Question
So I need to create a REST API to provide functionality to an iOS app. We allow users to sign up with just a plain account OR with Facebook/Google login.
I have been reading up on OAuth lately and I think I understand the process of how I would use OAuth in my situation (when users use Facebook/Google login) to register an account on my app:
- I register my iOS app with various social providers (e.g. FB/Google). I end up with client ID/client secret keys that I safely store in the backend.
- Now the user clicks the social login button in the app, which redirects the user to the social website to log in and give permissions for my app to use their social account.
- The social OAuth provider redirects the user back to my server with an authorization code.
- Once my server has the authorization code, I use that, the client ID and secret (or whatever other specific credentials are needed) to retrieve an access token from the social OAuth provider.
- Now I have the user's access token and can use their social resources for some period of time (yay).
- Once I have their social access token, I also issue a generated access token for the app to use when making requests to my REST API (the app will only communicate with my REST API from now on).
My questions:
- Is the above process a good practice?
- Let's say the user logs out from the app (not from their social account!). I still have their social access token, but I destroy the other token I issued to them for using my REST API. Now the user comes back to log in to my app using a social login (e.g. FB/Google). How will I re-authenticate these users? I know I would not need the user to provide permissions again, but how can I know they are legitimate users of FB/Google and also have an account on my server side? What would FB/Google provide back to the app upon a successful login that I can send back to my server saying: "Yep, this user is a legit social user of FB/Google."? In the above registration procedure, a social OAuth provider would provide an authorization code. What would I get in this case (subsequent logins)?
Basically, I need to find a way to reissue an access token for my REST API to the successfully re-logged-in FB/Google user of the app.
Answer 1:
To answer your questions:
- Is the above process a good practice?
Yes, this is indeed a good practice. Why, you ask? You are not storing the client ID/secret on the mobile end, you are just redirecting to the social provider's site for OAuth authentication, and the communication happens server to server, which is also considered secure.
Regarding the access token of the third-party provider: unless you want to access resources on the social provider later, you don't have to store their access token at all, i.e. once you have authenticated, you can safely discard their access token and generate your own.
For the second question:
You don't have to worry about it, i.e. once the user logs out, you just have to revoke the access token issued by you.
Regarding the OAuth process, you just have to redirect to the OAuth flow for the social provider (and not worry about whether the user is logged in or not); the social provider will take care of it. You will get the authorization code in the end, and you just have to process it as if it were the first time.
Hope this answers your questions!
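The flow in the question, together with the answer's advice (revoke your own token on logout, run the same OAuth redirect again, and treat the returned code exactly like a first login), modelled as an added example that is not part of the original question or answer. The provider is an in-process stand-in for Facebook/Google, and the client ID/secret and subject values are constructed; the backend keys local accounts on the provider's stable subject identifier, keeps the client secret server-side, discards the provider's access token, and issues its own opaque API token. The `state` check on the callback is an addition of this example: it ties the returned code to a login the server actually started, so a code pasted in from elsewhere is rejected.

```python
"""Added example (not from the original post): authorization-code login,
logout, and re-login for a backend that fronts an iOS app.  Everything is
simulated in-process; no real Facebook/Google endpoints are contacted."""
import hashlib
import secrets
import time


class FakeProvider:
    """Constructed stand-in for a social OAuth provider (FB/Google)."""

    def __init__(self, name, clients):
        self.name = name
        self._clients = clients  # client_id -> client_secret, registered by the app developer
        self._codes = {}         # authorization code -> (subject id, client_id)

    def issue_code(self, subject, client_id):
        # The provider has authenticated the user; it hands back a code bound to our client.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, client_id)
        return code

    def exchange(self, code, client_id, client_secret):
        entry = self._codes.pop(code, None)  # single use: a replayed code fails here
        if entry is None or entry[1] != client_id:
            raise ValueError("unknown or already-used authorization code")
        if not secrets.compare_digest(self._clients.get(client_id, ""), client_secret):
            raise ValueError("bad client credentials")
        # "sub" is the provider's stable user id; the access token is for their API only.
        return {"access_token": secrets.token_urlsafe(16), "sub": entry[0]}


class Backend:
    TOKEN_TTL = 3600  # seconds an API token issued by us stays valid (constructed value)

    def __init__(self, provider, client_id, client_secret):
        self.provider = provider
        self.client_id = client_id
        self.client_secret = client_secret  # stays on the server, never shipped in the app
        self.users = {}                     # (provider name, subject) -> local user id
        self.pending_states = set()         # logins this server started and has not finished
        self.sessions = {}                  # sha256(api token) -> (user id, expiry)

    def begin_login(self):
        # The app sends the user to the provider with this state; it comes back on the callback.
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def handle_callback(self, code, state):
        # Identical handling for the first login and every later re-login (the answer's point).
        if state not in self.pending_states:
            raise ValueError("unknown state: callback not tied to a login we started")
        self.pending_states.discard(state)
        result = self.provider.exchange(code, self.client_id, self.client_secret)
        key = (self.provider.name, result["sub"])
        user_id = self.users.get(key)
        if user_id is None:
            user_id = len(self.users) + 1  # first time this subject is seen: register
            self.users[key] = user_id
        # result["access_token"] is deliberately not kept; we only needed the identity.
        return self._issue_api_token(user_id)

    def _issue_api_token(self, user_id):
        token = secrets.token_urlsafe(32)  # opaque token; only its hash is stored
        self.sessions[self._digest(token)] = (user_id, time.time() + self.TOKEN_TTL)
        return token

    def authenticate(self, token):
        entry = self.sessions.get(self._digest(token))
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]

    def logout(self, token):
        self.sessions.pop(self._digest(token), None)  # revoke our token only

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()


def run_demo():
    """First login, logout, re-login, and a replayed code; returns what each step produced."""
    provider = FakeProvider("google", {"ios-app-client-id": "ios-app-client-secret"})
    backend = Backend(provider, "ios-app-client-id", "ios-app-client-secret")
    state = backend.begin_login()
    code = provider.issue_code("provider-subject-42", "ios-app-client-id")
    first_token = backend.handle_callback(code, state)
    first_user = backend.authenticate(first_token)
    backend.logout(first_token)
    after_logout = backend.authenticate(first_token)
    state = backend.begin_login()  # re-login: same redirect, new code, same account
    code = provider.issue_code("provider-subject-42", "ios-app-client-id")
    second_token = backend.handle_callback(code, state)
    try:
        backend.handle_callback(code, backend.begin_login())  # replaying the used code
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"first_user": first_user, "after_logout": after_logout,
            "second_user": backend.authenticate(second_token),
            "new_token": second_token != first_token,
            "accounts": len(backend.users), "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The account lookup is keyed on `(provider, sub)` rather than on an e-mail address, because the subject is the value the provider guarantees to be stable for one user; storing only a hash of the API token means a leaked session table does not yield usable tokens.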
Source: https://stackoverflow.com/questions/37515836/reauthenticate-user-from-google-facebook-accounts