I am building a back end for an iOS application in Rails. Users should be able to log in to the application either with a username and password specific to the application or via Twitter, but I'm not quite sure how to set up the login flow through Twitter.
If I use OmniAuth, then it seems that the flow is as follows:
- The iOS app sends the user to Safari, to the /auth/twitter page that OmniAuth installs for me
- The /auth/twitter page sends the user to Twitter for OAuth authentication
- Twitter returns the user to /auth/twitter/callback, and OmniAuth gives me a complete hash containing the user's information
- ????
- The iOS app now has the credentials it needs to identify the user when it calls my APIs
- Authentication is complete; use of the application continues as usual
Step 4, returning the credentials to the iOS application, is the one I don't know how to set up. All of my APIs called by the iOS app are stateless; if they require an authenticated user, then the user's credentials are included in the API call. I am not very good at writing iOS apps and know almost nothing about how apps interact with Safari.
What is a safe way to return user credentials to an application? One that cannot be snooped? If I have a callback page that puts the information in a cookie or in a session, will it be accessible to the application but not to anyone monitoring the traffic?
Alternatively, could the application attach some identifier for itself to the first call to /auth/twitter, and could Twitter and OmniAuth preserve that identifier so that it is included in /auth/twitter/callback, so that the application can then ask my back end for the credentials that have just been associated with that identifier?
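One way to fill in step 4 along the lines of the second alternative in the question, as an added example that is not part of the original post and not OmniAuth's or Rails' own code: the iOS app generates a random state value before opening Safari and appends it to /auth/twitter; in the callback (where the Twitter auth hash is in request.env['omniauth.auth'] and the request-phase query parameters are exposed as request.env['omniauth.params']) the server looks up or creates the user, mints an API token, and redirects to the app's custom URL scheme carrying only a short-lived, single-use code rather than the token itself. The app then exchanges that code together with its state for the token over an ordinary HTTPS API call. The Rails controller glue is left out so the class runs stand-alone; the TTL, the `myiosapp` URL scheme and the in-memory store are assumptions for illustration.

```ruby
require 'securerandom'

# Added example (not from the question). Hands a freshly minted API token
# to the iOS app via a one-time code instead of placing the token in the
# redirect, a cookie or the session. The code is short-lived, redeemable
# once, and bound to a state value only the app knows, so another app that
# registers the same URL scheme and captures the redirect cannot use it.
class LoginHandoff
  CODE_TTL = 60 # seconds a code stays redeemable (assumed value)

  # `clock` is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @pending = {} # code => { token:, state:, expires_at: } (in-memory store, an assumption)
  end

  # Called from the OmniAuth callback after the user has been looked up or
  # created from the auth hash. `state` is the random value the iOS app
  # appended to /auth/twitter, read back from request.env['omniauth.params'].
  # Returns the one-time code to put in the redirect to the app.
  def issue(api_token, state)
    raise ArgumentError, 'missing state' if state.nil? || state.empty?
    code = SecureRandom.urlsafe_base64(32)
    @pending[code] = { token: api_token, state: state, expires_at: @clock.call + CODE_TTL }
    code
  end

  # Called by the app's follow-up API request. Returns the API token exactly
  # once, or nil if the code is unknown, expired, already used, or the state
  # does not match. The entry is removed even on failure, so a stolen code
  # cannot be retried with a guessed state.
  def redeem(code, state)
    entry = @pending.delete(code)
    return nil if entry.nil?
    return nil if @clock.call > entry[:expires_at]
    return nil unless secure_equal?(entry[:state], state.to_s)
    entry[:token]
  end

  # Redirect target for the app's custom URL scheme (scheme name is an assumption).
  # Only the code travels here; the token never leaves the HTTPS API.
  def app_redirect_url(code, scheme: 'myiosapp')
    "#{scheme}://login?code=#{code}"
  end

  private

  # Constant-time comparison so a mismatch does not leak how many leading
  # bytes of the state were correct.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The API token itself is issued and stored the same way the username/password login would issue one; the handoff class only controls how it reaches the app. A cookie or Rails session set in Safari is of no use here, because the iOS app does not share Safari's cookie jar, and putting the token directly in the URL-scheme redirect exposes it to any app that claims the same scheme, which is why the code is single-use and state-bound.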