we are developing an iOS App using Adobe Flex/Air. The app uses a web service that needs user authentication via facebook login. At the moment, we use server side authentication: There's a login URL displayed in a WebView where the facebook login is done. This way, we get an access_token that can be used on the server side.
This works perfectly but it would really be much better if we could use Single Sign-on with the facebook ios app. As far as I have read, this should work on the client side but I haven't found a way to authenticate the user on the server side.
facebook's access_tokens are valid either for use on the server-side or for the client side so an access_token from the client-side login won't work for the server side.
Thanks in advance for your ideas,
Henk
As far as I can see, you're making this far more complicated than it's really intended to be. Leverage the Facebook iOS SDK, and all of the heavy lifting involved with authenticating the user within your app is handled by the Facebook SDK. There's no need to independently provide sign-in sheets and manage access token exchange between the app's local storage and Facebook's servers without the convenience of the entire Facebook SDK.
This link shows you how to implement SSO natively within your iOS app. It's real simple.
http://developers.facebook.com/docs/mobile/ios/build/#implementsso
Then, I understand that you're keeping authentication information or central user database information on an external server. The best way to synchronize the information between the FB client and your own servers is to simply check the login information returned by the FB SDK with your server after you receive it.
Here's a simple breakdown:
Log the user in using Facebook's standard SDK (see the link above).
In the -didLogin method (or whatever the equivalent is in your Adobe AIR environment), check the access token returned by FB with your server. Not sure what server architecture you're using, but it's safe to say that this will go on outside of the FB SDK. Also, save the access token in your app's user defaults so that the user won't have to login again next time. This whole process should (and inherently will) feel much quicker than it sounds.
If the check with the server returns successfully, notify the user of a successful login. If not, display an error view explaining the reason the user was rejected/not logged in.
Why do it this way? The reason is fairly simple. It's safe to assume that the reason you're having a user login to your app via Facebook is so that you can make requests for the user's Facebook information (i.e. feeds, photos, likes, comments, etc.). The easiest (and best) way to do this is through the FB SDK its self. The SDK takes care of a lot of stuff behind the scenes like access token validation over time, extension of token life, validity of token, and so on. This way, you won't have to worry nearly as much about syncronizing the server information and real-time client information when changes take place. Just authenticate via the FB iOS SDK, and do the rest of your own processing afterward.
Comment below if there's anything I should clarify or even if I missed the point of your question entirely--I tend to get on a roll and may stray from the point. :)
Cheers!
The Kraken
Related
We have an app that has a backend web service. We are looking to implement a user authentication from our native iOS app to the web server. We want our native app to login to the website, get a token to use for requests and expire this token after a period of time (e.g., after 30 days).
We are looking for sample code to show how to do this for a native iOS app.
For example, do we use a UIWebView with the web login url? An advantage of this is that the user registration, forgotten passwords, etc. code for the web is available to the native app. Otherwise, we would have to re-write the registration, account confirmation, forgotten password code for the native app. If we use the web view approach, what do we save in the native app to verify requests from logged in users?
If we re-implement the registration, verification, forgotten password, login code for the native app, what are the things we need to worry about? What is the best way to implement this code? A sample pseudo or real code is appreciated.
My coworker and I just implemented a web view for login into an enterprise app we are building. You have listed many good reasons for this approach, and it works.
I am not an expert in this area, but I will describe what we accomplished in a matter of several days. Hope it helps.
First, the web login page we display is an existing enterprise login system that supports the OAuth2 protocol. OAuth2 is a pretty popular and secure way to support this type of authentication. There is a ton of information about OAuth2 on the web, and it's fairly complicated, in my opinion. The first key to making us successful was having this enterprise login system already available with OAuth2 support. We didn't write any backend code.
Second, we used this open source library to handle the implementation of the OAuth2 protocol in iOS: https://github.com/nxtbgthng/OAuth2Client
As I mentioned, OAuth2 is complicated to implement. The library takes care of most of the complexity, so the amount of code we had to write was small.
Using the library was a bit challenging, but we managed. The library documentation will get you started, but we found this tutorial extremely helpful in getting it all working:
http://www.idmworks.com/blog/entry/getting-started-with-oauth2client-on-ios
Our solution involves a single login view controller which hosts the web view, and a class to manage the keys and URLs needed to configure the library.
With this approach, authentication is handled entirely by the web view. Upon successful authentication, our view controller intercepts the redirect URL and uses the request token it provides to obtain an access token that can be used to access secure resources. The heavy lifting here is handled by library, and our enterprise login system. Our app has relatively little to do. The library stores the tokens securely in the keychain. It also supports a refresh token which allows for silently refreshing the access token, if your backend supports that.
When our app launches, it navigates to the login view controller if the user is not signed in, or to the main view controller if user is signed in.
I'm new to Facebook development and I'm running into trouble with what seems like it should be an easy task. I am building an iOS app for a client, and that client wants to display a number of their most recent status updates in the app, along with a link to their Facebook page. These statuses should be displayed to the user of the app even if they are not logged into Facebook or do not have a Facebook account saved on their device.
My research so far seems to indicate that I'll need to make a request to the Graph API using a user access token (which I can do successfully in the app using a token copied and pasted from the Graph API Explorer), but it seems that the only way to get a user access token from within the app is to log the user of the app into Facebook using their account credentials. This is not a good solution because I need to be able to display the client's statuses to the user whether they have are logged into a Facebook account or not. Is such a thing possible, and if so, how? I've been all over the docs and can't find a conclusive answer either way.
I know that we would approach it quite differently. We would have our own web service periodically pull what we needed off of google and store it on our own server, then we would use AFHTTPClient to pull this information down to our app. That way we wouldn't have to spoof anything with FaceBook or put any requirments on our users, such as logging into facebook. It would require that you have a service that your client maintains (or you could easily contract that for a cost).
We have a web application that supports Facebook and Twitter login/signup via oAuth (and can also post to FB/TW). Now we are building a mobile client and naturally we want people to be able to login-signup via FB-Twitter on mobile as well, on iOS even using system-integrated accounts.
Now mobile app and our server app are two different apps, however, and if I get oAuth correctly, we'll need to have two authentications: one for a mobile client (system account can be used), another one for a server (we'll have to show WebView for it).
Yet some existing apps seem to be fine with single authentication only (e.g. Flickr and Foursquare! At least 4sq seems to be fine with iOS system FB account only. How is it possible?
Do they share consumer key/secret between mobile and web app making it essentially the same app?
Do they use some FB-specific extension to oAuth
Do they only use auth token wherever it comes from making it a user ID?
Something completely different?
Old question, but this may help someone who finds their way here.
Twitter Reverse Auth
I have a process that pulls all of the User's profile photos through a NET:HTTP connection. The problem is that I don't know if a user's account is using HTTP or HTTPS- the process works fine if I get this detail right. Is there a good, reliable way to have the Koala gem surface the user's security level?
I've been digging through the FB apis and cannot find any info on this. Hoping for some suggestions.
I resolved this issue by circumventing it entirely. I re-architected the applications to communicate with each other, rather than each making their own requests to the FB Graph.
The app that connects to the FB api dumps the content I need in the db, then a request is made to the other app (with the id of the new record). That app then calls back to the FB app, which provides a json service containing everything the other app needed from the graph. Completely eliminates http/https issues and authentication issues.
I'm fairly new to iOS development, and I'm starting work on an App that will include some simple Facebook integration. As a proof of concept, I made a bare-bones, view-based application that has a simple button to log a user in to Facebook, and then another button to post a status update.
This is all well and good, but in a real world scenario, a user shouldn't have to login to Facebook every time they want to use the Facebook-integrated features of my App. My question is this: how would I go about persisting a user's login to a file, or to a database for use in a later launch of my App?
Ideally this solution would use Facebook's iOS SDK, but I wouldn't be opposed to building my own authentication system using their Graph API. The advantage of using Facebook's official iOS SDK, though, is that it can use the login information already associated with the phone's Facebook application (if installed), or the login associated with facebook.com on mobile Safari.
I'm not providing my current source code, on the basis that this is a general enough question to not require the specifics of my Facebook SDK usage. However, if you think it would be helpful, I'd be more than happy to post my code.
Thanks!
you wouldn't do that. check out facebook SSO in their SDK ( see https://developers.facebook.com/docs/guides/mobile/ ). You request the facebook token everytime you use it or otherwise get an long-term (read: use access token offline_access) access token and persist this token to the NSUserDefaults for use in your app. ( see http://coffeeshopped.com/2011/01/saving-sessions-with-the-facebook-ios-sdk )