Using spring-security-facebook grails plugin from an android app

Question

I have been using spring-security-facebook grails plugin in a website and it works like a charm.

In fact, it works so well, that I haven't had to dig too much into how it works and that's probably why I am stuck right now.

I have a webapp that exposes a json REST API . Authentication can be done using user/password or by using facebook credentials, and for that I've been using this plugin. I just need authentication and user's email. I've been using the redirect filter for this purpose (FacebookAuthRedirectFilter). It works perfect in this context.

Right now I am trying to build a mobile application using phonegap, so my mobile app is purely html,js and css, and want to interact with the same webapp using AJAX requests.

The problem arises, because in the mobile app context, the html files are local (and they need to be this way),as they are bundled with the application.

My question is how can I authenticate user in this case?

If I leave as it is, after a succesfull login the mobile app will be redirected to the webapp's domain, and will stop getting the local html files, which is not what I want.

I suppose I need some sort of client authentication, and then send an AJAX request to my webapp adding the facebook cookie somehow, so subsequent AJAX request to the webapp are already authenticated.

But I may be totally wrong and it should be done in a different way.

Any help will be really apreciated.

(I can elaborate or add any clarification if is not clear, just ask).

EDIT

After going through Igor's suggestion, I have made some changes in the plugin to have the FacebookAuthDirectFilter in place to test the signedRequest approach, and also I have integrated phonegap-facebook-plugin in my phonegap App.

I can succesfully login to facebook in the device, but I am not able to retrieve the signedRequest in the mobile side.

As this thread suggests JS SDK getLoginStatus doesn't return userID nor signedRequest , it may not be possible to get the signedRequest in this case.

However, I have the userId and the access_token in the mobile side, which is all I need (I think) to get the user info. Can I authenticate a user with this info in the spring-security-facebook grails plugin? (The FacebookAuthRedirectFilter uses a 'code' I don't have)

There's another tweak here, because the access_token is different if the user connects through a common web site and if the user connects from the mobile. The plugin stores one, and I am not sure what implications it may have.

thanks a lot!

Answer 1

I think you should make authentication on your side (I believe Android can do that) and provide authentication tokens to server (AJAX call).

But the problem it's not really supported by the plugin, at this moment. Plugin have FacebookAuthDirectFilter filter for this purpose (but it's not tested and not documented).

This filter currently accepts only Signed Request as parameter named signedRequest . Btw, with next release it will support Access Token as parameter.