I have a Node.js server using PassportJS that uses social login via Google, Facebook, and Twitter.
The Node.js server hosts an API that uses the PassportJS middleware to authenticate routes and securely serve the data. The API exists to serve an iOS application which will be where the user "logs in" through Google, Facebook, Twitter and will subsequently create their account on my service.
How can I accomplish this when the mobile SDKs for the respective companies are for a direct communication between my client and their server? I essentially want a way for my client which talks to my server which talks to their server. Please let me know if the overall idea is incorrect as well.
I believe the right way to do it is to integrate the mobile app with social login, not your website.
Depending what technology you use in your app, you can find libraries to make it easier for you. On your app, it would be a native pop-up, or a simple app-redirect to Facebook app, or Google app or whatever to get the permissions and then a app-redirect back to your app.
You probably dont want a browser to pop out and redirect the user to facebook. A lot of users just use facebook app on their smartphones and they are not even logged-in facebook website in their smartphone's browser.
Once you get the permission and get the user's information, you can securely send those data to your server and store them for future use. You can associate those information with device ID, or generate a token and sent it back to the user's device and store it there for future authentications.
Related
I want to use express server with passport-facebook to authenticate facebook users. the client side is Unity3D application. I have no problem authenticating users if it was javascript client, since if the authentication was successful, it redirects to the index page. However, since I'm using Unity3D as client, I was wondering what will be the redirect function.
I haven't had a chance to implement this myself yet, but I was just reading about it.
You are gonna have to use the Facebook Unity SDK and login in the unity app. The SDK provides all the functionality you would expect. As for using the authentication in Express, you would be implementing somewhat of a Reverse OAuth Flow. I don't believe Facebook wants your app doing this, but once authenticated in Unity you could send the temporary access tokens to the Express API at which point you should be able to use the Node.js Facebook SDK.
I'm facing a problem related to oauth authentication using NodeJS. The main concern is how to connect all to my current architecture. Lets me explain it a little bit.
I have a Cloud API which is a REST API to serve and manage the data. I also have the web client developed in ReactJS (an SPA). My main goal is to allow social authentication without redirect or without to leave the page. For this, I'm using HelloJS and the oauth proxy in the same Cloud API.
Taking for example my Facebook App, the workflow is like:
The user clicks signup with Facebook
The oauth proxy serve as "handshake".
Facebook sends back the token to the web app.
At this point, this approach is working perfectly for me. My main concern is how do I send the token to the Cloud API for registration?, obviously I could add a middleware in the Cloud API to automatically register the user in the database, however I still need to invoke the authentication from the web client in order to exchange that token for a JWT token.
Yes, I'm using JWT for communication with the REST API. I would like to allow local registration and social registration (Facebook, Twitter, and so forth).
It seems odd to me to trust in the token received from the web app without ensure that it is real and not expired. I thought to check it with passportjs.
Advices or recomendations?
Thanks.
I use a web application developed by some company to manage my social information. This web application integrates various social sites (like twitter, facebook, google+) into one. Using this application I can send tweets, read emails, and create friend requests.
The web application uses OAuth 2.0 protocol to get access to my data in these social sites. After I login to this web application, I am redirected to twitter page, and then shown a page that says that the web application needs to be able to send tweets, etc, and ask for my approval. Once I approve, I can send tweets using this web application.
To send a tweet, I type the tweet, and then click a button in the web application. At the back, the web application sends a request to twitter using OAuth access token.
What I am worried here is that the web application may modify my tweet. Is there a way in OAuth 2.0 protocol to guarantee that the web application does not modify the tweet?
I posted the question to OAuth Google Groups. Nat Sakimura kindly answered the question. You can see the answer at https://groups.google.com/forum/#!topic/oauth/2OdlR40fZsI.
tl;dr: Is there any way to create a facebook login session with passportjs using existing access key?
I'm working on a product that is composed from a website , a mobile app and a nodejs server that serves both entities. registration is possible using facebook login from both mobile app and the website. Passportjs perfectly handles the facebook login procedure from the website, while keeping the users details in a mongodb server.
Login from the android app is implemented with the facebookSDK. Once the user is logged in , I file a request to our internal server with the access key and the facebook id in order to submit a request to facebook and authorize the user + request her details.
Right now, I'm using 2 different libraries to do that (passport for registration from the website and node-facebook to request the users details from an existing token) but that's an aweful waste and not very efficient.
Is it possible to harness passportjs to create a facebook session from an existing token+facebook id?
The passport-facebook-token strategy is designed to handle just this situation.
I am building a cross platform mobile application (using the Xamarian tools, MonoTouch / MonoDroid). I am trying to work through the authentication workflow and am running into a stumbling block. I have searched all over for a clear answer and have yet to find it.
Here is an overview of my current setup.
I have a web site built in nodejs.
I use passport.js to do oAuth login on the web site. This works great, users can login to my site using Twitter or Facebook.
Now I want to extend this same login functionality to my mobile clients.
I see 2 options
Embed the app id and app secret's in the mobile clients and make direct oAuth calls to FB or Twitter from the mobile app
Proxy the oAuth calls through my existing nodejs web server (keeping the secret keys on the server)
Option 2 appears to be the preferred way (as it avoids having to "ship" the secret in the mobile apps).
I have the proxy approach mostly working.
I open a WebView in my mobile client and point it at http://mysever/auth/twitter
This runs through my existing passport.js code and redirects the mobile WebView over to the Twitter login page.
The user then enters their creds on the twitter webpage on the device.
Twitter then calls my oAuth callback URL (which is my nodejs web server).
My server and Twitter handle the back a fourth handshake of obtaining the user profile information (As I understand it, this is the key to this approach, my server and twitter handle the handshake, the mobile client doesn't have to do anything or pass any tokens during this process)
Here is my problem:
It is this last step that stumps me. Once the handshake is complete on my server I have the user information I need on the server and need to send it back to the mobile client application
I can't figure out any way in the WebView control to grab the response object and grab a cookie, or header value (for instance) (this seems true for Android and iOS). I don't think it is platform specific. I think I am trying to do something that a WebView widget in mobile platforms just don't suport. It makes me think I am missing something obvious.
The only thing I have figured out is to have my web server "redirect" the mobile client browser to a fake URL that has the user info in the querystring. Something like myapp://info?userid=1234
Then in the mobile app I can hijack the URL loading and grab this url and get the data I need. I can then stash this userinfo, close the WebView control and move on to a native screen in my mobile application and user the userinfo in any subsequent REST calls to my nodejs server as a means of identifying the user.
This is massively kludgy for multiple reasons. The biggest of which is that the url is sent over the wire unencrypted and has all the data in plain text.
There has to be a better way to get the data from the web server back to the mobile client?
Or am I doing it all wrong?
The most straightforward way to implement oauth for Xamarin, both for iOS and Android, is using Xamarin.Auth. The starter documentation for the client is here. I think it should maintain everything securely and you will not have to worry about having to use your node server as a proxy.
You will need to provide your Application ID as part of the calls, but I don't there are too many or any security issues to worry about there.
I know this is going against what you already have implemented, but maybe this could help simplify things a bit.
This is the same dilemma that I have been dealing with.
This is how I currently deal with it.
In my app the client can come directly or via another service such as facebook which is my main one and hence the one which I have concentrated on.
Facebook can either redirect via a POST (desk apps) or a GET (mobile).
I check the initial request so see if has a service identifier - here is the facebook GET for example.
app.get('/', function(req, res) {
var paraUrl = URL.parse(req.url,true).query;
//The fb_source is shown -
//i need to go striaght to the facebook authorization since
//its coming from
//from a mobile device.
if (paraUrl.fb_source){
res.redirect('/auth/facebook'); //this is the passport part
return;
}
res.sendfile('index.html');
}
The facebook POST is slightly different in that you get an access token encode in base64url. The GET gives you a code which you can exchange for an access token but I had problems with it and just opted for tying into the passport system.
If a client comes direct I check for the session or a encrypted cookie which ties into the local strategy. This then checks the db for an access token which can used to access the facebook api for example.
If a client is unrecognised they are given the option to authenticate via facebook, google etc.
The main thing is that only 2 pieces of information are stored with the client, the passport session id and my app user id
connect.sid - encypted cookie
userId - encypted cookie
I would be interested to find out how other people are dealing with issue