I need an idiots guide explanation to understand generally how do you authenticate users in your ios app when you have a web based backend? I use tornado and django and understand how to use get/post/delete/update using restkit but theoretically i don't understand authentication requests.
P.S. I have found a good tutorial using restkit for authentication which helped here:
http://benoitc.github.com/restkit/authentication.html
That can be done in multiple ways ill explain the easiest, first lets setup our enviroment, we do have:
www.yourSite.com/login.php: this will take user="name" and passowrd="password", and it will echo back a session ID.
www.yourSite.com/isloggedin.php: to check if user is logged in
www.yoursite.com/logout.php: to logout from your session
First you would call login.php sending the user name and the password (login.php?user=someuser&passowd=pass) this call will echo back a session ID (that will be kept alive for you at the server side)
Then later on you could call isloggedin.php?session=here_set_the_session_returned_earlier, if you didnt log out this will return yes for example
Later if you want to logout you could call www.yoursite.com/logout.php?session=same_session, that will destroy the session saved in the login function
There are alot of other ways to implement this, but in my opinion this is the easiest way
You can use Cookie.
The web server side can respond some cookies when receiving the request that contains username and password information, then the next time app will send request with the cookies the web server has responded.
You can use ASIHTTPRequest, it can handle cookie automatically.
Hope this can help you. :)
Related
I am working on an app which needs the authentication. The backend is built with Flask python, and I am using POST request with a JSON to send the username and password. There are two questions I have actually.
First one, is it unsafe to authenticate with POST and JSON?
Second one, how can I keep the status of log in. I mean, like Facebook App, once user logged in, they don't have to input the password again even the app is restarted.
There is nothing wrong with sending your auth credentials with POST, in fact, that's what you should be doing, never send these information via GET
As for how to keep the status, check out Documentation on the class to store your cookies, then check if they exist.
Also, I assume you know the HTTP status code as well? Just to give you more info, just because your cookies exists doesn't mean the user is also logged in, for example, cookies may be expired (time length depends on your server configuration). So in that case you might want to return status error 4xx. HTTP Status Documentation, and maybe presentViewController(logInViewController, animated: true).
I have a website that users can log into to see their account info.
I would like to build functionality into my iOS app that allows them to log in and see their info in the app. The usernames and passwords are stored in a SQL database.
How can I authenticate the username and password the user types into the app with the database?
If you have better atuthentication system in your web..
then i would prefer you to use the WEBVIEW for your login page. and continues the other using the normal app flow.
there are lot of tutorials for creating username and password login Function in IOS. i dont know whther you are basic or new progrmmer. But try this you may get some idea.
http://www.youtube.com/watch?v=HrZR2SyeoSk.
You can go with JSON serialisation, if you experienced to load data from server.
There are multiple ways you can go about this but at the end of the day you need an endpoint for your iOS application to talk to your web server. This can be done with a TCP connection (little more complicated) or with a RESTful HTTP API endpoint which is generally the way most developers will go.
To get you running up and quickly on the client side have a look at AFNetworking to do the heavy lifting on your HTTP requests. You will then need a URL on your website that the iOS application can query. Abstract things to keep your API on a different subdomain, say for instance by creating a subdomain to handle your API requests. A login example could look like this
http://api.mysite.com/login
For a PHP based REST API here is a tutorial for you, PHP API or you could use a Node.js framework such as Restify
The general practise is to use JSON encoded data when sending requests back and forth from the server, iOS 7 has built in JSON encoding/decoding, node and PHP also have pretty good support.
Once you are able to send and receive HTTP request from your iOS device to your web server it is just a matter of checking the username and password match up on the server side (seems you already know how to do this?) to the ones in your database and sending back a authentication BOOL and option error message if failed.
I'm about to build a console application that needs access to the authenticated YouTube Data API. Calling the API's themselves is not a problem, I know quite well how to make and process HTTPS requests.
I've already gotten the API key and the Client ID. No problems there, either.
The problem is the authentication.
I've checked here: https://developers.google.com/youtube/v3/guides/authentication#installed-apps
On the "Installed applications" tab, in step two, it instructs on how to set up a url to call to do the authentication step. All good so far. But before programming anything, I thought I'd try and see what that url does in the browser.
Turns out it just displays a login prompt. Well how about that. That won't work in this kind of console application. The idea is, presumably, that the user is somehow shown this webpage and be instructed to login and allow access. Then, somehow, by some kind of magic perhaps, the access token is sent back to my console application.
Two things I'm not quite sure about:
1) How do I prompt for the username and/or password in the console app and send that to the authentication URL?
2) How would I get the access token back from it?
The biggest problem is that the API seems to require a browser... Which isn't there. My console application will (eventually) run unattended, so starting up a browser and displaying a webpage and doing nothing until it returns a code, is out of the question. I need to somehow supply the authentication page a username/password and get back the code right away.
I've begun working on the proof-of-concept for an iOS application that we'll be developing that leverages REST-based web services (implemented in Java using restEASY). I will be using RestKit as my client-side services library, and have been reading up on the documentation and some examples.
The vast majority of the services will require that a user be authenticated with a username and password. We have authentication services in place that accept a JSON object containing the credentials, so that part is easy. My question is, how do we handle the iOS piece when a service says that authentication is required?
Imagine this scenario...
A user starts up our app and it recognizes that the user needs to authenticate. A modal view controller pops up, prompts the user for authentication, and submits the request. The user is then able to make a bunch of REST calls with no problem. Eventually, they turn off their phone (app is still active) and come back to it an hour or so later. They click a button to fire off another REST call, but by this time the server-side session has expired.
Ideally, we'd like to be able to recognize that the server has indicated authentication is required, and pop up the modal view controller again. But, does RestKit have support for this? Is there any way for us to register a "global response handler" that is able to recognize that the server has responded this way?
We can return a status code in JSON or use an HTTP status code. We have flexibility on our services. The real question is how to handle this in the ideal way on the client. And, once we've reauthenticated the user, is there any way to replay the request they originally tried to submit? Or, would they have to kick off the action again?
Sorry if this doesn't make sense or if it's a very simple problem to solve. As I'm just getting started with RestKit, I wanted to make sure I was doing this the right way to avoid future problems. Any advice, code samples, tutorials, etc. that you can provide would be GREATLY appreciated.
I would suggest that you make a request to the server in your AppDelegate
- (void)applicationDidBecomeActive:(UIApplication *)application or
- (void)applicationWillEnterForeground:(UIApplication *)application method that sends the old authentication token. The server can then provide a response if the token is valid or invalid.
If your AppDelegate adopts the RKObjectLoaderDelegate protocol then it can handle the response. That way, whenever the application becomes active, the user is prompted to re-authenticate if necessary.
I'm working on an app using facebook & oauth. The app lives inside a facebook canvas, and the authentication is done server side. The app is done w/ Ruby on Rails 3.2, using Koala for dealing with the api (and mongodb as backend, for what it's worth), and hosted on heroku.
So, I supply the heroku url as redirect_url for the callback. Which makes the user go out of the canvas after the authentication, and well, I want it to stay inside. I read a few threads about this that suggested I redirect to the canvas url with js once the authentication is done. I did that, but now it seems that my session token is never set, and the user goes through the auth flow every time he tries to see a non-public page (which means he loops on the welcome page, having an "invisible" exchange with facebook each time).
I don't really get what I'm doing wrong here, so any help is welcome. If you need more informations, just ask.
Thanks for your time!
So I found what was my problem : the page my canvas pointed to was a "public" page, and did not handle anything authentication related, meaning it didn't parse the signed_request, or anything else. I ended up setting a special endpoint for the canvas in charge of handling the signed_request logic, and now it works as one would expect.