I'm developing an iOS app which uses Facebook Login. I have the Facebook iOS SDK set up and working, but the back-end developer of my client has concerns about the safety of Facebook's access tokens.
Using using the Facebook SDK, We want to get an authorization code from Facebook, not the access token, and get the access token on the server with App Key and App Secret. Is there any way of doing this?
Note: I am using this method to login (on FBSession):
openActiveSessionWithReadPermissions:allowLoginUI:completionHandler:
Answering my own question :
This can't be done with the current Facebook iOS SDK, but you can make a graph API call to
https://graph.facebook.com/oauth/client_code?access_token=...&client_id=...&client_secret=...&redirect_uri= ...
to exchange the access token with the code.
But this isn't secure at all, because you would have to ship the app with the App Secret.
Related
Until now we have implemented an OAuth Workflow with mobile app and web-based login for LinkedIn with the help of (https://github.com/tonyli508/LinkedinSwift). Due to LinkeIn API change to V2 on 1.3.2019 we updated our app to use browser-based OAuth 2.0 workflow for LinkedIn using REST-Interface API V2, an embedded UIWebView and intercepting the request to get the token, because LinkedinSwift uses the mobile ios SDK of LinkedIn and does not support API V2.
The LinkeIn website for the SDK (https://developer.linkedin.com/docs/ios-sdk) says "The Mobile SDK is not currently supported". Following the Link, only the REST API is documented.
Question:
Did anybody manage to use a installed LinkedIn app for authorization and using API V2?
Linkedin App does not provide any Deeplinks, and they want developers to use the SDK, but the LinkedIn API has been largely closed off and is only available to approved LinkedIn developers. You can request authorization here - https://business.linkedin.com/marketing-solutions/marketing-partners/become-a-partner/marketing-developer-program
We have integrated Uber API in our application. We are requesting uber ride directly from our application which requires authorization token.
We are using below code for authorization,
[[NXOAuth2AccountStore sharedStore] requestAccessToAccountWithType:_applicationName
withPreparedAuthorizationURLHandler:^(NSURL *preparedURL){
[[UIApplication sharedApplication] openURL:preparedURL];
}];
It redirecting to safari and from where user will enter his/her credentials.Control goes back to application and we are getting authorization token. Everything works fine!
Is there any other way through which we can do this within app or via uber application instead of navigating to safari?
You need to add the uber in ssl LSApplicationQueriesSchemes and start the url with uber schema uber:// , it will open the uber app if it is installed in the device.
If you are using the Uber Rides iOS SDK which provides a "Ride there with Uber button" that will redirect the user to the Uber app, combined with API Token / Server Authentication Uber API endpoints that do not require a user login:
- GET /v1/products
- GET /v1/estimates/time
- GET /v1/estimates/price
you do not need to do user authorization and authentication via OAuth 2.0.
Otherwise, if you need to make requests on behalf of the user using the Uber API, (i.e without using the Uber app), you MUST implement authorization and authentication using the OAuth 2.0 protocol flow using with a browser/webview, the Uber app cannot be used for it.
Before you begin, you should determine what level of access your
application needs. Many applications will only use the Products, Price
Estimates, and Time Estimates endpoints. For these, you only need to
use the server_token to access resources via the API Token
Authentication.
If your application will access resources on behalf of an Uber user,
such as with the Me and User Activity endpoints, you will need to
follow the three-legged OAuth 2.0 flow in order to obtain an
access_token.
I need to upload files from my iOS application into my Dropbox account. I'm following this tutorial to do so: https://www.dropbox.com/developers/core/start/ios. But I don't understand how to use the generated access token to access my own account without going through the authentication flow.
The generated access token available on the Dropbox App Console is an OAuth 2 access token, just meant as a shortcut to let your app to your own account. The Dropbox iOS Core SDK uses OAuth 1 though, so you can't use the generated access token with it. That being the case, you'll need to implement the app authorization flow so that you, and additionally your end-users, can link your iOS app to their Dropbox accounts, as shown in the tutorial.
If you only ever need to link to your own account, you'll still need to process the app authorization flow for your own account once to get an OAuth 1 access token.
I'm trying to implement server facebook authentication using passport-facebook on an iOS Facebook SDK app, and I'm unclear how to setup the passport authentication on the backend.
Basically the iOS client authenticates with Facebook and gets the sessionToken and I want to pass that to the passport-facebook /auth/facebook/callback to verify the session token with FB, and lookup the user from our database through node.js.
Is that the correct way to use passport-facebook, or do I need call /auth/facebook (and what parameters do I need to pass it).
This issue mentions building an app using Facebook iOS SDK and then authenticating on the server, but doesn't mention exactly how to do that.
https://github.com/jaredhanson/passport-facebook/issues/7
I could also write my own custom passport strategy that simply passes the FB session token and I can verify with FB graph API on the server to get the FB user ID and authenticate it's a valid session, as mentioned here:
Design for Facebook authentication in an iOS app that also accesses a secured web service
Check out passport-facebook-token, which is designed to authenticate based on a previously issued token (ie, the one issued to your iOS app).
passport-facebook is designed to do the web-based, redirect flow, which is not typically done from a mobile application.
I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
OAuth is to Authenticate your app against facebook. A user grants
access to his FB account to your app on behalf of him
"Login with FB" is the other way round and is not OAuth: A User
with an FB account is using this data to register AND login to your
app.
The entire flow of the # 2 can be read here.