Forum: Ruby on Rails Facebook login on mobile app through a rails app

Posted by Vitor HP (Guest)
on 2013-01-16 18:19
(Received via mailing list)
Hi folks.

I'm building a rails app that provides an api for a mobile app.

The mobile app requires the user to log in through his Facebook account.

My question is about who should be responsible for requesting the login.

The mobile app or the rails app.
Posted by "Nicolas Desprès" <nicolas.despres@gmail.com> (Guest)
on 2013-01-17 09:55
(Received via mailing list)
On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP <vitorhp2@gmail.com> wrote:

> Hi folks.

Hi,

> I'm building a rails app that provides an api for a mobile app.

I have the same setup.

> The mobile app requires the user to login through his facebook account.
>
> My question is about who should be responsible for requesting the login.
>
> The mobile app or the rails app.

So far, the mobile app logs in using the Facebook SDK and uses that
information to log into the Rails app. The Rails server uses
Devise+Omniauth.

Right now I am not really happy with this since I can't figure out how the
Rails app can use the login information retrieved via the mobile app to
interact with the Facebook platform.

I will write more as soon as I have further information.

Regards,

--
Nicolas Desprès
Posted by Ignacio Piantanida (Guest)
on 2013-01-17 19:37
(Received via mailing list)
2013/1/17 Nicolas Desprès <nicolas.despres@gmail.com>

The mobile app should do the login process. It then should send to the
server the "access token" given by Facebook.
With this token you are able to identify your user through the "graph api".

Ignacio Piantanida
Posted by "Nicolas Desprès" <nicolas.despres@gmail.com> (Guest)
on 2013-01-21 11:43
(Received via mailing list)
On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida <napoplate@gmail.com> wrote:

> With this token you are able to identify your user through the "graph api".

Well, this is the point where I am stuck. As described here:
https://developers.facebook.com/docs/howtos/login/... I
understand how the server-side authentication process works, and it works
well using a web browser. What I don't really understand are the steps the
mobile app has to do. Does it have to follow all the redirections? That
could imply writing a lot of code on the mobile app side. It does not look
like just a couple of GETs and POSTs to send.

--
Nicolas Desprès
Posted by "Nicolas Desprès" <nicolas.despres@gmail.com> (Guest)
on 2013-01-21 12:11
(Received via mailing list)
On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès <nicolas.despres@gmail.com> wrote:

> well using a web browser. What I don't really understand are the steps the
> mobile app has to do. Does it have to follow all the redirection ? That
> could imply to write a lot of code on the mobile app side. It does not look
> like just a couple of GET and POST to send.

To be clearer, I don't understand how you send the access token from the
mobile app to the server. Currently I have two entry points in my JSON API
to authenticate: one for the custom authentication (using the account for
my web app, set up by Devise) and another one for the Facebook
authentication through the server-side flow (provided by OmniAuth). Should
I add another entry point to pass the access token? It looks like a
security hole to me.

--
Nicolas Desprès
Posted by Vitor HP (Guest)
on 2013-01-21 14:32
(Received via mailing list)
Thanks for all the answers, folks.

I have come to think that the flow to make this work would be the following:

1- Mobile app logs into Facebook and gets the access token
2- Mobile app logs into the web application with whatever method is being
used for authentication, passing along the access_token it got from Facebook
3- Once logged in successfully, the Rails app uses the mobile's
access_token to interact with Facebook

Is it right?




Posted by "Nicolas Desprès" <nicolas.despres@gmail.com> (Guest)
on 2013-01-21 15:10
(Received via mailing list)
On Mon, Jan 21, 2013 at 2:31 PM, Vitor HP <vitorhp2@gmail.com> wrote:

> Is it right?
>

Yes. I also think this is the way to go. Apparently OAuth2 can do the
authentication using an access_token:
http://rubydoc.info/gems/oauth2/0.8.0/frames
I am trying to get this to work with OmniAuth and Devise.



> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To unsubscribe from this group, send email to
> rubyonrails-talk+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

--
Nicolas Desprès
Posted by "Nicolas Desprès" <nicolas.despres@gmail.com> (Guest)
on 2013-01-28 11:21
(Received via mailing list)
On Mon, Jan 21, 2013 at 12:10 PM, Nicolas Desprès <nicolas.despres@gmail.com> wrote:

> To be clearer I don't understand how do you send the access token from the
> mobile app to the server. Currently I have two entry points in my JSON API
> to authenticate. One for the custom authentication (using the account for
> my web app, setup by devise) and another one for the facebook
> authentication through the server-side flow (provided by omniauth). Should
> I add another entry point to pass the access token ? It looks like a
> security hole to me.

Finally, I got it right and there is no security hole in passing the access
token. It should be done via https, though.

--
Nicolas Desprès
Posted by unknown (Guest)
on 2013-01-28 12:44
(Received via mailing list)
I am interested in doing this as well.  My setup is the same.

On 'sign up with facebook', do you create a devise user and password in the
rails api?  What would the password be?  Or can devise be set to handle the
two scenarios?

I was thinking of storing the oauth token as the password, but not sure if
that is secure or makes sense.

Currently I have api calls for setting up a devise user or logging in with
a devise email and password, and the token for subsequent calls by that
user.

What would be the api endpoints that I need to create to allow both facebook
signup and traditional signup?
Posted by "Nicolas Desprès" <nicolas.despres@gmail.com> (Guest)
on 2013-01-28 14:03
(Received via mailing list)
On Sat, Jan 26, 2013 at 7:33 PM, <john@triplingo.com> wrote:

> a devise email and password,  and the token for subsequent calls by that
> user.
>
>
> What would be the api enpoints that I need to create to allow both
> facebook signup and traditional signup?
>

For traditional sign up I use the JSON route set up by Devise.
For Facebook sign up, I added my own JSON route which:
1/ takes the Facebook access token as a parameter
2/ checks it is valid by fetching user info from Facebook like this:
    # needs the oauth2 gem
    client = OAuth2::Client.new(
      ENV['FACEBOOK_APP_ID'],
      ENV['FACEBOOK_APP_SECRET'],
      site: 'https://graph.facebook.com')
    # wrap the token sent by the mobile app and call the Graph API with it
    token = OAuth2::AccessToken.new(client, params[:access_token])
    user_info = ActiveSupport::JSON.decode(token.get('/me').body)
  (the user info is used to create the entry in the DB)
3/ signs in using the Devise method:
    sign_in @user, :event => :authentication # this will throw if @user is not activated

The access token is then stored in the session for later use.

Cheers,
Nico





--
Nicolas Desprès
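
Added example, not part of the thread or the posters' code: a successful /me call shows the token is valid for some user, but not that it was issued to your own app, so a route that accepts a client-supplied token can also inspect it with the Graph API debug_token endpoint and compare app_id before signing the user in. The function names, app ids and sample responses below are constructed for illustration; the HTTP call itself is left out so the check runs offline.

```ruby
require 'json'
require 'uri'

# Added example (not from the thread). Field names follow the Graph API
# debug_token response; the app ids and payloads below are constructed.
GRAPH_HOST = 'graph.facebook.com'

# Build the inspection URL. The server calls it with its own app token
# ("app_id|app_secret"), never with anything supplied by the client.
def debug_token_uri(input_token, app_id, app_secret)
  query = URI.encode_www_form(input_token: input_token,
                              access_token: "#{app_id}|#{app_secret}")
  URI::HTTPS.build(host: GRAPH_HOST, path: '/debug_token', query: query)
end

# Returns [user_id, nil] when the token may be used to sign the user in,
# or [nil, reason] when it must be rejected.
def check_token(debug_json, expected_app_id, now = Time.now.to_i)
  parsed = JSON.parse(debug_json)
  data = parsed.is_a?(Hash) ? parsed['data'] : nil
  return [nil, :malformed] unless data.is_a?(Hash)
  return [nil, :invalid] unless data['is_valid'] == true
  # A token issued to another app still answers /me, so reject it here.
  return [nil, :wrong_app] unless data['app_id'].to_s == expected_app_id.to_s
  expires = data['expires_at'].to_i # 0 means the token does not expire
  return [nil, :expired] if expires != 0 && expires <= now
  user_id = data['user_id'].to_s
  return [nil, :no_user] if user_id.empty?
  [user_id, nil]
rescue JSON::ParserError
  [nil, :malformed]
end

# Constructed sample responses (not real Facebook output).
OURS   = '{"data":{"app_id":"1111","is_valid":true,"expires_at":2000,"user_id":"42"}}'
OTHERS = '{"data":{"app_id":"9999","is_valid":true,"expires_at":2000,"user_id":"42"}}'

p check_token(OURS, '1111', 1000)    # token issued to our app, not expired
p check_token(OTHERS, '1111', 1000)  # valid token, but issued to another app
p check_token(OURS, '1111', 3000)    # our app, but past expires_at
```

Only the user_id returned by this check, not an id sent by the client, should be used to look up or create the Devise user.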