We're building mobile apps (iOS and Android) that require a REST API backend and integration with Facebook for authentication.

I'm still confused on what is the best architecture design for this kind of use case.

Main Question: Who is responsible for authenticating/authorizing with Facebook, client or server?

Option A: Client authenticates to FB. Client sends requests using the token it received from Facebook. Server uses that token to identify the user.

Option B: Server authenticates to FB on behalf of the client.

Additional notes (may be relevant or not):

  • I'm developing the REST API part using Django.
  • The app will need access to the user's Facebook friends so we can invite them to use the app.
Noel Llevares
  • Does your REST API support login with e-mails as well? What other options are you looking to implement with Facebook (getting the friends list of your user, etc.)? – Much Overflow Feb 16 '16 at 04:47
  • @MuchOverflow Currently, login will be purely Facebook only. We also need to share content to the user's Facebook friends. – Noel Llevares Feb 16 '16 at 08:16
  • http://stackoverflow.com/a/27295322/165106 has a good explanation why option B is the better one – Simon Mar 12 '16 at 10:26

2 Answers

You should go with option A.

  • Authenticate with the client. Then you will receive an access token.
  • Send this token to the server.
  • Now you can create a user, fetch FB friends, and do anything else you might need.

If you are using django-rest-framework, you should have a look at the django-rest-auth package. It handles user login/creation on the server side using the access token.

https://django-rest-auth.readthedocs.org/en/latest/installation.html#social-authentication-optional

ilse2005
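The server-side half of option A, as an added example that is not part of the answer above and not code from django-rest-auth: the client hands over the token it got from Facebook, and the server validates it against Facebook's Graph `/debug_token` endpoint before trusting it. The security-relevant check is that the token must not only be valid but issued to *this* app's `app_id`; otherwise a valid token minted for any other Facebook app could be replayed as a login. Graph calls also carry `appsecret_proof` (HMAC-SHA256 of the user token under the app secret), so a leaked user token on its own cannot act as the app. `APP_ID`/`APP_SECRET` are placeholders, `fake_graph` is a constructed stand-in for graph.facebook.com so the code runs offline, and the `users` dict stands in for the Django ORM.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"

# Placeholder credentials (assumption: a real Django project reads these from settings/env).
APP_ID = "123456789012345"
APP_SECRET = "app-secret-placeholder"


def appsecret_proof(user_token):
    """Facebook's appsecret_proof: HMAC-SHA256 of the user token keyed with the app secret.
    Sent with Graph calls so a stolen user token alone cannot be used as our app."""
    return hmac.new(APP_SECRET.encode(), user_token.encode(), hashlib.sha256).hexdigest()


def http_get_json(url):
    """Real network fetcher; every function below accepts a replacement so it can run offline."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_facebook_token(user_token, fetch=http_get_json):
    """Validate the client-supplied token server side via Graph's /debug_token.
    Raises ValueError when the token is invalid, expired, or was not issued to our app."""
    app_token = f"{APP_ID}|{APP_SECRET}"
    query = urlencode({"input_token": user_token, "access_token": app_token})
    data = fetch(f"{GRAPH}/debug_token?{query}").get("data", {})
    if not data.get("is_valid"):
        raise ValueError("token invalid or expired")
    # A valid token minted for some other Facebook app must not log anyone into ours.
    if str(data.get("app_id")) != APP_ID:
        raise ValueError("token issued to a different app")
    if not data.get("user_id"):
        raise ValueError("not a user access token")
    return {"fb_user_id": str(data["user_id"]), "scopes": list(data.get("scopes", []))}


def fetch_friends(user_token, fetch=http_get_json):
    """Friends who already use the app (what /me/friends returns), for the invite feature."""
    query = urlencode({"access_token": user_token,
                       "appsecret_proof": appsecret_proof(user_token)})
    return fetch(f"{GRAPH}/me/friends?{query}").get("data", [])


def login_with_facebook(user_token, users, fetch=http_get_json):
    """Option A on the server: verify the token, then get-or-create the local user keyed
    by Facebook user id. `users` is an in-memory dict standing in for the Django ORM.
    Returns the user record, or None when the token is rejected."""
    try:
        identity = verify_facebook_token(user_token, fetch)
    except ValueError as err:
        print(f"rejected login: {err}")
        return None
    uid = identity["fb_user_id"]
    user = users.setdefault(uid, {"fb_user_id": uid, "friends": []})
    if "user_friends" in identity["scopes"]:
        user["friends"] = fetch_friends(user_token, fetch)
    return user


def fake_graph(url):
    """Constructed stand-in for graph.facebook.com so the example runs offline."""
    parts = urlparse(url)
    qs = parse_qs(parts.query)
    if parts.path == "/debug_token":
        token = qs["input_token"][0]
        if token == "valid-token":
            return {"data": {"app_id": APP_ID, "is_valid": True, "user_id": "10001",
                             "scopes": ["public_profile", "user_friends"]}}
        if token == "foreign-app-token":  # valid, but minted for another app id
            return {"data": {"app_id": "999999", "is_valid": True,
                             "user_id": "10001", "scopes": []}}
        return {"data": {"is_valid": False}}
    if parts.path == "/me/friends":
        return {"data": [{"id": "20002", "name": "Constructed Friend"}]}
    return {}


if __name__ == "__main__":
    store = {}
    print(login_with_facebook("valid-token", store, fetch=fake_graph))
    print(login_with_facebook("foreign-app-token", store, fetch=fake_graph))
    print(login_with_facebook("garbage", store, fetch=fake_graph))
```

In a Django view the `users` dict becomes a `get_or_create` on your user model and `fetch` is left at its default; the token itself is only ever a lookup key on the server, which is why this design never needs the user's Facebook password.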

You can take a look at the Facebook SDK for Python, it should tell you how to incorporate it into your app and it shows how to integrate with a few frameworks here (Flask being similar to django for this).

Facebook will be doing the authentication on their side, not you, though you may want to store the user's token in a database.

David542
  • If I do it on the server side, then the server needs to ask for the user's Facebook credentials, correct? And then send them to FB for authentication. – Noel Llevares Feb 16 '16 at 03:33