Connect facebook phonegap login with django allauth

Question

I'm building up an app that should allow the user to sign up / sign in with Facebook and then he should be able to login (always via Facebook) to the "main" website

To be honest it's a bit more complicated than this. That's because I'm using django-tastypie and django-allauth in the main website to allow sign up, login, and browsing of our API

Basically I want to make the mobile app user browse the tastypie API (accessible only if logged and if you're an user in the main website) and grant him the rights to add rows (like orders)

Here's what I have

• A phonegap app with a working Facebook login (I'm working on that right now)
• A website with django-allauth and django-tastypie that makes me register as a new user using the allauth's Facebook login
• No trace on the main website if the mobile user is doing a sign up via Facebook (this is the problem)

I'm basically confused how I should work with access tokens and how to pass further parameters (I don't need only the Facebook infos to complete the registration, but some custom fields too)

Anyone got experiences on this or would like to expose his workflow?

Answer 1

One common way of doing things is to leave all registration related functionality up to the website. In your phonegap app you can simply point the user to /accounts/login/ using the In-App-Browser (IAB). The IAB has events like loadstart and exit that you should monitor. A simple way of monitoring whether or not the user is successfully logged in is to have him redirected to a specific url, say /accounts/login/complete/, at the end of the login. If you attach a token to that return url (as in /accounts/login/complete/?token=123) you will be able to parse that token in your app. You could simply use the session ID as a token.

A more secure way is to use the django-oauth2-provider app and actually implement a proper oauth handshake. Handling that is almost the same. Using IAB open /oauth/authenticate/, you will be asked to login using allauth, then an oauth2 confirmation dialog appears, after which the oauth grant code is passed to a success URL. You can pick that code up from phonegap and using AJAX calls from within the phonegap app you can fetch the oauth access token. Btw, django-rest-framework has builtin support for django-oauth2-provider (don't know about tastypie).

A completely different approach is to implement a Facebook login in your mobile app, completely independent from the web site. Once logged in you'll be handed over a Facebook access token. Now, you can send this token over to the web site. Given the token, the website can fetch the user (https://graph.facebook.com/me?access_token=...), check whether or not that user is already known, if so return an appropriate token/session for that user, if not, create the user account and also return a token.