Facebook login on mobile app through a rails app

Hi folks.

I’m building a rails app that provides an api for a mobile app.

The mobile app requires the user to login through his facebook account.

My question is about who should be responsible for requesting the login.

The mobile app or the rails app.

On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP [email protected] wrote:

> Hi folks.

Hi,

> I’m building a rails app that provides an api for a mobile app.

I have the same setup.

> The mobile app requires the user to login through his facebook account.
>
> My question is about who should be responsible for requesting the login.
>
> The mobile app or the rails app.

So far, the mobile app logs in using the Facebook SDK and uses that
information to log into the Rails app. The Rails server uses
Devise+Omniauth.

Right now I am not really happy with this since I can’t figure out how the
Rails app can use the login information retrieved via the mobile app to
interact with the Facebook platform.

I will write more as soon as I have further information.

Regards,


Nicolas D.

2013/1/17 Nicolas D. [email protected]

> Regards,
> Nicolas D.

The mobile app should do the login process. It then should send to the
server the “access token” given by Facebook.
With this token you are able to identify your user through the “graph api”.

Ignacio Piantanida

On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida [email protected] wrote:

> I will write more as soon as I have further information.
>
> With this token you are able to identify your user through the “graph api”.

Well, this is the point where I am stuck. As described here:
Manually Build a Login Flow - Facebook Login - Documentation - Meta for Developers
I understand how the server-side authentication process works, and it works
well using a web browser. What I don’t really understand are the steps the
mobile app has to do. Does it have to follow all the redirections? That
could imply writing a lot of code on the mobile app side. It does not look
like just a couple of GETs and POSTs to send.


Nicolas D.

On Mon, Jan 21, 2013 at 11:41 AM, Nicolas D. <[email protected]> wrote:

> Hi folks.
>
> Right now I am not really happy with this since I can’t figure out how
>
> well using a web browser. What I don’t really understand are the steps the
> mobile app has to do. Does it have to follow all the redirection ? That
> could imply to write a lot of code on the mobile app side. It does not look
> like just a couple of GET and POST to send.

To be clearer, I don’t understand how you send the access token from the
mobile app to the server. Currently I have two entry points in my JSON API
to authenticate. One for the custom authentication (using the account for
my web app, set up by Devise) and another one for the Facebook
authentication through the server-side flow (provided by Omniauth). Should
I add another entry point to pass the access token? It looks like a
security hole to me.


Nicolas D.

Thanks for all the answers, folks.

I have come to think that the flow to make this work would be the following:

1- Mobile App logs into Facebook and gets the access token
2- Mobile App logs into the web application with whatever method is being
used for authentication, passing along the access_token it got from Facebook
3- Once logged in successfully, the Rails app uses the mobile’s
access_token to interact with Facebook

Is it right?

2013/1/21 Nicolas D. [email protected]

On Mon, Jan 21, 2013 at 2:31 PM, Vitor HP [email protected] wrote:

> Is it right?

Yes. I also think this is the way to go. Apparently OAuth2 can do the
authentication using an access_token:
http://rubydoc.info/gems/oauth2/0.8.0/frames
I am trying to get this to work with Omniauth and Devise.

You received this message because you are subscribed to the Google Groups
“Ruby on Rails: Talk” group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.


Nicolas D.

On Mon, Jan 21, 2013 at 12:10 PM, Nicolas D. <[email protected]> wrote:

> To be clearer I don’t understand how do you send the access token from the
> mobile app to the server. Currently I have two entry points in my JSON API
> to authenticate. One for the custom authentication (using the account for
> my web app, setup by devise) and another one for the facebook
> authentication through the server-side flow (provided by omniauth). Should
> I add another entry point to pass the access token ? It looks like a
> security hole to me.

Finally, I got it right and there is no security hole to pass the access
token. It should be done via https, though.


Nicolas D.

I am interested in doing this as well. My setup is the same.

On ‘sign up with facebook’, do you create a devise user and password in the
rails api? What would the password be? Or can devise be set to handle the
two scenarios?

I was thinking of storing the oauth token as the password, but not sure if
that is secure or makes sense.

Currently I have api calls for setting up a devise user or logging in with
a devise email and password, and the token for subsequent calls by that
user.

What would be the api endpoints that I need to create to allow both
facebook signup and traditional signup?

On Sat, Jan 26, 2013 at 7:33 PM, [email protected] wrote:

> a devise email and password, and the token for subsequent calls by that
> user.
>
> What would be the api endpoints that I need to create to allow both
> facebook signup and traditional signup?

For traditional sign up I use the JSON route set up by Devise.
For Facebook sign up, I added my own JSON route which:
1/ takes the Facebook access token as parameter
2/ checks it is valid by fetching user info from Facebook like this:

    # OAuth2 client pointed at the Graph API, using the app's credentials
    client = OAuth2::Client.new(
      ENV['FACEBOOK_APP_ID'],
      ENV['FACEBOOK_APP_SECRET'],
      site: 'https://graph.facebook.com')
    # Wrap the token sent by the mobile app and fetch the user's profile
    token = OAuth2::AccessToken.new(client, params[:access_token])
    user_info = ActiveSupport::JSON.decode(token.get('/me').body)

(the user info is used to create the entry in the DB)
3/ signs in using the Devise method:

    sign_in @user, :event => :authentication
    # this will throw if @user is not activated

The access token is then stored in the session for later use.

Cheers,
Nico
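
Added example, not part of the thread or of any poster's code: the `/me` lookup in step 2 above shows that a token is live, but not which Facebook app it was issued to. This Ruby example adds that audience check using the Graph API `debug_token` endpoint; `FacebookTokenCheck`, `user_id_for`, the stub fetcher and all sample values are hypothetical and constructed for illustration.

```ruby
require 'json'
require 'net/http'

# Hypothetical helper (not from the thread): accept a mobile-supplied token
# only if Facebook says it is valid AND it was issued for our own app.
class FacebookTokenCheck
  Rejected = Class.new(StandardError)

  # fetcher: callable(token) -> JSON string. Injected so the check can run
  # offline; the default asks the Graph API debug_token endpoint over HTTPS.
  def initialize(app_id, app_secret, fetcher: nil)
    @app_id = app_id.to_s
    @fetcher = fetcher || lambda do |token|
      uri = URI('https://graph.facebook.com/debug_token')
      uri.query = URI.encode_www_form(input_token: token,
                                      access_token: "#{app_id}|#{app_secret}")
      Net::HTTP.get(uri)
    end
  end

  # Returns the Facebook user id bound to the token, or raises Rejected.
  def user_id_for(token, now: Time.now)
    raise Rejected, 'missing token' if token.to_s.empty?
    body = JSON.parse(@fetcher.call(token))
    data = body.is_a?(Hash) && body['data'].is_a?(Hash) ? body['data'] : {}
    raise Rejected, 'token not valid' unless data['is_valid'] == true
    # Audience check: a token minted for another app must not log in here.
    raise Rejected, 'issued for another app' unless data['app_id'].to_s == @app_id
    expires = data['expires_at'].to_i # 0 is treated as "does not expire"
    raise Rejected, 'token expired' if expires != 0 && expires <= now.to_i
    user_id = data['user_id'].to_s
    raise Rejected, 'no user id' if user_id.empty?
    user_id
  rescue JSON::ParserError
    raise Rejected, 'unparseable response'
  end
end

# Constructed debug_token-style responses, keyed by constructed token strings.
SAMPLE = {
  'tok-ours'  => { data: { app_id: '1111', is_valid: true, user_id: '42', expires_at: 0 } },
  'tok-other' => { data: { app_id: '9999', is_valid: true, user_id: '42', expires_at: 0 } },
  'tok-old'   => { data: { app_id: '1111', is_valid: true, user_id: '42', expires_at: 1_000 } }
}.freeze
STUB = ->(t) { JSON.generate(SAMPLE.fetch(t, { data: { is_valid: false } })) }

check = FacebookTokenCheck.new('1111', 'constructed-secret', fetcher: STUB)
SAMPLE.each_key do |t|
  puts "#{t}: " + (check.user_id_for(t) rescue "rejected (#{$!.message})")
end
```

In a JSON sign-in route, the returned user id would be matched against the stored Facebook uid before calling `sign_in`, and a `Rejected` error mapped to a 401 response.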

To view this discussion on the web visit
https://groups.google.com/d/msg/rubyonrails-talk/-/PeIqXUKtSPAJ.
