REST API for website which uses Facebook for authentication

Front-end | unresolved | 3 answers | 1246 views
刺人心 2020-11-30 16:29

We have a website where the only way to log in and authenticate yourself with the site is with Facebook (this was not my choice). The first time you login with Faceb

3 answers
  •  醉梦人生
    2020-11-30 16:54

    I am trying to answer the same question and have been going through a lot of reading recently...

    I won't have "the" answer but things are getting a little clearer for me. Have you read the comments in the article you mentioned? I found them really interesting and helpful.

    As a result, and in the light of how things have evolved since the first article has been written, here's what I think I'll do:

    • HTTPS everywhere — this allows you to forget about HMAC, signing, nonce, ...

    • Use OAuth2:

      • When authentication requests come from my own apps/website, use this 'trick' (or a variation of it) described in a reply to the article mentioned before.

      • In my case, I have two types of users: those with classic login/password credentials and those who have signed up with Facebook Connect.
        So I'd provide a regular login form with a "Login with Facebook" button. If the user logs in with his "classic" credentials, I'd just send these to my OAuth2 endpoint with a grant_type=password.
        If he chooses to log in via Facebook, I think that would be a two-step process:

        • First, use Facebook iOS SDK to open an FBSession
        • When that's done and the app is given back control, there should be a way to get a Facebook ID for that user. I'd send this ID alone to my OAuth2 endpoint with an extension grant understood by my server as "using an FB User ID".

    Please note that I am still heavily researching all this stuff, so that might not be a perfect answer... maybe not even a correct one! But I think that would make for a good starting point. The idea of using an "extension grant" for the Facebook authentication might involve having to register it to do things properly? I'm not quite sure.

    Anyway, I hope I was able to help you even a bit, and that at least it can start a discussion to find the best solution to this problem :)

    Update
    The Facebook login is not a solution as pointed in the comments: anybody could send an arbitrary user ID and log in as this user on the API.

    What about doing it like this:

    • Show a login form with a "Facebook login" button
    • If this login method is chosen, act kind of like the Facebook SDK: open a web page from your authentication server, which will initiate the Facebook login.
    • Once the user has logged in, Facebook will use your redirect URL to confirm; make that URL point to another endpoint of your authentication server (possibly with an extra parameter indicating the call came from an app?)
    • When the authentication endpoint is hit, the authentication server can securely identify the user, retain their FB User ID/FB Session and return an access token to your app using a custom URL scheme, just like the Facebook SDK would do

    Looks better?
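As an added example (not part of the answer above, nor code from Facebook's SDK), the following puts the two designs the answer discusses side by side: the first approach, where the app sends a Facebook user ID alone and the API believes it, and the updated approach, where the authentication server receives Facebook's redirect, exchanges the authorization code itself, asks Facebook who the token belongs to, and only then issues its own access token. The Graph API paths are the documented ones; the API version, the `FakeFacebook` stand-in and all sample values are assumptions made so the example runs offline.

```python
"""Added example (not code from the answer above or from Facebook's SDK).

login_by_fb_user_id() believes a Facebook ID sent by the client (the design
the answer's update rejects), while AuthServer exchanges Facebook's
authorization code server-side, asks Facebook who the token belongs to, and
only then mints an API token.  Graph API paths are the documented ones; the
API version, FakeFacebook and every sample value are assumptions.
"""
import hmac
import secrets
import urllib.parse
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

GRAPH = "https://graph.facebook.com/v19.0"            # version: assumption
DIALOG = "https://www.facebook.com/v19.0/dialog/oauth"


def login_by_fb_user_id(fb_user_id: str, sessions: Dict[str, str]) -> str:
    """Rejected design: issue a token for whatever Facebook ID the app sends.

    Nothing proves the caller is that user; anyone who knows a victim's
    numeric Facebook ID gets a token for the victim's account."""
    token = secrets.token_urlsafe(32)
    sessions[token] = fb_user_id
    return token


@dataclass
class AuthServer:
    """The answer's 'authentication server': owns the app secret and redirect URL."""
    app_id: str
    app_secret: str
    redirect_uri: str
    http_get_json: Callable[[str], dict]                   # injected: real HTTP or a fake
    sessions: Dict[str, str] = field(default_factory=dict)  # API token -> FB user id

    def begin_login(self) -> Tuple[str, str]:
        """Step 1: send the browser to Facebook's dialog, bound to a random state."""
        state = secrets.token_urlsafe(16)
        url = DIALOG + "?" + urllib.parse.urlencode({
            "client_id": self.app_id, "redirect_uri": self.redirect_uri,
            "state": state, "scope": "public_profile"})
        return state, url

    def finish_login(self, params: dict, expected_state: str) -> str:
        """Step 2: Facebook redirected back with ?code=...&state=...; return an API token."""
        # The state must be the one this session started with, or an attacker
        # could splice a code from their own Facebook login into the victim's flow.
        if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
            raise PermissionError("state mismatch")
        # Exchange the one-time code; client_secret never leaves the server.
        exchange = self.http_get_json(f"{GRAPH}/oauth/access_token?" + urllib.parse.urlencode({
            "client_id": self.app_id, "client_secret": self.app_secret,
            "redirect_uri": self.redirect_uri, "code": params.get("code", "")}))
        if "error" in exchange:
            raise PermissionError(exchange["error"]["message"])
        # Let Facebook, not the client, say who the token belongs to, using the
        # app access token (app_id|app_secret) and refusing tokens for other apps.
        info = self.http_get_json(f"{GRAPH}/debug_token?" + urllib.parse.urlencode({
            "input_token": exchange["access_token"],
            "access_token": f"{self.app_id}|{self.app_secret}"}))["data"]
        if not info.get("is_valid") or info.get("app_id") != self.app_id:
            raise PermissionError("Facebook token not valid for this app")
        api_token = secrets.token_urlsafe(32)
        self.sessions[api_token] = info["user_id"]
        return api_token


class FakeFacebook:
    """Constructed stand-in for the two Graph API calls so the example runs offline."""

    def __init__(self, app_id: str, app_secret: str, codes: Dict[str, str]):
        self.app_id, self.app_secret = app_id, app_secret
        self.codes = codes                                 # one-time code -> FB user id
        self.tokens: Dict[str, str] = {}                   # FB access token -> FB user id

    def get_json(self, url: str) -> dict:
        path, _, query = url.partition("?")
        q = dict(urllib.parse.parse_qsl(query))
        if path.endswith("/oauth/access_token"):
            if q.get("client_secret") != self.app_secret or q.get("code") not in self.codes:
                return {"error": {"message": "Invalid verification code format."}}
            token = "EAA" + secrets.token_hex(8)
            self.tokens[token] = self.codes.pop(q["code"])  # codes are single-use
            return {"access_token": token, "token_type": "bearer"}
        if path.endswith("/debug_token"):
            uid = self.tokens.get(q.get("input_token", ""))
            return {"data": {"app_id": self.app_id, "is_valid": uid is not None, "user_id": uid}}
        raise ValueError("unexpected URL " + url)
```

The point of the split is where the user's identity comes from: in `login_by_fb_user_id` it is a string the client chose, in `AuthServer.finish_login` it is what Facebook returns for a token obtained with the app secret. Replaying a used code or returning with a state the server did not issue both fail before any API token exists.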
