I have a desktop client application 'C' and a server application 'S', both written in C++, residing on different machines. They currently communicate via TCP. Sensitive user-specific data is stored on 'S'.
The current login flow is the following: the user enters their credentials in 'C', they are sent encrypted to 'S', and 'S' compares them with the credentials it has in a special database 'D' for this user. If the credentials are valid, S gives the client the user-specific data. Otherwise, the connection is refused. The registration of new users is via a centralized web server that sends the credentials to 'S', and they are put in 'D'.
I want users of the client to be able to login via Facebook via a 'Login with Facebook' button on the current login screen (currently I have User and Pass only). I need only the login, no other integration. I will use the FacebookID number of the user as ID in the database D.
I read through the Facebook documentation, and what they recommend is to embed a web browser in the client, open the special auth dialog passing your app ID, and then listen to the URI change to get the access token from it (this is described at the end of the above documentation). This is exactly what I am planning to do. I already have a web browser embedded in the client. It will open the auth dialog there, listen to the URI change in the C++ code, and get the access token from the URI. Then the client will send the access token to the server 'S'. 'S' will make an HTTP request to Facebook, passing the access token, and Facebook will respond with the personal data of the user. 'S' reads the FacebookID of the user and puts it in the user database 'D' if it's not already there. If it is already there, the client is given the sensitive user-specific data.
In Solutions 1 and 2 the client will also have to pass a ClientID so the Server can identify it when it tries to connect.
Do you think my solution is good and secure enough compared to the other solutions? Is it secure to pass the access token from the client to the server? Do you see other potential issues with my solution?
Thanks in advance
OAuth is also used when giving third-party apps access to accounts like your Twitter, Facebook, Google, or Microsoft accounts. It allows these third-party apps access to parts of your account. However, they never get your account password.
In case you're wondering what OAuth2 is, it's the protocol that enables anyone to log in with their Facebook account. It powers the “Log in with Facebook” button in apps and on websites everywhere.
To me, it looks like a good approach as long as you are using https (which you do state that you will) to communicate from C to S.
I would suggest making different applications for each of the S servers you would deal with. For instance, when I develop an app, I have three Facebook apps. One for my local box. One for the test environment and one for production. So then store the app ID in an environment dependent config file.
Also, instead of using the current username field for the Facebook user ID, create a new one. That way existing people can still log in with their current credentials, and the ones who adopt the Facebook login can easily do so. This also gives you a quick way to determine which type of credentials each user has set up, making for easier checking of their credentials.
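The server-side step the question describes (S receives a token from C and asks Facebook who it belongs to) is where the security of this design is decided, because a token forwarded by the client proves only that some Facebook app issued it, not that it was issued to *your* app. The sketch below is an added example, not code from the question or the answer above, written in Python for readability even though S is in C++; the same logic carries over. It assumes Facebook's Graph API `debug_token` endpoint with the documented `data.is_valid`, `data.app_id`, `data.user_id` and `data.expires_at` fields, the `APP_ID|APP_SECRET` app access token form, and the `appsecret_proof` HMAC. The Graph API version string, the placeholder app ID and secret, the sample responses and the in-memory stand-in for database D are all constructed for the example.

```python
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders; a real deployment reads these from per-environment config,
# as the answer above recommends (one Facebook app per environment).
GRAPH_API = "https://graph.facebook.com/v19.0"   # version string is an assumption
APP_ID = "APP_ID_PLACEHOLDER"
APP_SECRET = "APP_SECRET_PLACEHOLDER"


def appsecret_proof(user_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the user token keyed with the app secret.

    Facebook accepts this as the 'appsecret_proof' parameter so that a leaked
    user token alone cannot be replayed against your app's Graph API calls.
    """
    return hmac.new(app_secret.encode(), user_token.encode(), hashlib.sha256).hexdigest()


def validate_debug_token_response(body: str, expected_app_id: str, now: int):
    """Return the Facebook user id if the token is valid *for our app*, else None.

    The app_id comparison is the important check: without it, a token issued to
    any other Facebook app would log its holder into our server S.
    """
    try:
        data = json.loads(body)["data"]
    except (ValueError, KeyError, TypeError):
        return None                                  # malformed or error response
    if data.get("is_valid") is not True:
        return None                                  # revoked, expired or garbage token
    if str(data.get("app_id")) != str(expected_app_id):
        return None                                  # token belongs to some other app
    expires = data.get("expires_at")
    # Assumption: 0 means a non-expiring token; anything else is a unix timestamp.
    if isinstance(expires, int) and expires != 0 and expires <= now:
        return None
    user_id = data.get("user_id")
    return str(user_id) if user_id else None


def fetch_debug_token(user_token: str, app_id: str, app_secret: str) -> str:
    """Network call to Facebook; not exercised offline. Uses the app access token
    (APP_ID|APP_SECRET), which must only ever live on S, never on the client."""
    app_token = f"{app_id}|{app_secret}"
    params = urllib.parse.urlencode({"input_token": user_token, "access_token": app_token})
    with urllib.request.urlopen(f"{GRAPH_API}/debug_token?{params}", timeout=10) as resp:
        return resp.read().decode()


def lookup_or_create_user(db: dict, facebook_id: str) -> dict:
    """Stand-in for database D, keyed on the Facebook id in its own column
    (separate from the username, as the answer suggests)."""
    record = db.get(facebook_id)
    if record is None:
        record = {"facebook_id": facebook_id, "created_at": int(time.time())}
        db[facebook_id] = record
    return record


# Constructed sample responses in the shape debug_token returns.
SAMPLE_VALID = json.dumps({"data": {"app_id": APP_ID, "is_valid": True,
                                    "user_id": "1000000000001", "expires_at": 2000000000}})
SAMPLE_FOREIGN_APP = json.dumps({"data": {"app_id": "999999", "is_valid": True,
                                          "user_id": "1000000000001", "expires_at": 2000000000}})
SAMPLE_INVALID = json.dumps({"data": {"app_id": APP_ID, "is_valid": False,
                                      "error": {"message": "constructed"}}})
SAMPLE_EXPIRED = json.dumps({"data": {"app_id": APP_ID, "is_valid": True,
                                      "user_id": "1000000000001", "expires_at": 1000}})


def demo(now: int = 1700000000) -> dict:
    """Run the four constructed responses through the validator; returns the
    resulting D contents so the behaviour can be checked without a network."""
    db = {}
    for body in (SAMPLE_VALID, SAMPLE_FOREIGN_APP, SAMPLE_INVALID, SAMPLE_EXPIRED):
        fb_id = validate_debug_token_response(body, APP_ID, now)
        if fb_id is not None:
            lookup_or_create_user(db, fb_id)
    return db


if __name__ == "__main__":
    print(demo())   # only the token issued to our own app creates a record
```

Only the first sample creates a record in D; the token issued to a different app is rejected even though Facebook reports it as valid, which is the check a server that simply calls `/me` with the forwarded token would miss.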