I have a mobile app that allows users to login through facebook connect.
There is also a webservice that the mobile app will use.
Can the mobile app share its auth token with the webservice?
user login to facebook through mobile app
mobile app sends auth token to webservice
webservice queries facebook for user details
or would the mobile app query facebook and then pass the information to the webservice?
user login to facebook through mobile app
mobile app queries facebook for user details
mobile app sends details to webservice
Yes. The API doesn't care where you get the token from, as long as you're using the same AppID/Secret. This is commonly used in offline data access scenarios (user authenticates through web app, backend service updates in background). Do you have a specific example where this doens't work?
Related
Is the fbid returned by Facebook Login API changes if 2 different Secret and App ID is used?
On my website the user gets to register himself using facebook details. I'm storing the fbid in the users table.
There's an iOS app for the site on which I allow the users to login using their facebook credentials. So I've coded an API which takes the fbid sent by the mobile app and checks if the fbid exits in the users table. If it's present then a token is sent to the mobile app with login successful message.
I've noticed that I get different fbid on web app and on mobile app for same facebook user.
I've created an APP on facebook using my facebook account and my friend who is developing the iOS app has created an APP on facebook from his own facebook account.
Example: I get fbid: 134200716970889 on web app and 140274429696834 on iOS app for a same facebook account.
Why do we get different fbid?
I'm using cakePHP for web app.
It is called "App Scoped ID", you get a seperate ID per App since v2.0 of the Graph API: https://developers.facebook.com/docs/apps/changelog#v2_0
You can use the Business Mapping API to map User IDs between different Apps: https://developers.facebook.com/docs/apps/for-business
I have a web application built with Spring and spring security that allows user to register ether via Facebbok or creating an account, in both cases an web app account is created. So the 2 registering methods are the following::
Registering directly on the web app: the username and password are stored in the db.
Registering via facebook: the user logins into facebook (Outh), the web app retrieve the data from facebook to fill the registration form. The web app prompt the user to create the webapp account. In my database I store web app user and facebook data (access token etc..), so that the second time I try to login I can match the facebook account with the web app account (I use spring social).
Now I'm creating a rest service for the mobile app and it requires authentication. I use the basic http auth to access the web services.
My question now is how to Log in a user in my web application using spring security?
What I thought was:
Mobile app logs into facebook and retrieve the access_token (no contact with the web application server yet)
Mobile app sends access token to the web app
Web app checks if the access token is valid ether with db or directly with facebook
In case is valid the access token, the app sends back to the mobile app the username and the password (could be encrypted with a private key algorithm)
Once receive the web app user and password the user is authenticated and this information are stored on the mobile and used for http auth.
Do you think this flow is secure? do you have other ideas?
Thank you in advance
I have a REST web service written in PHP that is part of a web site. This web site has users that can post data where have they traveled and rate the place. Mobile app. uses the web service to submit the travel details.
Can a user share his "travel data" on Facebook trough web service?
Goal, Use Case:
User on his phone selects a country, city .... rate it and submit the data, data is sent to web service that writes this data to DB and shared it on Facebook as the user of the web site that has FB membership).
Assumptions:
User should loggin trough the site and request a "permanent" token from Facebook, store it in DB.user_settings, use the token when data is sent from mobile app.
Update: Or, collect users FB username/pass in DB.user_settings and authenticate when web service method for posting data on FB is called.
Problem:
Token is not "permanent"
How to authenticate the user, and not send any credentials from the mobile app. concerning Facebook, but keep all the FB logic in web service?
(im interested in concept design/algorithm, not code)
I was wondering if user access tokens that are recieved through one platform can be used to access and make facebook calls through another.
For example:
I have a mobile app and a web server that work together. A user signs in through facebook on the mobile app(through single-sign-on). The user then uses the mobile app in a way that an internal service requires that an external service call to facebook is necessary. The internal services relays this to the web server, and the web server makes the actual call to facebook.
Work flow:
User signs into mobile app
mobile app sends user access token + service call needed to web server
Web server makes external call to facebook and returns information to mobile app.
So in short, the mobile app is not making the facebook calls, but the web server is.
My question is that if I authenticate a user through the mobile app, can I pass(and store) the users access token and use that to make calls to facebook through the web server?
The answer is yes.
I've done this successfully with mobile SDKs (Android & iOS) using the Facebook authentication to obtain an access token, then passing this access token to a PHP web application which successfully uses it with the PHP SDK client library.
The access token is also the only piece of information that needs to be transmitted.
As long as the application key and secret are the same on both clients, an access token should be valid on either.
I am developing a Facebook application for mobile platforms. The mobile part is being developed with PhoneGap and the server side is Python / Django.
The mobile app should be able to query Facebook API directly. Server should be able to query Facebook API on the users' behalf too. Thus the user should be authenticated both with Facebook and on the server (Django), and the server should have the user's Facebook authentication token.
What would be the best flow for authenticating the user on both sides? Is it reasonable to authenticate on Facebook via mobile app, then send the token to the server and create a django session on the server?
I had a similar requirement: jQueryMobile app with Ruby On Rails backend. In my case, I implemented the Facebook authentication on the backend using omniauth. The backend retrieves the Facebook access token and passes it to the jQueryMobile frontend. The frontend then uses JSONP to retrieve the user's friend list. The advantage of this approach is that there is a single point of authentication -- Facebook auth at the backend.
You can find a demo of my app and the full source code at http://csgrad.blogspot.com/2011/07/jquerymobile-app-with-facebook.html