mjr

Reputation: 83

Facebook, Node & Mobile app - pulling together

I'm trying to build a Facebook-authenticated native mobile app (Windows Phone) that connects to a web service I am creating in Node.

I'd like for a user to:

My question is: What's the best approach here?

Should I...

  1. Log the client in to Facebook locally in the mobile app and pass the Access Token to the Node service, and then somehow map the user to my service data based on their Facebook account id? That seems grossly insecure if I just pass that token in the URL.
  2. Log the user in via a mobile browser window inside my app, and then redirect back to my Node service in the same window? How do I then make subsequent authenticated requests natively in my app?
  3. Do something else entirely?

Sorry this is so open-ended, but this is the first time I have tied these things together, and although there's a lot of info on each part, I've yet to find something that describes the overall pattern / best practice for this design.

Upvotes: 0

Views: 422

Answers (1)

Saransh Mohapatra

Reputation: 9636

Your question is quite opinion-based... but still I will try to help.

First of all, you can pass the access token in the URL; it's not insecure if you use HTTPS. Even if you log into Facebook from your mobile app, it is also going to pass an access token in the URL only. If you mean having the token in http://something.com/access_token, then that's not how it should be done.

If you look into the OAuth 2.0 draft you will understand that it's done by setting an Authorization header with the value being the token and token_type. Take a good look at the draft.

As your solution, I think it's fine if you just use the first method mentioned in the question, sending the access token in the header as I mentioned, and in turn authenticating that token with Facebook on each request. If you think this is just too long a flow for authenticating every request with Facebook, then you can get the access token by sending a request from your mobile app to the server and let the server handle the access token and store it in a database, with which you can authenticate each request. In any case, take a look at the Passport module; it has Facebook and other auth built in and should be sufficient for your needs.

Upvotes: 1
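The header-based flow the answer describes, as an added example (not the answerer's code): the Node service reads a Bearer token from the Authorization header, checks the token against a Graph API `debug_token`-shaped response, and maps the Facebook user id to its own account data. The Graph API call is injected as `verify` so the logic runs offline; `users` is a hypothetical Map standing in for the service's database.

```javascript
// Parse "Authorization: Bearer <token>" (RFC 6750 style). Returns the token or null.
function parseBearer(header) {
  if (typeof header !== 'string') return null;
  const m = /^Bearer\s+([A-Za-z0-9._~+/=-]+)$/.exec(header.trim());
  return m ? m[1] : null;
}

// Validate the JSON returned by GET /debug_token for the client's token.
// Rejects tokens that are invalid, expired, or issued to a *different* Facebook app:
// a perfectly valid token for someone else's app must not log a user in here.
function userIdFromDebugToken(payload, expectedAppId, nowSeconds) {
  const d = payload && payload.data;
  if (!d || d.is_valid !== true) return null;
  if (String(d.app_id) !== String(expectedAppId)) return null;
  // expires_at of 0 means a non-expiring token; otherwise it is a Unix timestamp.
  if (typeof d.expires_at === 'number' && d.expires_at !== 0 && d.expires_at <= nowSeconds) return null;
  return typeof d.user_id === 'string' ? d.user_id : null;
}

// Middleware factory. `verify(token)` resolves to the debug_token payload
// (in production: an HTTPS GET to graph.facebook.com/debug_token, authenticated
// with the app token, never with the client's token). `users` is a hypothetical
// Map from Facebook user_id to the service's own user record.
function requireFacebookAuth({ appId, verify, users, now = () => Math.floor(Date.now() / 1000) }) {
  return async function (req, res, next) {
    const token = parseBearer(req.headers && req.headers.authorization);
    if (!token) { res.statusCode = 401; return res.end('missing bearer token'); }
    let fbUserId = null;
    try { fbUserId = userIdFromDebugToken(await verify(token), appId, now()); } catch (e) { fbUserId = null; }
    if (!fbUserId) { res.statusCode = 401; return res.end('invalid token'); }
    req.user = users.get(fbUserId) || null; // map the Facebook id to local service data
    if (!req.user) { res.statusCode = 403; return res.end('no account for this user'); }
    return next();
  };
}
```

Passport's Facebook strategy covers the browser-redirect flow; this middleware is the equivalent for a native client that already holds a token.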
