
How can I authenticate my mobile application and underlying server using Facebook?

The behaviour I want is simple:

  1. User starts up the application.
  2. User is prompted for their Facebook username and password.
  3. On successful login, user is now authenticated for the application and the web server. There is now a user in the server associated with the Facebook ID. All further HTTP requests will have a cookie that is authenticated on the web server.

There are a few problems with this behaviour, as far as I can see.

Facebook

You cannot log in programmatically, according to the terms of service; sign-on must be done via the Facebook website or SDK, both of which are interactive. Therefore, I cannot create my own form, pass the username and password to my web server, log in there and respond with the successful cookie set.

Security

If the user logs in via the application, they are authenticated for the application only. Passing the Facebook ID to my web server could be done, but considering how easy it is to find out a user's FB ID, it would be very easy to spoof the server. I've considered auto-generating a password in the application, but this only reduces the window for spoofing and doesn't close the hole entirely.

(Security isn't actually a big deal for my project, but I don't want to leave such an obvious hole.)


My technology is iOS 3.0+ for the mobile application and Google App Engine for the server, running a modified version of Django.

The solution I've worked out, which I believe works around the limitations, is as follows:

  1. User starts up the application.
  2. Application checks whether the currently set cookie is authenticated on the server.
  3. If not, open Safari via URL scheme to actual page on web server with option to login via Facebook (or any other authentication systems I add at a later date).
  4. User authenticates and server creates user (if necessary) associated with the Facebook ID.
  5. Successfully logged in, server redirects to page that calls mobile application URL scheme with the cookie ID as a parameter.
  6. Success?

So, my question: am I doing the right thing? Are any of my assumptions wrong?

You can try using the OAuth framework.
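The flow the question lays out in steps 1 to 6, together with the answer's suggestion to use OAuth, as an added example that is not part of the original question or answer: a small Python model of the server side, written for this page and not taken from the asker's Django/App Engine code. Facebook's token check is replaced by a constructed in-memory stub (`FAKE_FACEBOOK_TOKENS`, `facebook_verify_token`), and the server URL, the `myapp://` scheme and every function name are assumptions. It demonstrates the point the question worries about: the server accepts only a Facebook access token it has verified itself, never a client-supplied Facebook ID; it ties the Safari login to the app launch with a `state` value; and it hands the app a single-use, short-lived exchange code through the URL scheme instead of the session cookie, so the cookie never appears in a URL or in Safari's history.

```python
import secrets
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for Facebook's token check. A real server would call the
# Graph API over HTTPS (e.g. GET /me?access_token=... or GET /debug_token with
# an app token) and read the user id and app id from the response.
OUR_APP_ID = "APP_ID_123"
FAKE_FACEBOOK_TOKENS: Dict[str, Tuple[str, str, float]] = {
    # access token -> (facebook user id, app the token was issued to, expiry)
    "EAAB-valid-token": ("100000123456789", OUR_APP_ID, time.time() + 3600),
    "EAAB-other-app": ("100000123456789", "APP_ID_999", time.time() + 3600),
}


def facebook_verify_token(access_token: str) -> Optional[str]:
    """Return the Facebook user id a token proves, or None if it proves nothing."""
    entry = FAKE_FACEBOOK_TOKENS.get(access_token)
    if entry is None:
        return None
    fb_id, app_id, expires_at = entry
    # A token minted for some other app must not log a user into ours.
    if app_id != OUR_APP_ID or expires_at < time.time():
        return None
    return fb_id


class AuthServer:
    """Server side of the Safari-based login flow (assumed design, not the asker's code)."""

    CODE_TTL = 60  # seconds the app has to redeem an exchange code

    def __init__(self) -> None:
        self.users: Dict[str, int] = {}                 # facebook id -> local user id
        self.sessions: Dict[str, int] = {}              # session cookie -> local user id
        self.codes: Dict[str, Tuple[str, float]] = {}   # exchange code -> (cookie, expiry)
        self.states: Set[str] = set()                   # login attempts started by the app

    def begin_login(self) -> Tuple[str, str]:
        """Step 3: the app keeps `state` and opens the returned URL in Safari."""
        state = secrets.token_urlsafe(16)
        self.states.add(state)
        return state, f"https://example-server.appspot.com/login?state={state}"

    def facebook_callback(self, access_token: str, state: str) -> Optional[str]:
        """Steps 4-5: Facebook login finished in Safari; create the user and
        session, then redirect to the app with a one-time code, never the cookie."""
        if state not in self.states:        # callback not tied to a login we started
            return None
        self.states.discard(state)          # each state is good for one attempt only
        fb_id = facebook_verify_token(access_token)
        if fb_id is None:                   # the only thing trusted is Facebook's answer
            return None
        user_id = self.users.setdefault(fb_id, len(self.users) + 1)
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user_id
        code = secrets.token_urlsafe(24)
        self.codes[code] = (cookie, time.time() + self.CODE_TTL)
        return f"myapp://login?code={code}"

    def redeem_code(self, code: str) -> Optional[str]:
        """Called by the app over HTTPS; swaps the single-use code for the cookie."""
        entry = self.codes.pop(code, None)
        if entry is None:
            return None
        cookie, expires_at = entry
        if expires_at < time.time():        # stale code: discard the session as well
            self.sessions.pop(cookie, None)
            return None
        return cookie

    def is_authenticated(self, cookie: Optional[str]) -> bool:
        """Step 2: what the app asks on startup."""
        return cookie is not None and cookie in self.sessions


def extract_code(callback_url: str) -> Optional[str]:
    """App side: pull the exchange code out of the myapp:// URL Safari handed over."""
    parsed = urlparse(callback_url)
    if parsed.scheme != "myapp" or parsed.netloc != "login":
        return None
    return parse_qs(parsed.query).get("code", [None])[0]


def run_flow(server: AuthServer, access_token: str) -> Optional[str]:
    """Whole round trip; returns the session cookie the app ends up holding."""
    state, _safari_url = server.begin_login()
    redirect = server.facebook_callback(access_token, state)
    if redirect is None:
        return None
    code = extract_code(redirect)
    return server.redeem_code(code) if code else None


if __name__ == "__main__":
    srv = AuthServer()
    print("genuine login:", run_flow(srv, "EAAB-valid-token") is not None)
    print("forged token: ", run_flow(srv, "i-know-your-fb-id-100000123456789"))
```

Running the file directly shows a genuine login succeeding and a forged token being refused even though the attacker knows the victim's Facebook ID. The stub is the one place a real Graph API call would go; the app-side counterpart is just the URL-scheme handler calling `extract_code` and then `redeem_code` over HTTPS, after which every later request carries the cookie the server minted.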

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any question, please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM