I'm trying to find the correct way to store in a database & authenticate a user who logged into my app using facebook:
So the first time the user logs into the app, a webservice 'sees' this user isn't in the database and inserts its data. The second time the user logs in, the app contacts the webservice and gets some information about this user, only available to the user himself, such as his api key for communicating with the webservice.
But this requires authentication, so the webservice won't give the api key to anyone but the user. It's easy to authenticate the client using facebook on client-side, but then how would the webservice know this authentication took place? I've read a lot on this issue here on SO and came to realize I should store the (hashed) OAuth access token as the user's password, and then send this token on login to the webservice so it could match between the stored token in the database and the received token, thus authenticate the user.
But, tokens expire. So when this token expires, the user should re-authenticate on client-side using facebook and the webservice should receive a new token. At this point, the webservice would try to match between this new token and the old one stored in the database, and it would fail. So the webservice should update the token and then authenticate it, but how can the webservice know that this token has originated from the app and is valid, and not a token sent by someone else? How can the webservice even know the old token expired, and not that someone is just trying to cause this token replacement to occur (e.g. an attacker sending random password)? This token replacement basically breaks the whole point of storing the token in the first place, since any different token would just replace the old one.
So basically the problem is - how can I securely update an existing user's token once the previous one expired?
I apologize for the long text to read, I've been studying this issue for 2 days now and I'm just missing something important.
Upvotes: 1
Views: 1302
Reputation: 1430
If the user has already authorized your application, Facebook will return you a valid access token without any user-facing dialog. However, if the user has de-authorized your application, then the user will need to re-authorize your application for you to get the access_token.
You should read this; hopefully it will help your understanding :-)
https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
It's for PHP but should translate into Android.
Basically you just request a new token with the stored oauth data.
Upvotes: 1
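An added example (mine, not code from the question or the answer) of the server-side check the question is asking for: instead of storing the client's access token as a password, the web service sends each token it receives to Facebook's Graph API `/debug_token` endpoint and trusts only the user id that comes back, so a fresh token after expiry needs no special replacement logic. The app id and the inspection response are constructed, and the HTTP call itself is left out so the block runs offline.

```python
import secrets
import time
from typing import Optional

# Placeholder for your own Facebook app id (not a real id).
APP_ID = "123456789012345"

# Constructed sample of what the Graph API's /debug_token endpoint returns when
# the web service inspects a client-supplied token with its app access token
# (GET /debug_token?input_token=<client token>&access_token=<app token>).
# Field names follow the documented response; the values are made up.
SAMPLE_DEBUG_RESPONSE = {
    "data": {
        "app_id": "123456789012345",
        "type": "USER",
        "application": "Example App",
        "expires_at": 1_900_000_000,
        "is_valid": True,
        "issued_at": 1_700_000_000,
        "scopes": ["public_profile", "email"],
        "user_id": "10000000000001",
    }
}

def verify_debug_response(resp: dict, app_id: str, now: Optional[float] = None) -> Optional[str]:
    """Return the Facebook user id the token is bound to, or None if the token
    must not be trusted. The service never compares the token with a stored copy;
    it asks Facebook whom the token belongs to and trusts only that answer."""
    data = resp.get("data", {})
    now = time.time() if now is None else now
    if not data.get("is_valid"):            # revoked, malformed or expired per Facebook
        return None
    if data.get("app_id") != app_id:        # token issued to some other app: reject
        return None
    if data.get("type") != "USER":          # app or page tokens do not identify a user
        return None
    if data.get("expires_at", 0) <= now:    # defence in depth on top of is_valid
        return None
    return str(data["user_id"])

# Toy user store: Facebook user id -> the api key our web service issued.
USERS: dict = {}

def login(fb_user_id: str) -> str:
    """First login creates the record; later logins return the same api key."""
    if fb_user_id not in USERS:
        USERS[fb_user_id] = secrets.token_hex(16)
    return USERS[fb_user_id]
```

The api key stays a secret between the service and the user; the Facebook token is only ever used to prove who is asking.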