I have to write an API for mobile device to implement Login with Facebook using Devise. I have done the web implementation and the as per my research the Facebook Login flow works as follows:
Step 1:
The user comes on the website and clicks Login with Facebook. It hits the facebook verifying the permissions for the app.
Step 2:
If the user accepts, facebook hits the web application with a temporary code.
Step 3:
The web server using the temporary params code hits facebook again to get the user's access token.
Step 4:
Facebook hits the web server with the user's access_token which is saved by the web application in the database. If the user with the access_token already exists then a new session is created else a new user record is created.
This is the complete flow of login of Facebook for a web application.
Now when writing mobile api for a Mobile device the question comes is:
Will the mobile device hit the web application with the facebook's temporary code as mentioned in Step 2 and the Web server will hit facebook using the temporary code to get the user's permanent access_token?
OR
Will the mobile devise hit the web server with the permanent user's access_token from facebook which is then identified for its existence in the database by the web application?
Please Help.
Many Thanks!!
Did you saw Devise + Facebook OmniAuth integration?
I used this integration and it uses the step 2, it's very easy and you don't have to care about this issues, it's already done.
Related
I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.
According to this link Facebook Login for the Web, I can let my users login with facebook accounts (after logging to my facebook app).
now, all the work is done here in javascript which is a client-based code, it means it is insecure and a hacker could easily trespass my login step.
I know i should be using PHP SDK (for example) to secure the login process, but my question is why would I use this method ????
We are implementing Google Oauth2.0 Single Sign On with our applications. We have Web application, windows desktop app, Adroid app, iPhone app.
From our applications(windows app/mobile app) when user tries to login we use below flow:
1) We get URL(https://accounts.google.com/o/oauth2/auth?client_id=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&response_type=code&scope=openid%20profile%20email&redirect_uri=urn:ietf:wg:oauth:2.0:oob&login_hint=myemail#gmail.com) from our API which redirect user to Google login screen
2) After authentication:
a) On first login it display consent screen with scopes(View your email address/View your basic info/Know who you are on Google) mentioned in above URL.
b) On subsequent login it display consent screen with scope (Have offline access).
3) Then Google return us a code in page title which we use for our authentication and then we allow user to access our application.
When we are using Same flow in Web application it won't ask Offline access scope screen for subsequent logins but in Desktop app/Mobile app for all the subsequent login it ask "Have offline access" scope screen.
How can I avoid scope (Have offline access) screen for subsequent login?
Please suggest.
FYI
1) I have tried approval_prompt, access_type but no change in nature.
2) We are not storing any refresh token after first authentication.
I've been working with ServiceStack for quite some time now and i love it. But there is one thing i can't figure out.
How are app's (ios, android etc.) that are using my servicestack endpoints, suppose to use the facebook endpoint "/auth/facebook"?
When using this url "/auth/facebook" from the browser it works fine, but the response is html, and not an AuthResponse og something serializable.
Is this endpoint only to be used from websites with servicestack in the same solution?
The way that stuff works is by redirecting the user to Facebook with an API key that matches your app. The user then tells Facebook that your app is ok, and Facebook redirects them back. This can only be done via a browser. You really have two options to work around this:
Make the user authenticate with Facebook using a website and then authenticate your user with credentials from the app.
Use the built in iOS Facebook stuff and send the resulting auth tokens to an endpoint on your app, where you can save them for later use.
Edit, a bit more clarification:
Option 1
User Goes to your website
User Clicks on your Auth With Facebook button
User is sent your your Facebook endpoint set up in Service Stack
User is redirected by Service Stack to Facebook
User is redirected back to Service Stack from Facebook, with a token in the url
You save the token in your database and tell the user they can now user your app with Facebook.
Option 1.5
The same as Option 1 but instead of making the user go through their browser you create a UIWebView control and point it to your Facebook Auth endpoint. Then you listen for a response from your site that says the user is authenticated. I'm not a objective c, so I can't really get more detailed on how to do that.
Option 2
Use the iOS Facebook API and handle authentication as seen here.
POST the credentials to Service Stack via a Custom Endpoint
Save credentials in the db, and use them in the future to make calls on behalf of the user.
Facebook Login requires a browser of some sort, because Facebook's cookies must be passed along with a request to authorize your website. That is how Facebook knows which of it's users wants to authorize your site, and that they are the ones making the request.
i want to develop an android app using youtube API 3.
It is necessary that the user who will be using the app has to login with his/her gmail credentials to actually view a video?
Or just registering the app here https://developers.google.com/youtube/registering_an_application is fine and the user watching the video or using the app need not login to his/her gmail account.
It is necessary that the user who will be using the app has to login with his/her gmail credentials to actually view a video?
No. Authentication via OAuth is only necessary if your application requires access to "private user data". Simply viewing a video does not meet those requirements.
More details here: https://developers.google.com/youtube/v3/guides/authentication