Facebook login on mobile app through a rails app

Hi folks.

I’m building a rails app that provides an api for a mobile app.

The mobile app requires the user to login through his facebook account.

My question is about who should be responsible for requesting the login.

The mobile app or the rails app.

> Hi folks.

Hi,

> I’m building a rails app that provides an api for a mobile app.

I have the same setup.

> The mobile app requires the user to login through his facebook account.
>
> My question is about who should be responsible for requesting the login.
>
> The mobile app or the rails app.

So far, the mobile app logs in using the Facebook SDK and uses that information to log into the Rails app. The Rails server uses Devise+Omniauth.

Right now I am not really happy with this since I can’t figure out how the Rails app can use the login information retrieved via the mobile app to interact with the Facebook platform.

I will write more as soon as I have further information.

Regards,

The mobile app should do the login process. It then should send to the server the “access token” given by Facebook.
With this token you are able to identify your user through the “graph api”.

Ignacio Piantanida

Well, this is the point where I am stuck. As described here: https://developers.facebook.com/docs/howtos/login/server-side-login/ I understand how the server-side authentication process works, and it works well using a web browser. What I don’t really understand are the steps the mobile app has to do. Does it have to follow all the redirections? That could imply writing a lot of code on the mobile app side. It does not look like just a couple of GETs and POSTs to send.

To be clearer, I don’t understand how you send the access token from the mobile app to the server. Currently I have two entry points in my JSON API to authenticate. One for the custom authentication (using the account for my web app, set up by devise) and another one for the facebook authentication through the server-side flow (provided by omniauth). Should I add another entry point to pass the access token? It looks like a security hole to me.

Thanks for all the answers, folks.

I come to think that the flow to make this work would be the following:

1- Mobile App logs into facebook and gets the access token

2- Mobile App logs into the web application with whatever method is used for authentication, passing along the access_token it got from facebook

3- Once logged in successfully, the rails app uses the mobile’s access_token to interact with facebook

Is it right?

Yes. I also think this is the way to go. Apparently OAuth2 can do the authentication using an access_token: http://rubydoc.info/gems/oauth2/0.8.0/frames

I am trying to get this to work with omniauth and devise.

Finally, I got it right and there is no security hole to pass the access token. It should be done via https, though.

I am interested in doing this as well. My setup is the same.

On ‘sign up with facebook’, do you create a devise user and password in the rails api? What would the password be? or can devise be set to handle the two scenarios?

I was thinking of storing the oauth token as the password, but not sure if that is secure or makes sense.

Currently I have api calls for setting up a devise user or logging in with a devise email and password, and the token for subsequent calls by that user.

What would be the api endpoints that I need to create to allow both facebook signup and traditional signup?

For traditional sign up I use the json route set up by Devise.

For facebook sign up, I added my own json route which:

1/ takes the facebook access token as parameter

2/ checks it is valid by fetching user info from Facebook like this:

    # oauth2 gem (already required by omniauth-facebook)
    client = OAuth2::Client.new(
      ENV['FACEBOOK_APP_ID'],
      ENV['FACEBOOK_APP_SECRET'],
      site: 'https://graph.facebook.com')
    # wrap the token the mobile app sent; token.get sends it as a bearer header
    token = OAuth2::AccessToken.new(client, params[:access_token])
    # raises OAuth2::Error if Facebook rejects the token, so a bad token never gets past here
    user_info = ActiveSupport::JSON.decode(token.get('/me').body)

(the user info is used to create the entry in the DB)

3/ signs in using the Devise method: sign_in @user, :event => :authentication # this will throw if @user is not activated

The access token is then stored in the session for later use.

Cheers,

Nico
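The three-step flow agreed on above (mobile app gets the Facebook token, posts it to the API, the API checks it against Facebook before trusting it) and Nico's facebook sign-up route, written out end to end as an added example. This is not code from the thread, from Devise or from OmniAuth: it assumes an in-memory stand-in for the Devise User model, a constructed fake Graph API so it runs offline (the real transport is kept and only used when no fake is injected), and that the token travels in the Authorization header over HTTPS. It also answers the earlier password question by giving Facebook-created accounts a random local password rather than the access token.

```ruby
require "json"
require "net/http"
require "openssl"
require "securerandom"
require "uri"

# Verifies a Facebook access token the mobile app hands to the API by asking
# the Graph API who the token belongs to (the /me call from the thread).
# The transport is injectable so the example runs offline against a
# constructed fake Graph API; with no argument it uses real HTTPS.
class FacebookTokenVerifier
  GRAPH_ME = URI("https://graph.facebook.com/me?fields=id,name,email")

  def initialize(fetch: nil)
    @fetch = fetch || method(:https_get)
  end

  # Returns the Graph user info hash for a live token, or nil if Facebook
  # rejects it (expired, revoked, forged) or the reply is not a user record.
  def verify(access_token)
    return nil unless access_token.is_a?(String) && !access_token.strip.empty?
    status, body = @fetch.call(GRAPH_ME, access_token)
    return nil unless status == 200
    info = JSON.parse(body)
    info.is_a?(Hash) && info["id"].is_a?(String) ? info : nil
  rescue JSON::ParserError
    nil
  end

  private

  # Real transport: TLS with certificate verification, token in the
  # Authorization header rather than the query string so it stays out of
  # URL logs.
  def https_get(uri, token)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    req = Net::HTTP::Get.new(uri)
    req["Authorization"] = "Bearer #{token}"
    res = http.request(req)
    [res.code.to_i, res.body]
  end
end

# In-memory stand-in for the Devise User model (assumption: the real app uses
# ActiveRecord). Accounts created through Facebook get a random local password
# instead of the access token: the token is a short-lived bearer credential
# that Facebook can invalidate, so it must not double as the password.
class UserStore
  User = Struct.new(:id, :facebook_uid, :email, :password_digest,
                    :facebook_token, :api_token)

  def initialize
    @by_uid = {}
  end

  def find_or_create_from_facebook(info, access_token)
    user = @by_uid[info["id"]] ||= User.new(@by_uid.size + 1, info["id"], info["email"],
                                            pbkdf2(SecureRandom.hex(32)), nil, nil)
    user.facebook_token = access_token               # kept server-side for Graph calls
    user.api_token = SecureRandom.urlsafe_base64(32) # fresh token the mobile app uses from now on
    user
  end

  private

  # Salted PBKDF2-HMAC-SHA256 digest of the throwaway password (stdlib only).
  def pbkdf2(password)
    salt = SecureRandom.hex(8)
    key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new("SHA256"))
    "#{salt}$#{key.unpack1('H*')}"
  end
end

# The JSON route Nico describes: POST with {"access_token": ...}, returns an
# API token on success and 401 otherwise. Only expose it over HTTPS.
class FacebookSessionsEndpoint
  def initialize(verifier, store)
    @verifier, @store = verifier, store
  end

  def call(params)
    info = @verifier.verify(params["access_token"])
    return [401, { "error" => "invalid_facebook_token" }] unless info
    user = @store.find_or_create_from_facebook(info, params["access_token"])
    [200, { "user_id" => user.id, "api_token" => user.api_token }]
  end
end

# Constructed fake Graph API: one token is "valid", everything else gets the
# error shape Facebook returns for a bad token (error code 190).
FAKE_GRAPH = lambda do |_uri, token|
  if token == "EAAB-constructed-valid-token"
    [200, JSON.generate("id" => "10000001", "name" => "Test User", "email" => "test@example.com")]
  else
    [400, JSON.generate("error" => { "message" => "Invalid OAuth access token.", "code" => 190 })]
  end
end

if __FILE__ == $PROGRAM_NAME
  endpoint = FacebookSessionsEndpoint.new(FacebookTokenVerifier.new(fetch: FAKE_GRAPH), UserStore.new)
  p endpoint.call("access_token" => "EAAB-constructed-valid-token")
  p endpoint.call("access_token" => "expired-or-forged")
end
```

The mobile app keeps the Facebook token only long enough to post it once; from then on it authenticates with the api_token the server minted, and the Facebook token lives server-side (here on the user record, in Nico's version in the session) for the Rails app's own Graph calls.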