mkorszun

Reputation: 4571

How to authenticate REST API with Stormpath Facebook integration

I am designing a simple REST API with Stormpath Facebook integration and wondering what would be the best pattern for user authentication. Currently I do not have any endpoint for user creation, so all requests to my endpoints are authenticated like this:

  1. Get Stormpath Application object based on API_ID and API_SECRET configured in my app
  2. Get Stormpath Account object based on Facebook token specified in every request
  3. Based on account status authenticate request or reject

This follows more or less the official guide and works fine because, even if the user account does not exist, it will be created upon the first get-account request to Stormpath. Does it make sense and is it safe enough? I was looking for some documentation or best practices but could not find anything.

I would also need to get / generate a unique user ID so I can make some relations with user data in my system - so another question, what is the best approach here:

  1. Generate some unique ID, associate it with the user email obtained from Stormpath and save it in my system - I think this violates a little bit the idea of a service like Stormpath which encapsulates all user data
  2. Do the same as above but store it in Stormpath Account customData
  3. Use the Stormpath user resource ID which can be obtained from the user URI

Please advise.

Just for the record I am using Stormpath Java SDK and designing the API to be a backend for mobile social app so security is quite important for me.

Upvotes: 1

Views: 372

Answers (1)

Tom Abbott

Reputation: 501

Full disclosure, I manage Product @ Stormpath. I'll be using your feedback to enhance the documentation.

It is hard to say if it is safe or not without understanding the REST API you are building. If you made a REST API for cat pictures, my answer would be different compared to medical / financial information. One way to look at it is that Facebook has the Graph API (REST) and they protect access by requiring the same access token you are using. There are other flags that would cause me to say it isn't safe, like if you were using HTTP with no TLS.

To your second question, how to link Stormpath with your data. I wouldn't say you would violate anything about Stormpath by modeling out your application in a way that makes sense to you and your app. Stormpath has customers that store EVERYTHING about their users in Stormpath. Stormpath also has customers that use Stormpath solely for authentication and authorization data and use customData to draw the link between a Stormpath user account and their data.

How / where you store the information is based on your needs. If you are starting with authenticating the user account with Stormpath, it would make sense to put the unique identifier / primary key in the user account's customData. If you are starting with querying your data store for the user data and need to get the Stormpath user account, then you will need to store the href for the user account in your data store.

A nice feature in the Stormpath SDK for Java is that when you do authenticate with Facebook, the returned object will disclose if the account was newly created or if Stormpath has an existing account for the access token:

https://docs.stormpath.com/java/apidocs/com/stormpath/sdk/provider/ProviderAccountResult.html

This means that you will know when you need to create a record for the account in your data store and connect the two using customData and/or the user account href.

Upvotes: 2
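The flow the question lists (application lookup, account lookup by Facebook token, status check) combined with the linking approach the answer recommends (check `ProviderAccountResult.isNewAccount()`, store your own primary key in `customData`, keep the account `href` on your side), as an added example that is not code from the question, the answer or Stormpath. It assumes the Stormpath Java SDK classes and methods named in the imports (`Clients`, `ApiKeys`, `Providers.FACEBOOK.account()`, `Application.getAccount(ProviderAccountRequest)`, `CustomData.save()`); the `UserStore` interface, the `MY_USER_ID_KEY` customData key and the `FacebookAuthFilter` class are assumptions for the example.

```java
import com.stormpath.sdk.account.Account;
import com.stormpath.sdk.account.AccountStatus;
import com.stormpath.sdk.api.ApiKey;
import com.stormpath.sdk.api.ApiKeys;
import com.stormpath.sdk.application.Application;
import com.stormpath.sdk.client.Client;
import com.stormpath.sdk.client.Clients;
import com.stormpath.sdk.directory.CustomData;
import com.stormpath.sdk.provider.ProviderAccountRequest;
import com.stormpath.sdk.provider.ProviderAccountResult;
import com.stormpath.sdk.provider.Providers;
import com.stormpath.sdk.resource.ResourceException;

import java.util.UUID;

/**
 * Added example (not from the question, the answer or the Stormpath project).
 * Authenticates a request by its Facebook access token via Stormpath, then
 * links the Stormpath account to a record in the app's own store through
 * customData and the account href. UserStore and MY_USER_ID_KEY are assumed.
 */
public class FacebookAuthFilter {

    // Assumed customData key under which the app's own primary key is kept.
    private static final String MY_USER_ID_KEY = "myAppUserId";

    // Assumed minimal abstraction over the app's own data store.
    public interface UserStore {
        void createUser(String myUserId, String stormpathAccountHref);
    }

    private final Application application;
    private final UserStore userStore;

    public FacebookAuthFilter(String apiKeyId, String apiKeySecret,
                              String applicationHref, UserStore userStore) {
        // Step 1 of the question: build the client from the API key configured
        // in the app, then resolve the Application resource by its href.
        ApiKey apiKey = ApiKeys.builder().setId(apiKeyId).setSecret(apiKeySecret).build();
        Client client = Clients.builder().setApiKey(apiKey).build();
        this.application = client.getResource(applicationHref, Application.class);
        this.userStore = userStore;
    }

    /**
     * Returns the app's own user id for the caller, or null when the request
     * must be rejected (missing/invalid token, or account not ENABLED).
     */
    public String authenticate(String facebookAccessToken) {
        if (facebookAccessToken == null || facebookAccessToken.isEmpty()) {
            return null; // no credential presented
        }

        ProviderAccountResult result;
        try {
            // Step 2: exchange the Facebook access token for a Stormpath Account.
            ProviderAccountRequest request = Providers.FACEBOOK.account()
                    .setAccessToken(facebookAccessToken)
                    .build();
            result = application.getAccount(request);
        } catch (ResourceException e) {
            // Invalid or expired token, or provider error: reject rather than fail open.
            return null;
        }

        Account account = result.getAccount();

        // Step 3: only ENABLED accounts proceed; DISABLED, UNVERIFIED or LOCKED are rejected.
        if (account.getStatus() != AccountStatus.ENABLED) {
            return null;
        }

        // Linking, as the answer suggests: our primary key lives in customData,
        // and our data store keeps the account href so lookups work both ways.
        CustomData customData = account.getCustomData();
        Object existingId = customData.get(MY_USER_ID_KEY);

        if (result.isNewAccount() || existingId == null) {
            String myUserId = UUID.randomUUID().toString();
            userStore.createUser(myUserId, account.getHref());
            customData.put(MY_USER_ID_KEY, myUserId);
            customData.save();
            return myUserId;
        }
        return existingId.toString();
    }
}
```

The `existingId == null` branch covers an account that already existed in Stormpath but was never seen by this backend (for example, created through another client of the same Stormpath application), so the link is established on first contact rather than only when `isNewAccount()` is true. Every rejection path returns `null` rather than throwing, so a caller cannot accidentally treat an exception as an authenticated request.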
