How to implement a safe Facebook login/register/connect web service for a mobile application?

I have a web REST API for a mobile application which supports classic signup/signin with user/password and token authentication.

Since the signup is without email confirmation, how could I implement a safe signup/signin/connect-with-Facebook service?

My first approach: I get from the mobile application facebook_id, facebook_email, facebook_name:

  • search for the user by Facebook; if it exists, return that user, else create a new user with these params

  • issue: I assume that a facebook_id can easily be found out by any other application, so nothing is stopping me from assuming I'm someone else and logging in with his facebook_id

  • possible solution: get the access_token also from the mobile application and check on the server side that the access_token is the correct one in relation to the facebook_email received

Another issue could be:

  • Person A creates a classic account with the [email protected] email
  • Person B, a week later, connects his Facebook account (with the same [email protected] email). The first idea would be to link the classic account with this Facebook account. But then Person B would take over Person A's account.

Optional: also, what is the best practice for token expiration on mobile applications? I've read something about 2 hours, but the Facebook application is still logged in after half a year, I think.

To ensure security, let's assume I can get anything important (access_token, email, ...) from the client side in my web service: what is the best practice that could ensure the best security in this case, even client-side rules? Should there be 2 distinct services for Login and SignUp? Anyway, a quick guideline/step-by-step flow would be perfect.

user1236048 asked May 22 '13 20:05

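The two server-side checks the question is circling around, as an added example that is not code from the question or the answer: the token presented by the mobile client is validated with Facebook before it is trusted, and an existing password account with a matching but unconfirmed e-mail address is never linked automatically. The code assumes the server has already called the Graph API `debug_token` endpoint (`GET /debug_token?input_token=<user token>&access_token=<app token>`) and holds the parsed JSON; the network call is omitted so the module runs offline. The app id, user records and JSON response below are constructed sample data.

```python
"""Server-side checks for a 'login with Facebook' endpoint (added example).

Assumes the caller has fetched Facebook's debug_token response for the
user token sent by the mobile client. APP_ID and all records are
constructed sample values, not real identifiers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

APP_ID = "123456789012345"  # constructed: this app's Facebook app id


@dataclass
class User:
    id: int
    email: str
    email_verified: bool                  # False for signups without confirmation
    password_hash: Optional[str] = None   # set for classic signups
    facebook_id: Optional[str] = None     # set once a Facebook account is linked


def verify_debug_token(debug: dict, claimed_facebook_id: str, now: int) -> Tuple[bool, str]:
    """Check a parsed debug_token response against what the client claimed.

    The token is trusted only if Facebook reports it valid, it was issued
    to *this* app (a genuine token for some other app proves nothing to us),
    it has not expired, and the user_id Facebook attaches to it equals the
    facebook_id the client sent. Returns (ok, reason).
    """
    data = debug.get("data", {})
    if not data.get("is_valid"):
        return False, "token not valid"
    if data.get("app_id") != APP_ID:
        return False, "token issued for a different app"
    if data.get("expires_at", 0) <= now:
        return False, "token expired"
    if data.get("user_id") != claimed_facebook_id:
        return False, "token belongs to a different Facebook user"
    return True, "ok"


def decide_login(users: List[User], facebook_id: str, fb_email: str) -> Tuple[str, User]:
    """Decide what to do once the token has been verified. Returns (action, user).

      "login"       - an account already linked to this facebook_id
      "link_needed" - a classic account with the same e-mail exists; its
                      address was never confirmed, so the match proves
                      nothing and the client must first prove ownership
                      with the account's password (this is the Person A /
                      Person B takeover in the question)
      "register"    - no matching account; create one linked to facebook_id
    """
    by_fb = next((u for u in users if u.facebook_id == facebook_id), None)
    if by_fb is not None:
        return "login", by_fb
    by_mail = next((u for u in users if u.email.lower() == fb_email.lower()), None)
    if by_mail is not None:
        return "link_needed", by_mail
    new_user = User(id=max((u.id for u in users), default=0) + 1,
                    email=fb_email, email_verified=False, facebook_id=facebook_id)
    users.append(new_user)
    return "register", new_user


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed debug_token response for a token the client claims is user 10001.
    response = {"data": {"app_id": APP_ID, "is_valid": True, "user_id": "10001",
                         "expires_at": now + 3600, "scopes": ["email", "public_profile"]}}
    print(verify_debug_token(response, "10001", now))   # (True, 'ok')
    print(verify_debug_token(response, "10002", now))   # claimed id does not match token
    store = [User(id=1, email="alice@example.com", email_verified=False, password_hash="...")]
    print(decide_login(store, "10001", "alice@example.com"))  # link_needed, not a takeover
```

The only identity the server trusts is the `user_id` inside Facebook's own answer; `facebook_id` and `facebook_email` sent by the client are treated as claims to be checked against it. Whether two distinct endpoints exist for login and signup matters less than the fact that both run the same `verify_debug_token` step before touching any account.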



1 Answer

Have you checked the Facebook Developer Login documentation? It covers the login flow and generating user & app tokens (by calling the FB SDK for JavaScript (FB.GetAuthResponse), in which case the AuthResponse includes a userID parameter that you can map your app's id to). Token expiration is also handled by the FB SDK. The Android login flow looks fairly straightforward, and the iOS login flow looks even simpler.

Jacob Stevens answered Sep 20 '22 21:09
