Facebook integration for mobile app with a backend REST API

Question

We're building mobile apps (iOS and Android) that require a REST API backend and integration with Facebook for authentication.

I'm still confused on what is the best architecture design for this kind of use case.

Main Question: Who is responsible for authenticating/authorizing with Facebook, client or server?

Option A: Client authenticates to FB. Client sends requests using the token it received from Facebook. Server uses that token to identify the user.

Option B: Server authenticates to FB in behalf of the client.

Additional notes (may be relevant or not):

• I'm developing the REST API part using Django.
• The app will need access to the user's Facebook friends so we can invite them to use the app.

Answer 1

You should go with option A.

• Authenticate with the client. Then you will receive an access token.
• Send this token to the server.
• Now you can create a user, fetch FB friends, and all other you might need.

If you are using django-rest-framework, you should have a look at the django-rest-auth package. It handles user login/creation on the server side using the access token.

https://django-rest-auth.readthedocs.org/en/latest/installation.html#social-authentication-optional