3

I have a website that uses Facebook authentication for logging in users. It uses the oAuth 2.0 server side flow for authentication and it all works fine.

I am now developing an iPhone application for the same website and want to allow users to sign in to the website via the iPhone application using FB authentication.The Facebook iOS SDK provides mechanisms to do the authentication using the client side flow, where in my iPhone app gets the access token.

Now to authenticate the user with my server, and also make the access token available to my server, I thought of sending this access token to my server (over https) and authenticate the user against my DB and set my own session related cookie. Is this the preferred or advised method? I need the access token on my server as I ask for offline access permission and have my webapp interact with FB user account from my server directly.

An easier option for me would be to just use the server side flow for authentication on my iPhone app too, as nothing new needs to be done and the server side code is the same for website or iPhone app. Is that possible?

I cannot use client side authentication and pass the access token to my server for authentication against my system and also to be stored for further use. The access token received for client side authentication is totally different from the server side authentication token and the two cannot be used interchangeably. I will have to use server side authentication.

One solution ( provided here - in the first comment to the question) is to use an UIWebView and simulate the server side flow. The following comment mentions the problems with this approach, that I have not been able to solve.

This has been solved by examining the URL to which the webview is redirected to after the login.

Another problem is that, my iPhone app does some client side interactions too (like FBShare, writing to a friend's wall, etc). If I use the simulated server side authentication, I will have to do another client side authentication for these interactions or take the painful approach and route even these actions through my server. The latter is definitely not preferable. How do I go about this? Can I avoid this double login as it will be very bad user experience?

Community
  • 1
  • 1
brahmana
  • 1,286
  • 12
  • 24

3 Answers3

0

I cannot use client side authentication and pass the access token to my server for authentication against my system and also to be stored for further use.

Per Facebook's Securing Requests - Verifying Graph API Calls with appsecret_proof page:

Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the person.

All this being said, I am perplexed that the SDK does not allow usage of a 3-legged OAuth flow, returning an access code instead of a token, despite their recommendation to do so for security reasons.

twelve17
  • 688
  • 8
  • 20
0

I am in a similar situation. I've got an iOS native app that needs to know who the user is.

I've got a website (RoR), using Devise, that I can login to/create an account with Facebook/Twitter via it's OmniAuth gem.

However, with both Facebook and Twitter, it seems that I have to create two entries in each, one for the website, one for the app.

Those are separate API keys for each.

For the iOS app, the only way I've come up with to make this work is: * If the user wants to auth/create account via Twitter of Facebook, then send them via a UIWebView to the website to login.

Any tweets/FB posts from the iOS would actually be posted to each via an API on the website that would use the user's access token to post the tweet on their behalf.

The thing is, I rather dislike Webviews for logins. If anyone has any suggestions I'm all ears.

lottadot
  • 367
  • 3
  • 7
  • Yeah, I'm getting that code via UIWebView too. It's quite disappointed to know that Facebook SDK for iOS doesn't have an API that support getting the code used in Server-Side auth. And it's quite hard to explain why I can't do it to others. – Hlung Jul 05 '12 at 06:42
0

"I cannot use client side authentication and pass the access token to my server for authentication against my system and also to be stored for further use. The access token received for client side authentication is totally different from the server side authentication token and the two cannot be used interchangeably. I will have to use server side authentication."

I just found it opposite. The access tokens generated by the client-side flow and server-side flow authentication are exactly same. They are "interchangeable", in fact once you get the token, it can be used anywhere as long as the user is still logged in and the token is not expired yet. This works.

curl "https://graph.facebook.com/{the user id}/friends?access_token={the token}
h--n
  • 5,903
  • 4
  • 31
  • 32