
I would like to allow users to log in to my site with OAuth (Facebook/Twitter), but I'm having trouble understanding how the security model works if I authenticate them client-side.

When the users authenticate, I receive a redirect with their authToken and ID. A lot of answers suggested using the ID to query/store the user's info in my database, but that is insecure, since anyone can potentially know the ID and retrieve anyone's data.

Should I use the authToken from the server to check that it's valid and matches the ID? Or is it assumed that the only way to log users in to my site is to use server-side authentication?

Thanks,

-gene

gene

After reading some more, I think the proper course of action is to send the authToken and ID to the server, and have the server validate the ID using the token. There's an example of the API for Facebook in the answers here: http://stackoverflow.com/questions/5406859/facebook-access-token-server-side-validation-for-iphone-app – gene Apr 28 '13 at 19:31

1 Answer

Actually, it can't be safe to do OAuth on the client side. Storing the access_token on the client side is OK; it is essentially a ticket, which can be destroyed or expire. You can use the user access_token to exchange for the user id (graph.facebook.com/me), which is also safe, since user ids within Facebook are free to get.

What is not safe is your app access token, which needs your app_id and app_secret to exchange via graph.facebook.com/oauth/access_token; this must be saved on the server side.

promenade
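The server-side check gene describes in his comment (client posts the token and the ID, the server confirms they belong together) and the answer's point that the app access token must never leave the server fit together in one routine. The following is an added example written for this page, not code from either poster. It assumes the Graph API's `client_credentials` exchange at `/oauth/access_token` (named in the answer) and the `/debug_token` endpoint (not mentioned in the thread) for inspecting the user token; the `fetch` parameter exists so the example can run offline against the constructed responses at the bottom instead of graph.facebook.com.

```python
import hmac
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"


def http_get_json(url):
    """Default fetcher: GET a Graph API URL and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def verify_facebook_login(client_token, claimed_user_id, app_id, app_secret,
                          fetch=http_get_json):
    """Server-side check of a token the browser obtained from Facebook.

    Returns the /me profile dict if the token is valid, was issued for *our*
    app, and belongs to the user the client claims to be; otherwise None.
    The client-supplied id is never trusted on its own.
    """
    # 1. App access token: needs app_id + app_secret, so it is only ever
    #    built here on the server and never shipped to the browser.
    q = urllib.parse.urlencode({"client_id": app_id, "client_secret": app_secret,
                                "grant_type": "client_credentials"})
    app_token = fetch(f"{GRAPH}/oauth/access_token?{q}").get("access_token")
    if not app_token:
        return None

    # 2. Ask Facebook what the client's token really is. /debug_token is an
    #    assumption of this example (not in the thread); it reports which app
    #    the token was issued to and which user it belongs to.
    q = urllib.parse.urlencode({"input_token": client_token, "access_token": app_token})
    data = fetch(f"{GRAPH}/debug_token?{q}").get("data", {})
    if not data.get("is_valid"):
        return None
    if str(data.get("app_id")) != str(app_id):
        return None  # a valid token, but issued for somebody else's app
    token_user = str(data.get("user_id", ""))
    if not hmac.compare_digest(token_user, str(claimed_user_id)):
        return None  # client claimed an id the token does not belong to

    # 3. Only now fetch the profile, using the user's own token.
    q = urllib.parse.urlencode({"access_token": client_token, "fields": "id,name"})
    me = fetch(f"{GRAPH}/me?{q}")
    if str(me.get("id")) != token_user:
        return None
    return me


# --- constructed offline stand-in for graph.facebook.com (no real data) ----
FAKE_APP_ID = "111111"
FAKE_RESPONSES = {
    "/oauth/access_token": {"access_token": "APP_TOKEN_PLACEHOLDER"},
    "/debug_token": {"data": {"is_valid": True, "app_id": FAKE_APP_ID,
                              "user_id": "4242", "expires_at": 1700000000}},
    "/me": {"id": "4242", "name": "Example User"},
}


def fake_fetch(url):
    """Stand-in fetcher that answers from the constructed table above."""
    path = urllib.parse.urlparse(url).path
    return FAKE_RESPONSES[path]


if __name__ == "__main__":
    ok = verify_facebook_login("USER_TOKEN_PLACEHOLDER", "4242", FAKE_APP_ID,
                               "secret-placeholder", fetch=fake_fetch)
    bad = verify_facebook_login("USER_TOKEN_PLACEHOLDER", "9999", FAKE_APP_ID,
                                "secret-placeholder", fetch=fake_fetch)
    print("matching id ->", ok)
    print("forged id   ->", bad)
```

Two details matter for the question asked. The ID the browser sends is only used as a claim to compare against what Facebook says the token belongs to, so knowing someone's public ID gains nothing without their token. The `app_id` comparison closes a second gap: a user token from some other application can be perfectly valid yet still must not log anyone in to this site.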