I am writing a mobile phone app that allows users to register with Facebook. Once registered, users can access personalized information through a RESTful web service that I will host.
I have seen many mobile apps that appear to use a similar set-up, with only Facebook (or Twitter) OAuth for user authentication, and I am wondering how it is done?
I thought that, to protect this web service, I could use HTTP Basic authentication over HTTPS with the user's Facebook OAuth access token as the password.
Is it safe? How do other apps protect their service when they register users only through Facebook?
The pattern usually consists of the following:
- Your app is registered with FB - which means it has an app key.
- When the user logs in using FB - what is actually happening is that they are authorizing the app, so that it can view their data, post to their wall, etc. (according to the permissions the app requests).
- Once the user is logged in - the app can then request their information from FB, as long as it authenticates with the service using the app key.
Then - in your application, you will usually store the user's FB ID, and when you request data (or request to post on the wall, etc.) - you submit your app key along with the user's FB ID, as well as the action you need to take; the FB service then responds with the data you asked for - or takes the action, or tells you it is not allowed.
In a RESTful environment, you are expected to be completely stateless - meaning no sessions are tracked. That is alright, however - because your app already has an app key - so you only need the user's FB ID per request. If you put the ID in a cookie, it is easy - or manage it client-side. How does it work?
When you register your app with Facebook, you need to supply the URL on which you will be hosting that app. This is mainly for supporting cross-site cookies and CORS requests. In other words: as long as your request is coming from the FB-registered URL, and your app is identified with its key, FB knows which user is on your site - because it has full access to its own cookies.
So, to enable your site to use FB for OAuth login:
This essentially means that FB becomes your log-in system; you are asserting the following:
"As long as FB says the user is who they say they are - I believe it too."
Thus - when a user comes to your site and clicks the "Login using Facebook" button - your site will get either success or failure back. You can find more information about this on Facebook's site; in particular, note the following:
- Once FB signals that the login token was successful - you can say that the person retrieving information from FB's API is the person using your site - if you store their FB ID in your database as the primary key, for instance - you can now filter the results of your own API based on that value.
A round trip can look like this:
- An unauthenticated user arrives at your site
- Redirect to / prompt for login with Facebook in order to authenticate
- Determine the user's authenticated identity via the FB Graph API
- Your UI script now presents the FB ID received from the graph to your API layer with each request
- Your API layer filters data depending on the FB ID (your user record) - and returns the appropriate data
Hope this is useful. If you have questions - please ask in the comments, and I will try to expand as much as I can.
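A worked example of the server-side half of the round trip above, as a defender would implement it: the API layer takes the HTTP Basic credentials from the question (username = the FB ID the client claims, password = the user's Facebook OAuth access token), verifies the token against Facebook rather than trusting the claimed ID, and only then filters its own data by that ID. This is an added example, not code from the question, the answer, or Facebook. It assumes a hypothetical app id `OUR_APP_ID`, a fixed clock `NOW`, and a constructed stand-in (`fake_graph_lookup`) for the HTTPS call to Facebook's `/debug_token` endpoint, which the real service would make with its app access token so the app secret never reaches the phone.

```python
import base64

# Constructed values for this example; a real service reads its own app id from config.
OUR_APP_ID = "123456789012345"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Constructed stand-in for Facebook's /debug_token responses. The real call is
# GET https://graph.facebook.com/debug_token?input_token=<user token>&access_token=<app token>
# made server side; the shape of "data" below mirrors that response.
FAKE_DEBUG_TOKEN = {
    "tok-good": {"data": {"app_id": OUR_APP_ID, "is_valid": True, "user_id": "1001",
                          "expires_at": NOW + 3600, "scopes": ["public_profile"]}},
    # valid token, but issued to a different Facebook app: must not log anyone in here
    "tok-other-app": {"data": {"app_id": "999999999999999", "is_valid": True, "user_id": "1001",
                               "expires_at": NOW + 3600, "scopes": ["public_profile"]}},
    # token Facebook itself reports as no longer valid
    "tok-expired": {"data": {"app_id": OUR_APP_ID, "is_valid": False, "user_id": "1001",
                             "expires_at": NOW - 60, "scopes": ["public_profile"]}},
}

# Constructed local user table keyed by Facebook id (the "store the FB ID as primary key" idea).
USERS = {"1001": {"fb_id": "1001", "display_name": "Alice (constructed)"}}


def fake_graph_lookup(token):
    """Constructed replacement for the HTTPS request to /debug_token."""
    return FAKE_DEBUG_TOKEN.get(token)


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None if malformed."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def verify_facebook_token(token, graph_lookup, now=NOW):
    """Return the Facebook user id the token belongs to, or None if the token must be rejected."""
    resp = graph_lookup(token)
    if not resp or "data" not in resp:
        return None
    data = resp["data"]
    if not data.get("is_valid"):
        return None
    # A token that is valid for some *other* app would otherwise let that app's users in.
    if data.get("app_id") != OUR_APP_ID:
        return None
    # A 0 or missing expires_at is treated as "no expiry reported"; is_valid is relied on then.
    expires_at = data.get("expires_at")
    if expires_at and int(expires_at) <= now:
        return None
    return data.get("user_id")


def authenticate_request(authorization_header, graph_lookup, now=NOW):
    """Resolve a request to a verified Facebook user id.

    The client-supplied username (claimed FB ID) is accepted only when the
    verified token really belongs to that id; the claim alone proves nothing.
    """
    creds = parse_basic_auth(authorization_header)
    if creds is None:
        return None
    claimed_id, token = creds
    verified_id = verify_facebook_token(token, graph_lookup, now)
    if verified_id is None or verified_id != claimed_id:
        return None
    return verified_id


def handle_profile_request(authorization_header, graph_lookup, now=NOW):
    """API endpoint: return only the authenticated user's own record (None stands for 401)."""
    uid = authenticate_request(authorization_header, graph_lookup, now)
    if uid is None:
        return None
    return USERS.get(uid)


def basic_header(user, password):
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(handle_profile_request(basic_header("1001", "tok-good"), fake_graph_lookup))
    print(handle_profile_request(basic_header("2002", "tok-good"), fake_graph_lookup))
```

The point of the `claimed_id != verified_id` and `app_id` checks is that, over HTTPS, Basic auth with the access token as password is only as safe as the server's verification of that token: the FB ID presented by the UI script is a lookup key, not a credential, and every request still has to be tied to a token Facebook confirms was issued to your app for that user.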