I am building a backend for ios apps, that support login in different networks.
Once the user login in to the network the client tells the news to the backend, and this could offer a list of worlds that the user might play, or even delete old worlds.
One way to steal another person's world is by saying that you are his social network id.
To solve that with facebook, we force the client to send us the fb_token, a token provided from facebook to the client, that we use in the backend to ask facebook if that specific user is the one that he told us to be.
If apple doesn't provide a way to validate this I understand that if an iOS app wants to use game center, it is directly forcing the app developer to also use iCloud because apple can validate the user credentials.
Did apple provide any way to validate user credentials?
The client on iOS can retrieve info about the currently logged in player in GameCenter, which has nothing to do with iCloud.
If you want to use iCloud to authenticate, you might have a different player than the one you wanted.
I think the solution is for the client to retrieve the player info in GameCenter, and send it to your server in an encrypted fashion (say HTTPS), including a timestamp and possibly other dynamic information. This way you'll know that the user info is being sent from the client app itself and there is no man-in-the-middle. That's really the issue that you are struggling with: how to ensure that client-server communication is secure.
Related
I'm pretty newbie in iOS development but I'm trying to figure out how to organize the authentication. I need the authentication because of 2 reasons:
In-app purchases
User can add his or her own data into common database.
I supposed that as soon as user downloaded my app he or she will be easier to use the Apple id to authenticate but I have no idea if it's possible to use Apple id in this situation and how to organize this authentication on my server.
For information: I'm going to use Node.js as a backend with MongoDB, hosted on Windows Azure portal.
The workflow is:
User downloads and runs my app
User uses it (without any authentication so far)
If user wants to add his new data and share it the data should be
sent to the server and user must enter some credentials.
User enters Apple id credentials (and user name under he wants to
share data?) and sends his data to the server.
Further if he wants to do app-in purchase he uses the same
credentials.
If it's even possible? If I can't use Apple credentials to send data to my server, if it's possible to use other credentials (my email, or OAuth) to make app-in purchase? I don't like to idea to make user enter different credentials twice.
Thanks!
I'm working on an iPhone app that is logging into a webservice and it's been asked of me to get the account login management into the settings page (i.e. next to Twitter, Facebook and Vimeo). From what I've been reading about the accounts framework, it appears that only those few companies have that ability.
I currently have it set up and working asking for login info periodically and polling the webservice for validation, but we're trying to move toward supporting moderately offline use, which means we need to have some sort of account info managed on the phone itself.
Can I use the built-in account framework for our own login credentials or is that not something that's available to a regular dev and I'll have to look for another way to do it on my own? Is that something that the keychain would be better for?
Using the keychain to securely store the users credentials is a good idea to start.
If I am understanding your question about a "built-in account framework", I don't believe there is a local framework for account management on the device itself that I am aware of that would be useful in this circumstance.
I've had to build an app that needed to authenticate to a web service that also needed to have some offline access. I ended up recording the validated authentication date and time in the NSUserDefaults and would let the user use the app for a 48 hours period before they had to re-authenticate. Their data was queued locally and when they had online access again, I would re-authenticate and then sync the data. Not the most elegant solution but it fit the project.
I used AFNetworking (http://afnetworking.com) to track the changes in network access and used to blocks to respond to the changes.
I'm new to Facebook development and I'm running into trouble with what seems like it should be an easy task. I am building an iOS app for a client, and that client wants to display a number of their most recent status updates in the app, along with a link to their Facebook page. These statuses should be displayed to the user of the app even if they are not logged into Facebook or do not have a Facebook account saved on their device.
My research so far seems to indicate that I'll need to make a request to the Graph API using a user access token (which I can do successfully in the app using a token copied and pasted from the Graph API Explorer), but it seems that the only way to get a user access token from within the app is to log the user of the app into Facebook using their account credentials. This is not a good solution because I need to be able to display the client's statuses to the user whether they have are logged into a Facebook account or not. Is such a thing possible, and if so, how? I've been all over the docs and can't find a conclusive answer either way.
I know that we would approach it quite differently. We would have our own web service periodically pull what we needed off of google and store it on our own server, then we would use AFHTTPClient to pull this information down to our app. That way we wouldn't have to spoof anything with FaceBook or put any requirments on our users, such as logging into facebook. It would require that you have a service that your client maintains (or you could easily contract that for a cost).
The app should be uploading videos from iOS devices directly to our own YouTube account (not user's account).
In every scenario I came across you need an Access Token that you can get only from user logging in through OAuth2 (window popping up). Obviously, we can't give everyone username and password from company account. I was imagining using some key that uniquely identifies the app and YouTube user account to use.
Any solution / pointer? Thanks.
I ended up using deprecated Client Login. We still need to figure where to store passwords (either in the client app, or fetch them from backend every time), but that's already a huge progress.
Unfortunately, Google says Client Login will be removed in 2015. We can just hope they'll come up with non-interactive auth method requiring no user interaction by then.
we are developing an iOS App using Adobe Flex/Air. The app uses a web service that needs user authentication via facebook login. At the moment, we use server side authentication: There's a login URL displayed in a WebView where the facebook login is done. This way, we get an access_token that can be used on the server side.
This works perfectly but it would really be much better if we could use Single Sign-on with the facebook ios app. As far as I have read, this should work on the client side but I haven't found a way to authenticate the user on the server side.
facebook's access_tokens are valid either for use on the server-side or for the client side so an access_token from the client-side login won't work for the server side.
Thanks in advance for your ideas,
Henk
As far as I can see, you're making this far more complicated than it's really intended to be. Leverage the Facebook iOS SDK, and all of the heavy lifting involved with authenticating the user within your app is handled by the Facebook SDK. There's no need to independently provide sign-in sheets and manage access token exchange between the app's local storage and Facebook's servers without the convenience of the entire Facebook SDK.
This link shows you how to implement SSO natively within your iOS app. It's real simple.
http://developers.facebook.com/docs/mobile/ios/build/#implementsso
Then, I understand that you're keeping authentication information or central user database information on an external server. The best way to synchronize the information between the FB client and your own servers is to simply check the login information returned by the FB SDK with your server after you receive it.
Here's a simple breakdown:
Log the user in using Facebook's standard SDK (see the link above).
In the -didLogin method (or whatever the equivalent is in your Adobe AIR environment), check the access token returned by FB with your server. Not sure what server architecture you're using, but it's safe to say that this will go on outside of the FB SDK. Also, save the access token in your app's user defaults so that the user won't have to login again next time. This whole process should (and inherently will) feel much quicker than it sounds.
If the check with the server returns successfully, notify the user of a successful login. If not, display an error view explaining the reason the user was rejected/not logged in.
Why do it this way? The reason is fairly simple. It's safe to assume that the reason you're having a user login to your app via Facebook is so that you can make requests for the user's Facebook information (i.e. feeds, photos, likes, comments, etc.). The easiest (and best) way to do this is through the FB SDK its self. The SDK takes care of a lot of stuff behind the scenes like access token validation over time, extension of token life, validity of token, and so on. This way, you won't have to worry nearly as much about syncronizing the server information and real-time client information when changes take place. Just authenticate via the FB iOS SDK, and do the rest of your own processing afterward.
Comment below if there's anything I should clarify or even if I missed the point of your question entirely--I tend to get on a roll and may stray from the point. :)
Cheers!
The Kraken