Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Design for Facebook authentication in an iOS app that also accesses a secured web service

Goal: Allow a user to authentication with Facebook into an iOS application which requires access to a protected web service that I'm running.

Assumptions: There is a native authentication (and registration) system in place for those users that opt not to use Facebook for sign in.

Details:

  • Assume we want to offer the option for a user to sign in with Facebook without creating a separate account/credential for our system.
  • Because we support our own native auth mechanism (username and password) we have our own user IDs and issue an authentication token that is used for subsequent interactions after the initial credential validation.

I'm surprised that Facebook doesn't have best practices for this in their developer documentation. All the existing documentation is either assuming you are building FB auth into a website, or a standalone mobile app with no service that requires authentication.

Here's my initial thoughts on how this would be designed but want validation on whether it's correct.

  1. Client pops the Facebook iOS Login
  2. UI User signs in with Facebook credentials and gets access token
  3. iOS App passes access token to our server
  4. Our server talks to FB graph API using access token to (a) validate the token and (b) get the FB user ID for that access token.

    e.g. Our server would call https://graph.facebook.com/me/?access_token=XYZ which would return profile info in a JSON object

  5. Assuming it's valid, our server extracts the User ID from the JSON object and checks whether the user already has an account. If so, we issue our own auth ticket to client to use for that session. If user doesn't have an account, we create a new one with the Facebook User ID, assign our own unique UserID and issue our auth ticket.

  6. Client then passes auth ticket back on subsequent interactions that need authentication.

This seems like the right approach to me but not sure if I'm missing something insanely basic and going down the wrong (complicated) path.

like image 994
TMC Avatar asked Jan 07 '11 09:01

TMC


People also ask

What kind of authentication does Facebook use?

When you set up two-factor authentication on Facebook, you'll be asked to choose one of three security methods: Tapping your security key on a compatible device. Login codes from a third party authentication app. Text message (SMS) codes from your mobile phone.

Does Facebook use token based authentication?

The Facebook SDKs for Android automatically manages user access tokens through the class com. facebook. AccessToken . You can learn more about obtaining a user access token by implementing Facebook Login for Android.

Does Facebook login use OAuth?

OAuth is also used when giving third-party apps access to accounts like your Twitter, Facebook, Google, or Microsoft accounts. It allows these third-party apps access to parts of your account.

How do I add OAuth to Facebook?

In the App Dashboard, choose your app and scroll to Add a Product Click Set Up in the Facebook Login card. Select Settings in the left side navigation panel and under Client OAuth Settings, enter your redirect URL in the Valid OAuth Redirect URIs field for successful authorization.


1 Answers

I just dealt with this myself, and here's the part that bit me:

In your step 5... It's possible for a user to register for an account with you entirely separate from their Facebook ID, right? Then some other time they log in with Facebook.... And you just created them a second account and lost their first one.

There needs to be a way to be logged in to your web service, then log in to facebook, and capture the association between the facebook ID and the local account.

Apart from that, your plan sounds solid.

Update: Facebook has added a doc outlining such a scenario HERE

like image 113
Dan Ray Avatar answered Oct 04 '22 20:10

Dan Ray