Menu
I would like a Web site (Rails 3.1 with Devise and Omniauth) and a mobile application (iOS5) to share authentication. By this I mean I would like a user to be able to SSI to the site with Facebook, or SSI to the mobile application and have the mobile application talk to the website's API using the user's credentials to authenticate to the website.
I currently have the web side working nicely with a User being able to SSI to an account. I also have the mobile application working, supporting user SSI. Both are using the same Facebook application.
My problem is finding something shared between the two that I can use for the Mobile application to authenticate against the site. Obviously both have access to the same user ID, but this doesn't seem very secure. My mobile application has an Access Token, but this differs from the website's access token, though they look similar, and my mobile access token expires while my web access token does not.
Web/Rails Token (Not real):
DDDAKnu1dg40BDHEWN0VDssxs8GGF8ZBEEOb38HnS0IUEQC1NSufmPCcGeFkTuw39ZDl7OhlZBD2jwJEqXdAZCtZBflJRQKZB4ZA
Mobile/iOS Token (Not real)
BDDAKnu1dg40BDEo3YjZD2hIwjfZB4slXJj3fmHfzLh5q1xZD0ShfJCb6PMjnApkpM0FTuGGvWnzZBQy4GZCMuysEEqhMz8YgruD53TXKTZC0GPFkfVe0b6fe8wieLLOZDDZA
Using Facebook's access token debugger I get the following (Everything removed is identical between tokens):
For Web/Rails Token:
App ID:
XXXXXXXXXXXXXXXX : SomeAppName
User ID:
XXXXXXXX : My Name
Issued:
1327507734 : 8:08 am Jan 25 2012
Expires:
Never
Valid: True
Origin: Web
Scopes: email offline_access
For Mobile/iOS:
App ID:
XXXXXXXXXXXXXXXX : SomeAppName
Metadata: {"sso":"iphone-safari"}
User ID:
XXXXXXXX : My Name
Issued:
1327507734 : 8:08 am Jan 25 2012
Expires:
Never
Valid: True
Origin: Native Mobile
Scopes: email offline_access
473
Access tokens must be kept secret. If Client B obtains an access token issued to Client A, Client B can behave as if it were Client A.
In the App Dashboard, choose your app and scroll to Add a Product Click Set Up in the Facebook Login card. Select Settings in the left side navigation panel and under Client OAuth Settings, enter your redirect URL in the Valid OAuth Redirect URIs field for successful authorization.
Just for the record, the way I have ended up handling this is to pass the mobile token to the server and have the server check the token's authenticity. Once this is confirmed I can check authenticate against my records using uid and email.
99
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
