I want to use express server with passport-facebook to authenticate facebook users. the client side is Unity3D application. I have no problem authenticating users if it was javascript client, since if the authentication was successful, it redirects to the index page. However, since I'm using Unity3D as client, I was wondering what will be the redirect function.
I haven't had a chance to implement this myself yet, but I was just reading about it.
You are gonna have to use the Facebook Unity SDK and login in the unity app. The SDK provides all the functionality you would expect. As for using the authentication in Express, you would be implementing somewhat of a Reverse OAuth Flow. I don't believe Facebook wants your app doing this, but once authenticated in Unity you could send the temporary access tokens to the Express API at which point you should be able to use the Node.js Facebook SDK.
Related
I have one question about firebase auth. I have a nodejs server api and a react web client application and i want to implement auth with server-side session cookie management.
I've been following the Firebase documentation and saw that they advise implementing client-side authentication and my question is why this should be the case?
I want to handle all the server side authentication and abstract that logic from the client. The client sends email and password and then on the server authenticates with the firebase SDK library and then exchanges it for a session cookie.
Is there any negative point that I am not seeing to do it like this? What are your recommendations on this?
Thanks!!
Doing this with the Node.js client-side SDK on a server, is similar to calling the REST APIs. It can definitely work, but you're going to be missing out on a lot of functionality of the SDKs, such as automatic caching of tokens and credentials, and automatic refreshing of ID tokens. But if that's what you want, it is possible. After all, that's precisely what the Firebase SDK also does.
I am working on a website and I need a facebook login system for users. Since I am working with NodeJs I found the passport module for authentication. I also know that facebook provides their own javscript sdk to simply login users directly from the client side.
My question is: what is the difference between these two ways of authenticating users? (using the facebook js sdk on the client side and using passport facebook strategy on the server-side)
I'm facing a problem related to oauth authentication using NodeJS. The main concern is how to connect all to my current architecture. Lets me explain it a little bit.
I have a Cloud API which is a REST API to serve and manage the data. I also have the web client developed in ReactJS (an SPA). My main goal is to allow social authentication without redirect or without to leave the page. For this, I'm using HelloJS and the oauth proxy in the same Cloud API.
Taking for example my Facebook App, the workflow is like:
The user clicks signup with Facebook
The oauth proxy serve as "handshake".
Facebook sends back the token to the web app.
At this point, this approach is working perfectly for me. My main concern is how do I send the token to the Cloud API for registration?, obviously I could add a middleware in the Cloud API to automatically register the user in the database, however I still need to invoke the authentication from the web client in order to exchange that token for a JWT token.
Yes, I'm using JWT for communication with the REST API. I would like to allow local registration and social registration (Facebook, Twitter, and so forth).
It seems odd to me to trust in the token received from the web app without ensure that it is real and not expired. I thought to check it with passportjs.
Advices or recomendations?
Thanks.
I am building a ember cli app and I would like to know what is the best approach for user authentication and authorization.
I fiddled around with https://github.com/simplabs/ember-simple-auth
https://github.com/simplabs/ember-simple-auth/tree/master/packages/ember-simple-auth-torii
along with it for social auth like facebook and gmail.
But what happens is client(emberjs) sends request to facebook/gmail app and gets back a token.
But this token is on the client side and my server does not know about the received token.
Question - How do I make the server aware of the token received on the client(ember js) ?
What should be the approach if on my ember app I want to include custom login that communicates with my node backend and gets a token and as well as I want to be able to login via facebook/gmial. ?
I am looking for a unified and seamless login solution that works well with ember cli
See this question: Workflow for Ember-simple-auth, Torii and Facebook Oauth2
You simply define a custom authenticator (you could also override the torii authenticator as opposed to the OAuth 2.0 authenticator as in the answer) that first gets the token from torii and then posts it to your own server in the authenticate method.
I built an AngularJS application calling some REST API's belonging to my own backend (using Play! 2.2).
I'm using Facebook OAuth client in order to authenticate my users.
As being a Javascript App, my Facebook App Token cannot be "hidden".
Thus, anybody who picked up the Facebook App Token, by just reading the Javascript code could grab a user access token in a "legally" way and therefore use my REST API's.
How could I prevent it?
What is the best practice?
One way would be, I think, to use the server side Facebook's OAuth mechanism, rather than the Facebook Javascript SDK.
In this case, the Facebook app secret would be stored on my server and unreachable from the outside.
But as being a Single Page Application on client-side, I really want to avoid page redirection and benefit of the "popup" feature that comes with Facebook Javascript SDK.
There are a couple of things you can do.
Using the server side ("code") OAuth flow for facebook auth is much more secure. You can still avoid redirects by opening your own popup to initiate the login sequence, similar to what the Facebook JS does (only it goes to your server first).
Enabling HTTPS on your application is usually a good practice...
And if you're worried about cross site forgeries you can implement something like an anti forgery state token. See http://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/ and also google's instructions here https://developers.google.com/accounts/docs/OAuth2Login#createxsrftoken .