Good morning everyone,
So we decided to create an iOS app and to do so, we added a REST Web-Service with TastyPie to our app. Everything is great so far... but we have a small problem.
On the iOS side, we are using RestKit and we are faced with the authentication problem. We can make the user login, but Django needs to return something back to the iOS App in order to retain the session and access the rest of the possible API after the user has logged in.
On the web side, we are using Django Sessions and Cookies. Should we just send back the session and store it in the HTTP header in iOS? OR, I have seen that we could use the ApiKeyAuthentication. Does that mean the HTTP Header would always have the ApiKey in its header, as well as the username? Is that even safe?
I am kind of confused, so thanks a lot!
Related
I'm creating an iPhone app that will allow users to log in with Twitter and for the app to then be able to post on their behalf.
Is it better to make post requests to Twitter from the app or from the server? Why?
For my app I found it easier to do it on the client. If you are looking for a iOS twitter library I have it here https://github.com/narup/PSTwitterEngine Though, you can still post using iOS native twitter support. You will need this library if you are using browser based authentication
Also, didn't want to write extra code on server since i am writing server myself :)
I am trying to create an ios App that talks to a backend API written in nodejs. The backend also has an accompanying webapp also written in nodejs. The idea is that you can login (using facebook-js) on either the app or the webapp and post things to to.
My question is this, let's say that the user decided to login using the ios App, then call some backend API method to post an article, how do I make this work without essentially forcing the user to login twice?
Not sure if I'm making sense, any help would be greatly appreciated!
As Facebook uses OAuth for the client authentication, it's relatively easy to store the Access Token resulting from the login process somewhere on your server, and use them later.
Have a look at Design for Facebook authentication in an iOS app that also accesses a secured web service
Also, see https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1 which outlines the login process and the storage of Access Tokens.
Hello me and friends are planning on taking on a big project. My two friends are going to be building iOS and Android apps and I will be making the server back end. I recently started developing with RoR and have fallen in love with Ruby. Now here are my questions:
Little more background:
I only want a private API for the android and iPhone app. I do NOT want a full fledged OAuth authentication process. Doing some research I think I will go with basic HTTP authentication.
1. My App uses cookie based authentication meaning a cookie has to be passed with each subsequent request. So will my friends need to have to store a cookie and on each subsequent request to the server send the cookie along with it?
2. How do I go about making the API private? I know in OAuth there are consumer secret and consumer key. I know if anyone could simply figure out the URL schema they will be able to have access to the API. How do I protect my back end from request from unknown users? (Hard coding strings in the Apps themselves?, Checking headers for device type?)
3. Should I only build the API now and worry about a web app later? Or would it be too horrific of an experience to go back and build a web app (Although I really do actually want the web app to be more significant than the mobile app
Here is a great article explaining exactly what you're looking for : securing an API without setting up a full OAUTH provider :
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
Works great (even if the solution is finally not so far from oauth ;)
I have a process that pulls all of the User's profile photos through a NET:HTTP connection. The problem is that I don't know if a user's account is using HTTP or HTTPS- the process works fine if I get this detail right. Is there a good, reliable way to have the Koala gem surface the user's security level?
I've been digging through the FB apis and cannot find any info on this. Hoping for some suggestions.
I resolved this issue by circumventing it entirely. I re-architected the applications to communicate with each other, rather than each making their own requests to the FB Graph.
The app that connects to the FB api dumps the content I need in the db, then a request is made to the other app (with the id of the new record). That app then calls back to the FB app, which provides a json service containing everything the other app needed from the graph. Completely eliminates http/https issues and authentication issues.
we are developing an iOS App using Adobe Flex/Air. The app uses a web service that needs user authentication via facebook login. At the moment, we use server side authentication: There's a login URL displayed in a WebView where the facebook login is done. This way, we get an access_token that can be used on the server side.
This works perfectly but it would really be much better if we could use Single Sign-on with the facebook ios app. As far as I have read, this should work on the client side but I haven't found a way to authenticate the user on the server side.
facebook's access_tokens are valid either for use on the server-side or for the client side so an access_token from the client-side login won't work for the server side.
Thanks in advance for your ideas,
Henk
As far as I can see, you're making this far more complicated than it's really intended to be. Leverage the Facebook iOS SDK, and all of the heavy lifting involved with authenticating the user within your app is handled by the Facebook SDK. There's no need to independently provide sign-in sheets and manage access token exchange between the app's local storage and Facebook's servers without the convenience of the entire Facebook SDK.
This link shows you how to implement SSO natively within your iOS app. It's real simple.
http://developers.facebook.com/docs/mobile/ios/build/#implementsso
Then, I understand that you're keeping authentication information or central user database information on an external server. The best way to synchronize the information between the FB client and your own servers is to simply check the login information returned by the FB SDK with your server after you receive it.
Here's a simple breakdown:
Log the user in using Facebook's standard SDK (see the link above).
In the -didLogin method (or whatever the equivalent is in your Adobe AIR environment), check the access token returned by FB with your server. Not sure what server architecture you're using, but it's safe to say that this will go on outside of the FB SDK. Also, save the access token in your app's user defaults so that the user won't have to login again next time. This whole process should (and inherently will) feel much quicker than it sounds.
If the check with the server returns successfully, notify the user of a successful login. If not, display an error view explaining the reason the user was rejected/not logged in.
Why do it this way? The reason is fairly simple. It's safe to assume that the reason you're having a user login to your app via Facebook is so that you can make requests for the user's Facebook information (i.e. feeds, photos, likes, comments, etc.). The easiest (and best) way to do this is through the FB SDK its self. The SDK takes care of a lot of stuff behind the scenes like access token validation over time, extension of token life, validity of token, and so on. This way, you won't have to worry nearly as much about syncronizing the server information and real-time client information when changes take place. Just authenticate via the FB iOS SDK, and do the rest of your own processing afterward.
Comment below if there's anything I should clarify or even if I missed the point of your question entirely--I tend to get on a roll and may stray from the point. :)
Cheers!
The Kraken