Re-authenticate users from Google / Facebook accounts

So, I need to create a REST API to provide the functionality of an iOS application. We only allow users to sign up with a simple account or with a Facebook / Google login.

I read about OAuth lately and I think I understand the process of using OAuth in my situation (when users who use Facebook / Google login register an account in my application):

  • I register an iOS application with various social providers (e.g. FB / Google). As a result, I have a client identifier and client secret, which I store securely in the backend.
  • Now the user clicks this social login button in the application, which then redirects the user to the social website to log in and gives permission for my application to use his social account.
  • The social provider will redirect the user back to my server using an authorization code.
  • After my server has an authorization code, I will use it, client ID and secret (or any other special credentials) to get an access token from a social service provider.
  • Now I have a user access token and can use their social resources for some period of time (yay).
  • After I have a social access token, I also issue a generated access token for the application that will be used when accessing my REST api (the application will only communicate with my REST api).

My questions:

  • Is the above process a good practice?
  • Let's say a user logs out of the application (and not from his social account!). I still have my social access token, but I'm destroying the other token that I gave them for using my REST API. Now the user returns to enter my application using a social login (for example, Fb / Google). How will I re-authenticate these users? I know that I don't need the user to grant permissions again, but how can I find out that they are legitimate Fb / Google users and also have an account on my server side? What will Fb / Google return to the application after a successful login so that I can send it back to my server, saying: "Yes, this user is a legitimate social user of Fb / Google"? In the above registration procedure, the social provider must provide an authorization code. What would I get in this case (subsequent logins)?

Basically, I need to find a way to reissue the access token in my REST API so that the application can be used again after an FB / Google login.

+3
authentication ios facebook oauth
May 29 '16 at 23:14
1 answer

To answer your questions,

  • Is the above process a good practice?

Yes, this is really good practice, why are you asking? You do not store the client Id / Secret on the mobile end, you simply redirect to the site of the social authentication provider's OAuth flow, and data is exchanged server-to-server, which is also considered safe.

As for the third-party access token, if you do not want to later access the resources of the social provider, you do not need to store any of their access tokens, i.e. after authentication you can safely discard their access token and create your own.

For the second question

You do not need to worry about this, that is, as soon as the user logs out, you just need to revoke the accessToken you issued.

As for the OAuth process, you just need to redirect to the OAuth flow of the social provider (and not worry about whether the user is logged in or not); the social provider will take care of this, you will receive an authorization code in the end, and you just need to process it like the first time.

Hope this answers your questions!

+2
May 30 '16 at 8:13
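The flow the question and the answer describe, as an added example that is not part of the original post or of any provider's SDK: a constructed stand-in for the social provider's token endpoint (names `FakeSocialProvider`, `ApiServer`, the client id `my-app` and the secret `server-only-secret` are all assumptions for this illustration) hands out single-use authorization codes; the backend redeems a code with the client credentials it keeps server-side, links the result to a local account by the provider's stable user id, discards the provider's access token, and issues its own API token. Logout revokes only that API token, and a later social login simply repeats the code exchange and maps to the same local account.

```python
import hashlib
import secrets
import time


# Constructed stand-in for a social provider's authorization server (Facebook /
# Google in the question). It issues single-use authorization codes and, on a
# server-to-server call, exchanges them for an access token plus the provider's
# stable user id ("sub"). Hypothetical: not any real provider's API.
class FakeSocialProvider:
    def __init__(self, name, client_id, client_secret):
        self.name = name
        self._client = (client_id, client_secret)
        self._pending_codes = {}  # authorization code -> provider user id

    def issue_authorization_code(self, provider_user_id):
        # What the provider hands back after the user consents (or, on a later
        # login, after the provider recognises the consent already given).
        code = secrets.token_urlsafe(16)
        self._pending_codes[code] = provider_user_id
        return code

    def exchange_code(self, code, client_id, client_secret):
        # Only the registered client may redeem a code, and each code works once.
        if not (secrets.compare_digest(client_id, self._client[0])
                and secrets.compare_digest(client_secret, self._client[1])):
            raise PermissionError("unknown client credentials")
        provider_user_id = self._pending_codes.pop(code, None)
        if provider_user_id is None:
            raise ValueError("invalid, expired or already-used authorization code")
        return {"access_token": secrets.token_urlsafe(16), "sub": provider_user_id}


class ApiServer:
    """Hypothetical backend: redeems codes, maps provider identities to local
    accounts and issues its own API tokens (the app only ever talks to it)."""

    TOKEN_TTL = 3600  # seconds an issued API token stays valid (assumed value)

    def __init__(self, providers, client_id, client_secret):
        self._providers = {p.name: p for p in providers}
        # Client credentials live only here, never in the iOS app.
        self._client_id, self._client_secret = client_id, client_secret
        self._accounts = {}  # (provider name, provider user id) -> local user id
        self._sessions = {}  # sha256(api token) -> (local user id, expiry)

    def login_with_code(self, provider_name, code, now=None):
        """First login and every later login are the same step: redeem the code."""
        now = time.time() if now is None else now
        provider = self._providers[provider_name]
        info = provider.exchange_code(code, self._client_id, self._client_secret)
        # Link by the provider's stable user id, never by a display name or
        # e-mail the user could change; create the local account on first sight.
        key = (provider_name, info["sub"])
        user_id = self._accounts.setdefault(key, f"user-{len(self._accounts) + 1}")
        # The provider's access token is not needed afterwards, so it is dropped
        # here (as the answer suggests); only a hash of our own token is stored,
        # so a leaked session table does not yield usable tokens.
        api_token = secrets.token_urlsafe(32)
        self._sessions[self._hash(api_token)] = (user_id, now + self.TOKEN_TTL)
        return api_token

    def authenticate(self, api_token, now=None):
        """Return the local user id for a valid API token, else None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._hash(api_token))
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def logout(self, api_token):
        # Revokes only our token; the user's social account session is untouched.
        self._sessions.pop(self._hash(api_token), None)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    fb = FakeSocialProvider("facebook", "my-app", "server-only-secret")
    api = ApiServer([fb], "my-app", "server-only-secret")
    first = api.login_with_code("facebook", fb.issue_authorization_code("fb-10001"))
    print("first login ->", api.authenticate(first))
    api.logout(first)
    print("after logout ->", api.authenticate(first))
    again = api.login_with_code("facebook", fb.issue_authorization_code("fb-10001"))
    print("second login, same account ->", api.authenticate(again))
```

The point of the second login is that nothing from the first session is needed: the provider issues a fresh authorization code, the backend redeems it with the same server-side credentials, and the `(provider, sub)` key finds the account created the first time. Linking on the provider's user id rather than on an e-mail address matters because e-mail can be changed or, with some providers, left unverified.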


