开发者

How can I authenticate my mobile application and underlying server using Facebook?

The behaviour I want is simple:

  1. User starts up the application.
  2. User is prompted for their Facebook username and password.
  3. On successful login, user is now authenticated for the application and the web server. There is now a user in the server associated with the Facebook ID. All further HTTP requests will have a cookie that is authenticated on the web server.

There are a few problems with this behaviour, as far as I can see.

Facebook

You cannot login programmatically, according to the terms of service; sign on must be done via the Facebook website or SDK, both of which are interactive. Therefore, I cannot create my own form, pass the username and password to my web server, login there and respond with the successful cookie set.

Security

If the user logs in via the application, they are authenticated for the application only. Passing the Facebook ID to my web server could be done, but considering how easy it is to find out a user's FB ID, it would be very easy to spoof the server. I've considered auto-generating a password in the application, but this only reduces the window for spoofing and doesn't close the hole entirely.

(Security isn't actually a big deal for my project, but I don't want to leave such an obvious hole.)


My technology is iOS 3.0+ for the mobile application and Google App Engine for the server, running a modified version of Django.

The solution I've worked out, which I believe works around the limitations, is as follows:

  1. User starts up the application.
  2. Application checks whether the currently set cookie is authenticated on the server.
  3. If not, open Safari via URL scheme to actu开发者_如何学JAVAal page on web server with option to login via Facebook (or any other authentication systems I add at a later date).
  4. User authenticates and server creates user (if necessary) associated with the Facebook ID.
  5. Successfully logged in, server redirects to page that calls mobile application URL scheme with the cookie ID as a parameter.
  6. Success?

So, my question: am I doing the right thing? Are any of my assumptions wrong?


You can try using the OAuth framework

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜