I have a web REST API for a mobile application which supports classic signup/signin with user/password and token authentication.
Since the signup is without email confirmation, how could I implement a safe signup/signin/connect with the Facebook service?
My first approach: I get from the mobile application facebook_id, facebook_email, facebook_name: search the user by facebook_id; if it exists, perfect, return that user, else create a new user with these params.
issue: I assume that a facebook_id can be easily found out by any other application, so nothing is stopping me from assuming I'm someone else and logging in with his facebook_id.
possible solution: get the access_token also from the mobile application and check on the server side that the access_token is the correct one in relation with the facebook_email received.
Another issue could be: [email protected] email [email protected] email). The first idea would be to link the classic account with this Facebook account. But then Person B would take over Person A's account.

Optional: also, what is the best practice for token expiration on mobile applications? I've read something about 2 hours, but the Facebook application is still logged in after half a year, I think.
For assuring the security, let's assume I can get anything important (access_token, email, ...) from the client side in my web service: what is the best practice that could ensure the best security in this case, even with client-side rules? Should there be 2 distinct services for Login and SignUp? Anyway, a quick guideline/step-by-step flow would be perfect.
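The server-side check the question is reaching for, as an added example that is not part of the original post or of any Facebook SDK: the mobile client sends the Facebook user access_token together with the facebook_id it claims; the server validates the token with the Graph API's /debug_token endpoint (called with the app access token `app_id|app_secret`), confirms the token was issued to this app for the claimed user, reads the profile itself from /me (with the `appsecret_proof` the Graph API accepts), and only then decides between login, signup and linking. The Graph API version in the URL, the app credentials, the `User` record and the `fake_graph_get` stand-in that replaces real HTTP calls so the code runs offline are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

GRAPH = "https://graph.facebook.com/v19.0"  # assumed API version
APP_ID = "123456789012345"                  # hypothetical app credentials; the
APP_SECRET = "app-secret-from-dashboard"    # secret never ships in the mobile app

@dataclass
class User:                                 # assumed shape of the local account
    id: int
    email: str
    email_verified: bool
    password_hash: Optional[str] = None
    facebook_id: Optional[str] = None

class FacebookAuthError(Exception):
    pass

def appsecret_proof(user_token: str) -> str:
    """Graph API appsecret_proof: HMAC-SHA256 of the user token keyed with the app secret."""
    return hmac.new(APP_SECRET.encode(), user_token.encode(), hashlib.sha256).hexdigest()

def verify_facebook_token(user_token: str, claimed_fb_id: str,
                          http_get: Callable[[str, dict], dict]) -> dict:
    """Return the profile Facebook vouches for, or raise FacebookAuthError.

    facebook_id/email/name sent by the client are untrusted (any app can learn a
    facebook_id); only a token issued to *our* app for the *claimed* user proves anything.
    """
    debug = http_get(f"{GRAPH}/debug_token", {
        "input_token": user_token,
        "access_token": f"{APP_ID}|{APP_SECRET}",  # app access token
    })
    data = debug.get("data", {})
    if not data.get("is_valid"):
        raise FacebookAuthError("token invalid or expired")
    if data.get("app_id") != APP_ID:
        raise FacebookAuthError("token issued to a different app")
    if data.get("user_id") != claimed_fb_id:
        raise FacebookAuthError("token belongs to someone else")
    # Read the profile with the token itself instead of trusting client-sent fields.
    profile = http_get(f"{GRAPH}/me", {
        "fields": "id,email,name",
        "access_token": user_token,
        "appsecret_proof": appsecret_proof(user_token),
    })
    if profile.get("id") != claimed_fb_id:
        raise FacebookAuthError("profile does not match token")
    return profile

def resolve_account(users: list, profile: dict) -> tuple:
    """Map a verified profile to a local account: login, signup, linked, link_requires_password."""
    fb_id, email = profile["id"], (profile.get("email") or "").lower()
    for u in users:                       # 1. already connected: plain login
        if u.facebook_id == fb_id:
            return "login", u
    for u in users:                       # 2. a password account with the same email
        if email and u.email.lower() == email:
            if u.email_verified:          # address proven to belong to this person
                u.facebook_id = fb_id
                return "linked", u
            # Signup had no email confirmation, so Person B may have registered with
            # Person A's address: refuse to auto-link, ask for that account's password.
            return "link_requires_password", u
    new = User(id=len(users) + 1, email=email, email_verified=False, facebook_id=fb_id)
    users.append(new)                     # 3. first visit: create the account
    return "signup", new

def login_with_facebook(users: list, user_token: str, claimed_fb_id: str,
                        http_get: Callable[[str, dict], dict]) -> tuple:
    """One endpoint serves signup, login and connect; the token check decides which."""
    try:
        profile = verify_facebook_token(user_token, claimed_fb_id, http_get)
    except FacebookAuthError as exc:
        return "rejected", str(exc)
    return resolve_account(users, profile)

# Constructed stand-in for the Graph API so the example runs offline:
# token -> (app the token was issued to, profile it grants access to).
FAKE_TOKENS = {
    "tok-alice": (APP_ID, {"id": "1001", "email": "alice@example.com", "name": "Alice"}),
    "tok-foreign": ("999", {"id": "1001", "email": "alice@example.com", "name": "Alice"}),
}

def fake_graph_get(url: str, params: dict) -> dict:
    if url.endswith("/debug_token"):
        tok = params["input_token"]
        if params["access_token"] != f"{APP_ID}|{APP_SECRET}" or tok not in FAKE_TOKENS:
            return {"data": {"is_valid": False}}
        app_id, profile = FAKE_TOKENS[tok]
        return {"data": {"is_valid": True, "app_id": app_id, "user_id": profile["id"]}}
    if url.endswith("/me"):
        tok = params["access_token"]
        if tok not in FAKE_TOKENS or params.get("appsecret_proof") != appsecret_proof(tok):
            return {"error": "invalid token or appsecret_proof"}
        return dict(FAKE_TOKENS[tok][1])
    raise ValueError(url)
```

With this shape a single endpoint covers signup, login and connect, so two distinct services are not needed; the decision is taken from the verified profile, not from which button the client pressed. A token that belongs to another user, that was issued to another app, or that has expired is rejected before any account is touched, and an email match against a password account whose address was never confirmed yields `link_requires_password` instead of a silent takeover. On expiry: the 2-hour figure is Facebook's short-lived user token, which the SDK exchanges for a long-lived one, whereas the session token your own API hands out after this check is yours to expire on whatever schedule suits the app.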
Under Products in the App Dashboard's left side navigation menu, click Facebook Login, then click Settings. Verify the Valid OAuth redirect URIs in the Client OAuth Settings section.
Signing in with Facebook is safe, but there is the potential for scams. Hackers can set up fake sites that look like Facebook logins to try and steal your credentials. It's a form of “phishing.”
Have you checked the Facebook Developer Login documentation? They cover the login flow and generating user & app tokens (by calling the FB SDK for JavaScript (FB.GetAuthResponse), in which case the AuthResponse includes a userID parameter that you can map your app's id to). Token expiration is also handled by the FB SDK. The Android login flow looks fairly straightforward, and the iOS login flow looks even simpler.