approaching this problem is to use a series of UIWebViews to display the mobile-themed version of the site.
Ideally, I want the user to be able to, upon first-launch of the app, input their username and password, and then never have to do it again (functionally similar to tons of other social apps out there, like Facebook, Twitter, etc.)
Here's my question - obviously it is easy to store the user's login credentials, but how do I, in the background, establish an authenticated and persistant session with those credentials each time the app opens, so for the user, they are never presented with a login screen again, and can just use the app like normal?
Does anybody have any suggestions?

WordPress uses XMLRPC to authenticate. You can, on top of the API given, write your own codes to store credentials. Persistent session can then be made.
Read this FAQ : XML-RPC Support for WordPress

Related

iOS Development see if user is logged in and other user log in questions

I am working on my first app so I am not so experienced with this stuff yet. I have figured out how to send a POST request url to a php page and process the php to register a new user in the mySQL database or log in to the app by connecting to the database to see if the user exists.
First off, does that seem correct? To just send the request to register a user with text field variables and to log in by checking if the text field information exists in the database or should I be implementing some other ways to do this?
Second, What should I be doing once the user enters in his credentials in order to tell the app that the user is logged in so that if the app closes down and the user goes back to the app, it will automatically log the user back in.
That being said, the way this app is going to work (as of now) is the user will log into the app, and the log in view will go to a different view but then the user can log out and it will go back to the log in view. Once I can tell the app that the user is logged in, I should be able to tell the app that the user isn't logged in anymore.
How you implement your database security is up to you. I would recommend you route your authorization/updates/gets/posts to an API so you don't need a PHP "middle man" (unless the PHP is your API) and you can send requests directly to the API layer and handle the rest on the server.
As for the plain text part, it is a common security practice to encrypt passwords on the database. On the client side, I'd suggest using the Apple Keychain to store the username/password for future use. In iOS, this can be easily implemented using this Keychain Wrapper if you're using ARC or this one if you aren't.

What kind of Facebook authentication should I be implementing?

I have an app that can be accessed on mobile phones, both iOS and Android. The app has a social component to it, so people are sending data to and from my server.
I also have an interface for this app that will be accessible through Facebook.
When logging into the app via mobile device, using the native app for that device, one can just log in with standard username and password.
However, obviously if a user accesses the app in Facebook, they will expect to already be logged in since they are already logged into Facebook.
So I need to make it so that my app can take a log in from Facebook, pretty much automatically (?) for users who are coming at it from within Facebook.
Further, it's possible (dare I say "likely"?) a user might access the interface from both Facebook and one of the mobile versions of the app. In which case I need to be able to ensure that the username/password authentication they use on the device points to the same account associated with their Facebook login.
So... all that said... what kind of Facebook authentication should I be studying and implementing.? I'm looking at their documentation right now, and like all documentation, it's not easy to grasp. There is server-side (authentication code flow?) and client-side (implicit flow?), and authentication tokens, and I'm already a bit lost.
Also, I assume Facebook's approach is to want to take over my login in process completely, not live side by side with my mobile-device-only login, but I'd like to make sure users have the option of not using Facebook authentication if they don't want.
Can someone point me in the right direction for how to do this? Basically let me know which part of the documentation I should be focusing on.
And are there any gotchas I should watch out for?
Your server will receive a signed request when your app on facebook.com is loaded; from this you can find the FB uid of the user.
If you obtain the FB uid for users of your mobile device clients you'll be able to match your app's accounts between mobile device & facebook.com clients.
The bottom of the main authentication docs page gives links to further documentation for different client types. The main mobile authentication page has side-bar links to tutorials & SDKs for iOS & Android. Alternatively you could use the server-side OAuth flow as your devices have browsers that support this.
Once you've completed authentication on the mobile device it's simple to obtain the uid.
You can also use the Facebook authentication flow instead of your own username/password authentication.

Is Facebook Connect (Login) a good solution for an app to use?

I have seen many web apps supporting Facebook Connect...
But when i login through those apps sometimes the authentication is successful but nothing is returned to the app and the login page just goes to a blank page in that new windows and stops... The whole process fails... And this has not occurred once but many times...
So my question is:
Is Facebook Connect a good solution to use in apps or should i use something like Google Login or Twitter Login or OpenID or just a simple password based login or all of the things and let users choose what they want?
And if your answer is app the solutions then wont my database become messy and the app slower because it has look for more data now?
I know it depends on various factors but I just want your opinion, what would u choose and why?
Supporting Facebook connect as login function make sense only if your app has something to deal with Facebook (which is the most of our app today ;-)).
The behave of some app when sucessfully Authenticated and then Authorized is up to these app.
FB login give you all the tools to build you own user experience.
The things become a bit more difficult when you want to introduce FBConnect within already existing login base, while you have to find a way to bind the Identified FB user with your user account.

iPhone: Pass information from web page to app that's downloaded from App Store

I'm trying to glue information from a web page to an iPhone app that said web page suggests to download. I control both the web page and the downloadable app.
Scenario is like this:
User visits my web page, on which I recognize the user (he may have logged in, and I store his info in a cookie). I then present a link to him to an app in the App Store that he should download for "enhanced experience" of this web service of mine.
Now, when the user launches the downloaded app on his iPhone, I like to re-identify the user who previously visited said web page.
All would be easy if an iPhone app could read Safari's cookies. But it can't.
A somewhat lame solution could be that the web server stores the visitor's IP address and uses that to recognize him once he launches the iPhone app. But that's not reliable.
Another one would be to give the user a token (code) that he needs to remember and then re-enter in the app. Still quite awkward, I think.
Any better suggestions?
Simply put, you can't do this.
One thing you could consider is a custom URL scheme to launch the app. You could send the user an email that uses this custom link. However there's a couple of problems with this:
the user may not have the account that they used to register for your site set up on their iPhone. This might seem unlikely, but say the user signed up for your site 5 years ago with their Hotmail account and they have since switched to Gmail.
it's unlikely that the email would fit into their workflow. They would probably download the app and just launch it by touching the icon instead of clicking a link in a received email.
You could also put the custom URL as a link on your web page, but again, this won't fit into the workflow because they have to go to the App Store app to do the download.
Consider this - if you've got some sort of website that has an authentication step, it's probably a fair bet to say that the user is the type of person who already has an application such as Facebook installed on their iPhone. They are already used to the paradigm of having to enter their credentials into an application despite the fact that they may have already done it in Safari.
If you could read the unique iPhone device ID from javascript on your web page, you could look for that again when the application connected...
But I cannot find any means of reading this from Javascript in Mobile Safari, I thought I'd post in case there is a way now to give you another option to consider.
OK, we found a somewhat working solution: The html code can create a cookie. Later, when the app runs, it can't directly read that cookie, of course (due to the sandboxing of iPhone apps). However, it can connect to the server, then open a http URL pointing to the server and including a unique token that it has gotten from the server beforehand. This leads to launching Safari, accessing the server. The server can now read the aforementioned cookie and finally establish the connection with the help of the token.
Just stumbled over this question and I'm curious if you thought about using a UIWebView.
Where the question is - does UIWebView share cookies with safari?
If it does the rest should be easy.
UIWebView's DON'T share cookies with Safari. So unfortunately that is not an option.

How do I get the Twitter API to respect the callback parameter with OAuth?

I'm working on an iPhone app that ideally uses OAuth to communicate with Twitter. I know a lot of people are doing the OAuth workflow inside of their apps using a UIWebView, but I don't agree with that and am going with the Pownce approach.
The problem is, Twitter has this whole scheme for working with desktop apps, using a pin number. When I register my app with Twitter, they have a web form asking me if I'm a desktop or web client. If I choose desktop client, when I try to have the user authorize, I can set the oauth_callback parameter but Twitter will ignore it after authorization and show a pin number. If, on twitter's form, I specify that I'm a web client, it requires me to enter a URL to redirect to after authorization. And, since I'm using an iPhone app-specific url scheme, their web form fails on validation as it only seems to accepts URLs conforming to the HTTP protocol.
So, it seems like I'm stuck - I can't say "desktop" because I don't want to bother with a pin, and I can't say "web" or I can't use an iPhone app URL. Any solution to this?
From your question:
I know a lot of people are doing the OAuth workflow inside of their apps using a UIWebView, but I don't agree with that and am going with the Pownce approach.
The Pownce article suggests that quitting your application and opening Mobile Safari to perform the authentication step is problematic, and that they started receiving bad reviews from users for doing it that way. They also experienced a failure rate of around 40%.
Pownce's solution is to use a UIWebView within your application instead, so I have a feeling you may have misinterpreted their recommendations. That being said, they do label this as a "naive" solution and go on to suggest a bunch of theoretical "ideal" solutions.
Another point you might not realise is that desktop applications (using the "out of band" / pin number method) and web applications need to open the Twitter site in either an embedded or external browser.
So you've got two choices on the iPhone:
Open up twitter.com in a UIWebView, specifying no oauth_callback parameter or oauth_callback=oob to start the pin-based out-of-band flow. The user then needs to copy the pin using the iPhone's copy-paste functionality, manually close the UIWebView, and paste the pin into your application. The pin can then be used converted to an access token.
Do it how everyone else is doing it (UIWebView + custom-uri://foo.bar in the callback parameter).
For obvious reasons, the first option is pretty crap and really only useful on platforms where Twitter is unable to redirect to a custom URI.
A simple solution may be to create an HTTP page that always sends a 301 redirect to your custom URL scheme and then provide that HTTP URL to the twitter web API.
Aside from that, Nathan's answer is very complete.
Here's how I do it: tell Twitter you're a web app, and make up any old HTTP:// URL to satisfy Twitter during registration of your oauth client.
Then in your app, pass the URL you want to in the callback parameter. Twitter (in my experience) uses the one you give it.
You could use an intermediate website for the authentication. Your app creates a unique id (hardware based?) and stores it. It then records it has sent the user for authentication and sends the unique id to your website. It then redirects the user to your website. Your website then sends the user to Twitter using oAuth. The user returns to your website and you mark the unique id as authenticated and store the authentication information. The user restarts the app on the iPhone, it reads it has sent the user for authentication and contacts your website with the unique id - and reads in the authentication information.
Long winded and needs another website, but it should work.