I develop a native Android application that does its authentication, authorization and resource fetching using a WebApi backend.
After many discussions about what is the best and most secure way to implement authentication and authorization using .NET technologies, we decided to use Thinktecture's IdentityServer3.
Before, I was following this series to implement token-based authentication using the ASP.NET Identity system; everything was OK, but after investigation I decided to decouple the authentication server and use Thinktecture's IdentityServer.
So now I have separate web apps hosted on Azure: one for resources and another for authentication using IdentityServer3, plus one native Android client.
My Android client application has authentication using Facebook/Google, and I already implemented this before on Android using Parse, or separately based on the Facebook Android SDK and Google services.
Also, users have roles.
Now I want to know if there is a correct approach for doing this, both from the authentication server perspective and from the client Android application perspective, as there are many discussions about the configuration of IdentityServer3 with native apps. Also, should I use a WebView activity in Android to handle the connection with the authentication server, or native Java code with an HTTP library like Retrofit to send the request and get the response?
Also, with Facebook, I already implemented authentication directly from the Android app using the Facebook Android SDK and I can get the AuthToken; the approach that I am thinking about is like the one shown in this question:
If the Facebook API call from the web server returns valid authentication, and the user id is equal to the one submitted by the Android application, your server can trust the id (and you can be sure that the Android authentication is real).
Or should I depend only on the backend IdentityServer to handle Facebook authentication?
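The server-side check quoted in the question (call Facebook from the backend, compare the returned user id with the one the Android app submitted) can be made concrete. The following is an added example written for this page, not code from the question, the answer or IdentityServer3. It assumes the backend introspects the client-supplied token with Facebook's real `debug_token` endpoint (via an injectable `fetch_json` callable so the demo runs offline against constructed responses); the app id, app secret, tokens and user ids are constructed placeholders. Beyond the bare id comparison, it also rejects tokens that are invalid, issued for a different Facebook app, or already expired, and sends `appsecret_proof` so the call is bound to the app secret.

```python
import hashlib
import hmac
import time
from typing import Any, Callable, Dict, Optional, Tuple

# Real Graph API endpoint for token introspection. Everything else below
# (app id, secret, tokens, user ids) is a constructed placeholder.
DEBUG_TOKEN_URL = "https://graph.facebook.com/debug_token"
OUR_APP_ID = "000000000000000"            # placeholder: this backend's Facebook app id
OUR_APP_SECRET = "placeholder-app-secret"  # placeholder: never ship this to the Android app

# Signature of the HTTP helper the backend injects: (url, query params) -> parsed JSON body.
JsonFetcher = Callable[[str, Dict[str, str]], Dict[str, Any]]


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """HMAC-SHA256 of the access token under the app secret, as Graph API expects
    in the appsecret_proof parameter, so a leaked token alone cannot replay the call."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


def verify_facebook_login(user_token: str, claimed_user_id: str, app_token: str,
                          fetch_json: JsonFetcher, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (True, user_id) only if Facebook confirms the token the app sent
    belongs to claimed_user_id, was issued for OUR app and has not expired."""
    now = time.time() if now is None else now
    params = {
        "input_token": user_token,            # the token the Android client submitted
        "access_token": app_token,            # the backend's own app token ("APP_ID|APP_SECRET")
        "appsecret_proof": appsecret_proof(app_token, OUR_APP_SECRET),
    }
    data = fetch_json(DEBUG_TOKEN_URL, params).get("data") or {}
    if not data.get("is_valid"):
        return False, "token reported invalid"
    if str(data.get("app_id")) != OUR_APP_ID:
        return False, "token issued for another app"   # a valid token for some other app is not ours
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "user id mismatch"               # the client claimed to be someone else
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:
        return False, "token expired"
    return True, str(data["user_id"])


# Constructed canned responses standing in for Facebook so the demo runs offline.
CANNED_RESPONSES: Dict[str, Dict[str, Any]] = {
    "tok-good":      {"data": {"app_id": OUR_APP_ID, "is_valid": True, "user_id": "1001", "expires_at": 5000}},
    "tok-other-app": {"data": {"app_id": "999999999999999", "is_valid": True, "user_id": "1001", "expires_at": 5000}},
    "tok-expired":   {"data": {"app_id": OUR_APP_ID, "is_valid": True, "user_id": "1001", "expires_at": 100}},
    "tok-bogus":     {"data": {"is_valid": False, "error": {"code": 190, "message": "Invalid OAuth access token."}}},
}


def fake_fetch_json(url: str, params: Dict[str, str]) -> Dict[str, Any]:
    """Offline stand-in for an HTTPS GET to the Graph API (constructed data)."""
    return CANNED_RESPONSES.get(params["input_token"], {"data": {"is_valid": False}})


if __name__ == "__main__":
    app_token = OUR_APP_ID + "|" + OUR_APP_SECRET
    for token, claimed in [("tok-good", "1001"), ("tok-good", "1002"),
                           ("tok-other-app", "1001"), ("tok-expired", "1001"), ("tok-bogus", "1001")]:
        print(token, claimed, verify_facebook_login(token, claimed, app_token, fake_fetch_json, now=1000))
```

In production `fetch_json` would be a real HTTPS GET (for example with `requests`) and the app secret stays on the server; the Android app only ever ships the user token it obtained from the Facebook SDK.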
You can use the hybrid flow (if you need access tokens and refresh tokens); you could also use the implicit flow.
Just have a look at this topic.
And about how you can do it: either you can do it with a combination of web views and the hybrid/implicit flow, or do the redirect style to the IdSvr login page. Or use the resource owner password flow.
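The answer's hybrid flow (`response_type=code id_token`) puts the burden on the native client to validate what comes back on the redirect before it trusts anything. The following is an added example written for this page, not code from the answer or from IdentityServer3 or its client libraries. It builds the authorize request against IdentityServer3's `/connect/authorize` endpoint, then validates the fragment-encoded callback: `state` must match the value the client generated, the id_token's `iss`, `aud`, `exp` and `nonce` must check out, and the `c_hash` claim must equal the left half of SHA-256 over the returned `code` (the RS256 rule from OpenID Connect Core), which ties the code to this id_token. Signature verification against the issuer's JWKS is done by an injected `verify_signature` callable (a real deployment would use a JOSE library there); the issuer, client id, redirect URI and the demo id_token are constructed and the demo token is unsigned.

```python
import base64
import hashlib
import json
import secrets
import time
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def half_hash(value: str) -> str:
    """OIDC Core c_hash / at_hash for RS256: base64url of the left-most 128 bits of SHA-256."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def build_authorize_url(authority: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, nonce: str) -> str:
    """Hybrid flow request: code + id_token come back on the redirect, the access token is
    fetched later from the token endpoint using the code."""
    params = {
        "client_id": client_id,
        "response_type": "code id_token",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,   # per-request random value the client keeps to pair request and callback
        "nonce": nonce,   # per-request random value that must reappear inside the id_token
    }
    return authority.rstrip("/") + "/connect/authorize?" + urlencode(params)


def parse_hybrid_callback(callback_url: str) -> Dict[str, str]:
    """Hybrid/implicit responses arrive in the URL fragment, not the query string."""
    fragment = urlparse(callback_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment).items()}


def validate_hybrid_response(callback_url: str, expected_state: str, expected_nonce: str,
                             issuer: str, client_id: str,
                             verify_signature: Callable[[str], bool],
                             now: Optional[float] = None) -> Tuple[bool, Any]:
    """Return (True, claims) when the callback is one this client asked for, else (False, reason)."""
    now = time.time() if now is None else now
    resp = parse_hybrid_callback(callback_url)
    if "error" in resp:
        return False, "server returned error: " + resp["error"]
    if not secrets.compare_digest(resp.get("state", ""), expected_state):
        return False, "state mismatch"          # not a reply to our request (or a forged callback)
    code, id_token = resp.get("code"), resp.get("id_token")
    if not code or not id_token:
        return False, "missing code or id_token"
    if not verify_signature(id_token):
        return False, "bad signature"           # must be checked before any claim is read
    try:
        claims = json.loads(b64url_decode(id_token.split(".")[1]))
    except (IndexError, ValueError):
        return False, "malformed id_token"
    if claims.get("iss") != issuer:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not issued to this client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "id_token expired"
    if not secrets.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        return False, "nonce mismatch"          # replayed id_token from another request
    if not secrets.compare_digest(str(claims.get("c_hash", "")), half_hash(code)):
        return False, "c_hash mismatch"         # code does not belong to this id_token
    return True, claims


def make_demo_id_token(claims: Dict[str, Any]) -> str:
    """Constructed, UNSIGNED token for the offline demo; a real one is signed by IdentityServer."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return header + "." + b64url_encode(json.dumps(claims).encode()) + ".demo-signature"


if __name__ == "__main__":
    issuer, client_id, redirect = "https://idsvr.example/", "android.client", "myapp://callback"
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(issuer, client_id, redirect, "openid profile api", state, nonce))
    code = "constructed-code-123"
    token = make_demo_id_token({"iss": issuer, "aud": client_id, "sub": "42", "nonce": nonce,
                                "exp": int(time.time()) + 300, "c_hash": half_hash(code)})
    callback = redirect + "#" + urlencode({"code": code, "id_token": token, "state": state})
    print(validate_hybrid_response(callback, state, nonce, issuer, client_id, lambda t: True))
```

The same state/nonce/hash checks apply whether the redirect is captured by a WebView or by a custom-scheme intent; what changes is only how the callback URL reaches the validation code.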