Facebook iOS SDK and passport-facebook authentication - ios

I'm trying to implement server facebook authentication using passport-facebook on an iOS Facebook SDK app, and I'm unclear how to setup the passport authentication on the backend.
Basically the iOS client authenticates with Facebook and gets the sessionToken and I want to pass that to the passport-facebook /auth/facebook/callback to verify the session token with FB, and lookup the user from our database through node.js.
Is that the correct way to use passport-facebook, or do I need call /auth/facebook (and what parameters do I need to pass it).
This issue mentions building an app using Facebook iOS SDK and then authenticating on the server, but doesn't mention exactly how to do that.
https://github.com/jaredhanson/passport-facebook/issues/7
I could also write my own custom passport strategy that simply passes the FB session token and I can verify with FB graph API on the server to get the FB user ID and authenticate it's a valid session, as mentioned here:
Design for Facebook authentication in an iOS app that also accesses a secured web service

Check out passport-facebook-token, which is designed to authenticate based on a previously issued token (ie, the one issued to your iOS app).
passport-facebook is designed to do the web-based, redirect flow, which is not typically done from a mobile application.

Related

How to validate access token within Resource Server obtained from the iOS client

I am building a spring boot java resource server as a backend for an iOS app. The iOS App authenticates users using federated login with Facebook and passes access token for resource server to create an internal user. linked to the facebook profile.
Any documentation I came across discusses how to use spring security to authenticate/authorize users using login form, but I am just trying to parse/validate the access token already given by FB. How can I do this? Google offers a library to easily parse access token and extract user's information, but I can't find a counterpart library for facebook.

Social authentication from both iOS app and backend server

I am trying to implement a login flow, which involves both iOS app and server integration. Other than social authentication, application support email/password authentication as well. Once successful authentication server application send auth_token which can be used in subsequent API calls.
My social login flow as follows :
iOS application initiate social login by retrieving a code as response type from the authentication provider.
Retrieved code send to server application, so it verifies with the social authentication provider and (create an account if not exist) authenticate the user.
Successful authentication will generate auth token as normal (email / password) authentication and send back to the mobile application.
Once successful authentication, both approaches mobile application receives auth_token.
I tried to implement this flow using OAuthSwift library and spring-social. I think backend part is working fine. But OAuthSwift doesn't seems to support retrieving just the code. (I opened a issue in their Github repo)
My Questions are:
If you see any problem with this approach?
What are the other Good Swift frameworks, which supports retrieving authentication code as response_type
You will lose the connection to your social login. Because you switch to your OAuth mechanism, you will not have any notice if the user changed something in there social account.
Thats ok, if you not rely on any off his data, for example his e-mail address.
But keep that in mind.

OAuth2 Authorization Code with Facebook iOS SDK

I'm developing an iOS app which uses Facebook Login. I have the Facebook iOS SDK set up and working, but the back-end developer of my client has concerns about the safety of Facebook's access tokens.
Using using the Facebook SDK, We want to get an authorization code from Facebook, not the access token, and get the access token on the server with App Key and App Secret. Is there any way of doing this?
Note: I am using this method to login (on FBSession):
openActiveSessionWithReadPermissions:allowLoginUI:completionHandler:
Answering my own question :
This can't be done with the current Facebook iOS SDK, but you can make a graph API call to
https://graph.facebook.com/oauth/client_code?access_token=...&client_id=...&client_secret=...&redirect_uri= ...
to exchange the access token with the code.
But this isn't secure at all, because you would have to ship the app with the App Secret.

can an OAuth consumer app expose an API to an iOS app?

I'm creating an app for iOS that consumes an API I've created, which requires authentication and authorization of users. I'm thinking of using OAuth to let the mobile users do this with Facebook. This is an internal API that isn't meant to be exposed to third parties.
Anyway, I'm a little confused about the abilities and limitations of OAuth consumers versus OAuth providers. Basically, I want to implement "Login with Facebook" functionality from the iOS app. It seems to me that this implies that my API should be an OAuth consumer, but the problem with this is that the login flow for a web app assumes a browser -- an NSURLConnection instance isn't going to know what to do with an HTML login page, and even if the redirect to the login page was made to work by prefixing the redirect URI with the fb:// schema, surely the login form is going to pass the authorization token back to the iOS app and not my API?
So my question is: is there a way to implement my API as an OAuth consumer? If not, and I should implement it as an OAuth provider, what does logging in with credentials from another provider like Facebook even mean?
I think things are a bit mixed up:
OAuth is to Authenticate your app against facebook. A user grants
access to his FB account to your app on behalf of him
"Login with FB" is the other way round and is not OAuth: A User
with an FB account is using this data to register AND login to your
app.
The entire flow of the # 2 can be read here.

For a hybrid SSO scenario using the Facebook iOS SDK, what's the best way generating a password/key for our own custom user records?

So my intention is to have a login in my iOS app that allows for either our standard email/pwd registration, or login with Facebook. We are also creating rest services to get application info for a given user, e.g. https://url/getPosts/[userId]?userPwd=foo
I've implemented SSO with fb in a web application before but I have some concerns about the security of authentication in a iOS client scenario. The key difference from what I've done before is that in a web app, I was making a server to server call to Facebook to get the access token so I was reasonably assured that the user was authenticated and the web server made privileged calls to the database. In the iOS case, I have the mobile client app making the Facebook iOS authentication request itself and the server has to somehow trust that this user from the client app is indeed authenticated against the matching user record in our database.
My question is how do I generate a durable and secret unique key from the iOS SDK so that I can create and associate a matching user record in our database for users that authenticate only with Facebook. I want this to be seamless so the user would not have to manually fill out another form, and we would just automatically create this matching user record in our db.
I could insert a record into my own users table when they fbDidLogin with Facebook, using the Facebook Id as the unique identifier, and the fb access token as the pseudo password/key for my own user record. I would have to validate the access token with Facebook to make sure it's valid before saving it as a password for the user (the user would never see this password, it would just be passed by the client app during api calls). That way when the user makes a call to our own rest api via the iPhone app we can authenticate and authorize using this secret/pwd/key.
An alternative that would make this whole question moot is to just handle the authorization logic on the client app, and check that there is a valid fb session before making calls to our own apis which I secure with just a single application-wide secret, but that doesn't seem as secure since getting that one secret gives authorization to data on all users. I'd rather authorize at an individual user level. Is that the right choice? Am I being paranoid about iOS security?
The fb access token expires so that might not seem durable, however if I enable offline access that token won't expire but creates a scarier looking oauth dialog window. An alternative to the access token is to hash the fb Id with an application secret key on the iOS client, and use that as the Facebook user's password in our db. However, that again is a single secret key that could perhaps be reverse compiled from the iOS client app?
Design for Facebook authentication in an iOS app that also accesses a secured web service
This post helped me undesrtand it more. If I am not mistaken, the flow goes like this:
User authenticates in iOS app
iOS app takes auth token, sends it to the rails app
Rails app takes auth token and sends it to graph.facebook.com/?auth_token=XXX to get back the user if authentication was successful.
Rails app takes the user info and matches/creates user in own database table. Sends some kind of authentication key back to iOS app.
iOS app saves the authentication key so it can use it to communicate with the rails app.
Let me know if I am missing anything.
Have you looked at the iOS docs for Single Sign On (SSO)? https://developers.facebook.com/docs/guides/mobile/#ios
You can share an app ID across mobile, canvas and web site and the same user auth works for each environment.
Check out: https://developers.facebook.com/docs/authentication/
Facebook Platform provides a number of ways to use the above OAuth flows in different app types, including Websites, Apps on Facebook.com, Mobile and Desktop Apps.
You just need to insert users Facebook key to your database to know if its authenticated with Facebook. Use OAuth at ios side authenticate user take users secret key send it to your rest web-service and save it with users other info.

Resources