I'm working on the backend of a mobile application, creating a RESTful API using ASP.NET MVC 4 Web API. The application will run on iOS and Android. My users will only be allowed to log in with their Facebook account, and only once logged in will they be able to use all the functionality.
I do not have much experience with mobile applications, and this is more a matter of design. Which of the two scenarios (or maybe a third?) seems better to you; who should be responsible for Facebook authentication:
- The mobile client is responsible. Without touching the backend, it talks directly to Facebook, lets the user enter their credentials and, once it receives the token from Facebook, accesses the backend for the first time, passing the token in every request.
- The API is responsible. The mobile client tries to access a resource from it. The backend receives no authentication token from the client, so it redirects to the Facebook login. The user enters the credentials, and Facebook's response comes back to the backend, passing the token. The backend is then ready to respond to the client about the desired resource.
Of course, the second scenario means that the backend must use a package such as DotNetOpenAuth to handle OAuth, while in the first scenario all of this happens in the mobile client.
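An added example (not from the question or any answer) of what the first scenario still requires on the backend: a Web API message handler that does not trust the client-supplied Facebook token as-is, but asks Facebook's `debug_token` endpoint whether it is valid and was issued for this app, and takes the user id from that answer rather than from the client. The handler class, the `FB_APP_ID`/`FB_APP_SECRET` settings and the `Authorization: Bearer <token>` header convention are assumptions.

```csharp
// Assumed example: validates a Facebook user access token sent by the mobile client
// on every request. Register with
//   GlobalConfiguration.Configuration.MessageHandlers.Add(new FacebookTokenHandler());
using System;
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class FacebookTokenHandler : DelegatingHandler
{
    // App id/secret come from configuration (assumed keys); never ship the secret to the client.
    private static readonly string AppId = ConfigurationManager.AppSettings["FB_APP_ID"];
    private static readonly string AppSecret = ConfigurationManager.AppSettings["FB_APP_SECRET"];
    private static readonly HttpClient Graph =
        new HttpClient { BaseAddress = new Uri("https://graph.facebook.com/") };

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            return request.CreateResponse(HttpStatusCode.Unauthorized);

        // Graph API token introspection; the app access token is "APP_ID|APP_SECRET".
        var url = string.Format("debug_token?input_token={0}&access_token={1}|{2}",
            Uri.EscapeDataString(auth.Parameter), AppId, AppSecret);
        var resp = await Graph.GetAsync(url, ct);
        if (!resp.IsSuccessStatusCode)
            return request.CreateResponse(HttpStatusCode.Unauthorized);

        var data = JObject.Parse(await resp.Content.ReadAsStringAsync())["data"];
        // Reject malformed replies, expired/revoked tokens, and tokens issued to another app
        // (a valid token for a different Facebook app must not grant access here).
        if (data == null || (bool?)data["is_valid"] != true || (string)data["app_id"] != AppId)
            return request.CreateResponse(HttpStatusCode.Unauthorized);

        // Identity is the user id Facebook reports, not anything the client claimed.
        var userId = (string)data["user_id"];
        var principal = new GenericPrincipal(new GenericIdentity(userId, "Facebook"), new string[0]);
        Thread.CurrentPrincipal = principal;
        if (System.Web.HttpContext.Current != null)
            System.Web.HttpContext.Current.User = principal;

        return await base.SendAsync(request, ct);
    }
}
```

Each request costs a round trip to Facebook; in practice the backend caches the validation result until `expires_at` from the same reply, or exchanges the validated token for its own session token.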