I'm developing a native mobile app for a custom, web-based social network app. We're building a REST API to communicate with the web server, and we've chosen OAuth2 as the authentication method (the grant_type=password flow).
The web-app allows users to login and signup using external services (ie. Facebook and Twitter). We need to allow the same also on the mobile app. The question is: how can we do that?
The Pinterest mobile app is able to manage the situation (see attached image). What is the flow that's been used here?
Do they behave like a classical OAuth-powered app (the mobile app acting as OAuth client directly with the Facebook API?). If so, then how can the mobile app be authenticated with the Pinterest server? Is it passing the Facebook OAuth access token as credentials?
Graphical representation of the problem (see the ????-labeled arrow):
Website API Mobile app Facebook OAuth
+ + +
| | |
| | /oauth2/token |
| +------------------------------>|
| | |
| | OAuth Access Token |
| |<-----------------------------+|
| | |
| ???? | |
|- - - - - - - - - - - - - -| |
| | |
| | |
| OAuth Access Token | |
|+------------------------->| |
| | |
| | |
| API Usage (w/ token) | |
|+------------------------->| |
|<-------------------------+| |
| | |
|+------------------------->| |
|<-------------------------+| |
| | |
| ... | |
+ + +
Update: This question is quite similar to mine. If this is the right path to follow, then couldn't the second+third step (the transmission of the Facebook token to our custom API, plus the validation of the token itself) be an additional OAuth2 grant type (ie. facebook_token)?
You can try using the fb access token you just retrieved at your mobile device (can be any other provider). Send it to your server, to a login/register/both web service. At the server side you can check who the user is by using the fb sdk and the access token, log the user in and send him the cookie/session.
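The flow this answer describes, combined with the question's idea of a second grant type next to grant_type=password, as an added example that is not code from the original post or from any Facebook SDK. The server-side token endpoint accepts either a username/password or a provider token; the call that would ask Facebook to inspect the token is replaced by an injected verifier so the example runs offline, and the identity it returns is modelled loosely on the fields Facebook's token inspection reports (app id, validity, user id, expiry). The app id OUR_FB_APP_ID, the token strings and the user names are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

OUR_FB_APP_ID = "123456789"  # constructed placeholder: the social network's own Facebook app id
ACCESS_TOKEN_TTL = 3600      # lifetime of the API's own tokens, in seconds


@dataclass
class ProviderIdentity:
    """What the provider reports about a token (assumed shape, not an SDK type)."""
    provider: str
    user_id: str
    app_id: str       # the app the token was issued to
    is_valid: bool
    expires_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class TokenEndpoint:
    # Injected verifier: (provider, token) -> ProviderIdentity. A real server would
    # call the provider's token-inspection API here instead of a local table.
    verify_provider_token: Callable[[str, str], ProviderIdentity]
    password_accounts: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # username -> (salt, hash)
    linked_accounts: Dict[Tuple[str, str], str] = field(default_factory=dict)       # (provider, uid) -> local uid
    issued: Dict[str, Tuple[str, float]] = field(default_factory=dict)              # our token -> (local uid, expiry)

    def register_password_user(self, username: str, password: str) -> str:
        salt = secrets.token_bytes(16)
        self.password_accounts[username] = (salt, hash_password(password, salt))
        return self._local_uid_for(("local", username))

    def handle(self, params: dict) -> dict:
        """POST /oauth2/token: dispatch on grant_type, like a normal OAuth2 token endpoint."""
        grant = params.get("grant_type")
        if grant == "password":
            return self._password_grant(params.get("username", ""), params.get("password", ""))
        if grant == "facebook_token":
            return self._provider_grant("facebook", params.get("token", ""))
        return {"error": "unsupported_grant_type"}

    def _password_grant(self, username: str, password: str) -> dict:
        record = self.password_accounts.get(username)
        if record is None:
            return {"error": "invalid_grant"}
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return {"error": "invalid_grant"}
        return self._issue(self._local_uid_for(("local", username)))

    def _provider_grant(self, provider: str, token: str) -> dict:
        try:
            ident = self.verify_provider_token(provider, token)
        except Exception:
            return {"error": "invalid_grant"}
        # The token must be live, unexpired and issued to OUR app: a valid token the same
        # user granted to some other app must not log them into this API.
        if not ident.is_valid or ident.expires_at <= time.time() or ident.app_id != OUR_FB_APP_ID:
            return {"error": "invalid_grant"}
        return self._issue(self._local_uid_for((provider, ident.user_id)))

    def _local_uid_for(self, key: Tuple[str, str]) -> str:
        # The provider token only identifies the user; the app then gets a token of our
        # own and never reuses the Facebook token as a credential for this API.
        if key not in self.linked_accounts:
            self.linked_accounts[key] = f"u{len(self.linked_accounts) + 1}"
        return self.linked_accounts[key]

    def _issue(self, local_uid: str) -> dict:
        token = secrets.token_urlsafe(32)
        self.issued[token] = (local_uid, time.time() + ACCESS_TOKEN_TTL)
        return {"access_token": token, "token_type": "bearer", "expires_in": ACCESS_TOKEN_TTL}

    def user_for_token(self, token: str):
        """Used by the API's other endpoints to resolve a bearer token (None if unknown/expired)."""
        entry = self.issued.get(token)
        return None if entry is None or entry[1] <= time.time() else entry[0]


# Constructed stand-in for Facebook's token inspection: a fixed table of fake tokens.
FAKE_FB_TOKENS = {
    "fb-good": ProviderIdentity("facebook", "fbuser-42", OUR_FB_APP_ID, True, time.time() + 3600),
    "fb-other-app": ProviderIdentity("facebook", "fbuser-42", "999", True, time.time() + 3600),
    "fb-expired": ProviderIdentity("facebook", "fbuser-42", OUR_FB_APP_ID, True, time.time() - 1),
}


def fake_verify(provider: str, token: str) -> ProviderIdentity:
    if provider != "facebook" or token not in FAKE_FB_TOKENS:
        raise ValueError("unknown token")
    return FAKE_FB_TOKENS[token]


def demo():
    ep = TokenEndpoint(verify_provider_token=fake_verify)
    ep.register_password_user("alice", "correct horse")
    results = {
        "password": ep.handle({"grant_type": "password", "username": "alice", "password": "correct horse"}),
        "wrong_password": ep.handle({"grant_type": "password", "username": "alice", "password": "x"}),
        "facebook": ep.handle({"grant_type": "facebook_token", "token": "fb-good"}),
        "facebook_again": ep.handle({"grant_type": "facebook_token", "token": "fb-good"}),
        "other_app": ep.handle({"grant_type": "facebook_token", "token": "fb-other-app"}),
        "expired": ep.handle({"grant_type": "facebook_token", "token": "fb-expired"}),
        "bogus": ep.handle({"grant_type": "facebook_token", "token": "nope"}),
        "unknown_grant": ep.handle({"grant_type": "twitter_token", "token": "x"}),
    }
    return results, ep
```

The check that matters most is the app id comparison: a provider token proves the user granted something to the app the token was issued to, so the server must confirm that app is its own before treating the token as a login. Logging in twice with the same provider user maps to the same local account but yields two independent API tokens, each with its own expiry.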
I'm not an iOS dev, but I'm currently developing a similar workflow in a .NET environment, using the open-source DotNetOpenAuth library. Maybe having a look at it can help.
First: the authentication methodology depends on the providers you want to support.
A few readings that may clarify:
http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
http://openid.net/get-an-openid/what-is-openid/
http://blog.bobcravens.com/2010/08/openid-and-oauth-using-dotnetopenauth-in-asp-net-mvc/
http://stackoverflow.com/questions/7996124/how-to-authorize-mobile-apps-with-a-third-party-by-oauth-but-connect-to-my-servi
Generic authentication workflow:
1. The web application starts by presenting an area that allows the user to select between various OpenID / OAuth providers.
2. Your application redirects to the provider’s server (after possibly adding some application information to the post data -- see the specific provider's API reference for details). Both OpenID and OAuth use a series of redirects to get the user authenticated. The key is that the authentication occurs on the provider’s site and that’s where the passwords are stored.
3. The user logs in to the selected provider, then a new redirection to your site occurs (via a callback URL mechanism).
4. This redirect includes information about the authenticated user that is supplied by the OpenID / OAuth providers. At minimum the redirect supplies a ‘username’ back to your application.
5. Use this information to verify whether the authenticated user can enter your site.
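The server side of steps 1 to 5, as an added example that is not code from the original answer or from DotNetOpenAuth. It builds the redirect to the provider with a random state value, validates that state when the callback arrives (a callback with an unknown or already-used state is rejected, which is what stops a forged callback from logging the browser into an attacker-chosen account), and only then exchanges the code and applies the site's own admission rule. The provider table, REDIRECT_URI, the fake code-for-profile exchange and the user names are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed provider registration: authorization endpoint and our client id there.
PROVIDERS = {
    "example-oauth": {"authorize_url": "https://provider.example/oauth/authorize",
                      "client_id": "our-client-id"},
}
REDIRECT_URI = "https://social.example/login/callback"  # constructed callback URL


class RedirectLogin:
    def __init__(self, exchange_code, is_user_allowed):
        self.exchange_code = exchange_code      # (provider, code, redirect_uri) -> {"username": ...}
        self.is_user_allowed = is_user_allowed  # step 5 policy: (provider, username) -> bool
        self.pending = {}                       # state -> provider; single use (normally kept in the session)

    def start(self, provider: str) -> str:
        """Steps 1-2: the URL to redirect the browser to after the user picks a provider."""
        cfg = PROVIDERS[provider]
        state = secrets.token_urlsafe(24)       # unguessable, echoed back by the provider
        self.pending[state] = provider
        query = urlencode({"response_type": "code", "client_id": cfg["client_id"],
                           "redirect_uri": REDIRECT_URI, "state": state})
        return f"{cfg['authorize_url']}?{query}"

    def callback(self, url: str) -> dict:
        """Steps 3-5: handle the provider's redirect back to REDIRECT_URI."""
        qs = parse_qs(urlparse(url).query)
        state = qs.get("state", [None])[0]
        provider = self.pending.pop(state, None)   # unknown or replayed state -> reject
        if provider is None:
            return {"error": "invalid_state"}
        if "error" in qs:                          # the user declined at the provider
            return {"error": qs["error"][0]}
        code = qs.get("code", [None])[0]
        if not code:
            return {"error": "missing_code"}
        try:
            profile = self.exchange_code(provider, code, REDIRECT_URI)
        except Exception:
            return {"error": "invalid_code"}
        username = profile["username"]             # step 4: identity supplied by the provider
        if not self.is_user_allowed(provider, username):
            return {"error": "access_denied", "username": username}
        return {"provider": provider, "username": username}


# Constructed stand-ins for the provider's code exchange and for our admission rule.
FAKE_CODES = {"code-alice": "alice", "code-mallory": "mallory"}


def fake_exchange(provider, code, redirect_uri):
    return {"username": FAKE_CODES[code]}


def allow_only_known(provider, username):
    return username in {"alice"}


def demo():
    login = RedirectLogin(fake_exchange, allow_only_known)
    redirect = login.start("example-oauth")
    state = parse_qs(urlparse(redirect).query)["state"][0]
    ok = login.callback(f"{REDIRECT_URI}?code=code-alice&state={state}")
    replay = login.callback(f"{REDIRECT_URI}?code=code-alice&state={state}")   # same state again
    forged = login.callback(f"{REDIRECT_URI}?code=code-mallory&state=guess")   # state never issued
    state2 = parse_qs(urlparse(login.start("example-oauth")).query)["state"][0]
    denied = login.callback(f"{REDIRECT_URI}?code=code-mallory&state={state2}")  # step 5 rejects
    return redirect, ok, replay, forged, denied
```

The state is consumed on first use, so a replayed callback fails the same way a forged one does; in a real deployment the pending table lives in the user's server-side session rather than in a shared dictionary.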