OAuth flow, iPhone -> Rails -> Facebook

I'm building an app with both a web client and an iPhone client.

On the web client I authenticate users through Facebook with Omniauth, and the user can then post actions from the app to Facebook. That works well.

I'm having some problems implementing the auth flow from the iPhone application.

I've set up Doorkeeper in the rails app as an OAuth provider. Although I'm not sure how the authentication flow should be implemented.

I've come up with this: the user logs in to Facebook on the iPhone and gets a token. The idea is then to send the token, along with the Facebook uid, to the Rails app, store it, and authenticate the user with Omniauth. Once the user is authenticated, generate a token with Doorkeeper and send it back to the iPhone app.

If it's the first time the user authenticates against the rails app, a new user will be created.

The user can then perform actions against a JSON API, and the Rails app will take care of the Facebook integration since the Facebook token is stored on the user record.

The application will also span several domains, so I'll need to have multiple Doorkeeper applications registered to provide different callback URIs.

Does this seem like a viable solution? Is it secure? Are there alternative flows / approaches?

Thanks.

Yeggeps asked Mar 06 '12 15:03



1 Answer

The solution I went with is summarized as follows:

  1. Client starts OAuth flow w/ Facebook (using login button etc.)
  2. Client gets auth token and posts back to server
  3. Server looks up user via FB API call w/ token
  4. Server does lookup/create of user based on FB id
  5. User is logged in if a user with FB id association lookup is successful

I have a diagram and more detail here: http://www.eggie5.com/57-ios-rails-oauth-flow

eggie5 answered Sep 28 '22 07:09
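The server side of the five steps above, and of the token-exchange design in the question, as an added Ruby example that is not part of the question or the answer and is not the code from the linked eggie5 post. It runs offline: `FakeGraphApi` is a constructed stand-in for Facebook's Graph API (the real server would call `GET /debug_token` and `GET /me` over HTTPS), `UserStore` stands in for the Rails `User` model, and `TokenExchange` plays the role Doorkeeper plays in the question by minting the app's own API token. The token values and the app id `123456` are constructed placeholders. The point it makes about "is it secure": the server derives the Facebook uid from Facebook's own answer about the token, never from the uid the phone sends, and it rejects a Facebook token that is valid but was issued to a different Facebook app.

```ruby
require 'securerandom'

# Raised when the Facebook token the client posted cannot be accepted.
class AuthError < StandardError; end

# Constructed stand-in for Facebook's Graph API so the example runs offline.
# Only the response shape of /debug_token and /me is mimicked.
class FakeGraphApi
  # token => [app_id the token was issued to, user id it belongs to]  (constructed)
  TOKENS = {
    'fb-token-alice'     => ['123456', 'fbuid-alice'],
    'fb-token-other-app' => ['999999', 'fbuid-alice'] # valid, but for another app
  }.freeze

  # Mimics GET /debug_token?input_token=...&access_token=APP_TOKEN
  def debug_token(token)
    app_id, uid = TOKENS[token]
    return { 'is_valid' => false } if app_id.nil?
    { 'is_valid' => true, 'app_id' => app_id, 'user_id' => uid }
  end

  # Mimics GET /me?access_token=...
  def me(token)
    _app_id, uid = TOKENS[token]
    raise AuthError, 'invalid token' if uid.nil?
    { 'id' => uid, 'name' => "User #{uid}" }
  end
end

# Minimal in-memory user table standing in for the Rails User model.
User = Struct.new(:id, :fb_uid, :name, :fb_token)

class UserStore
  def initialize
    @by_uid = {}
  end

  # Step 4: look up or create the user keyed on the Facebook uid.
  # Returns [user, created?].
  def find_or_create_by_fb_uid(fb_uid, name)
    if (u = @by_uid[fb_uid])
      [u, false]
    else
      u = User.new(@by_uid.size + 1, fb_uid, name, nil)
      @by_uid[fb_uid] = u
      [u, true]
    end
  end
end

# Steps 2-5: the endpoint the iPhone client posts its Facebook token to.
# It hands back an API token of our own (the role Doorkeeper plays in the question).
class TokenExchange
  def initialize(graph:, users:, app_id:)
    @graph = graph
    @users = users
    @app_id = app_id
    @api_tokens = {} # our token => user id
  end

  # Accepts only the Facebook token; a client-supplied uid is deliberately not a parameter.
  def exchange(fb_token)
    info = @graph.debug_token(fb_token)
    raise AuthError, 'token not valid' unless info['is_valid']
    # A valid Facebook token issued to some other app must not log anyone in here.
    raise AuthError, 'token issued to another app' unless info['app_id'] == @app_id

    # Step 3: the uid comes from Facebook's answer about the token, not from the phone.
    profile = @graph.me(fb_token)
    user, created = @users.find_or_create_by_fb_uid(profile['id'], profile['name'])
    user.fb_token = fb_token # kept server-side for later Facebook posting

    api_token = SecureRandom.hex(32)
    @api_tokens[api_token] = user.id
    { access_token: api_token, user_id: user.id, created: created }
  end

  # Resolves one of our API tokens on later JSON API requests; nil if unknown.
  def user_for(api_token)
    @api_tokens[api_token]
  end
end

if __FILE__ == $PROGRAM_NAME
  ex = TokenExchange.new(graph: FakeGraphApi.new, users: UserStore.new, app_id: '123456')
  p ex.exchange('fb-token-alice')
  begin
    ex.exchange('fb-token-other-app')
  rescue AuthError => e
    puts "rejected: #{e.message}"
  end
end
```

Calling `exchange` twice with the same Facebook token yields the same user with `created: false` the second time but a fresh API token each time; the other-app token and an unknown token both raise `AuthError`. In a real Rails app the `/debug_token` call needs the app access token (app id and secret), which is one more reason the check has to happen on the server rather than on the phone.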