I have a mobile application (HTML 5, JavaScript) and a Restful service (Java, Jersey) to cater the mobile application.
Mobile application sign in is handled via a Facebook (Sign in using Facebook account). And currently there is no any security mechanism integrated for the Restful service
So my question is, can I authorize users on the Restful service via the access token retrieved from Facebook, to the mobile application ? To further clarify, if someone has logged into the mobile he/she should be authorized to make requests to the Restful service.
Thanks in advance
Asanka
If the user has authenticated with Facebook and you have the access token with you, you can get the user's facebook profile's public information.
You've got to hit this link - https://graph.facebook.com/me with the access token.
Go ahead, click on the link and see what happens. When you pass a valid access token, profile info will be returned as a JSON object.
(if you FB profile page is = facebook.com/yourname, then just try https://graph.facebook.com/yourname -> you'll be able to see what the data returned looks like.
Now, with the user data returned you can keep an entry in your DB if the user is registered or not, for first time users you can register them.
PS - https://graph.facebook.com/yourname actually returns someone's profile info! I didn't know anyone could keep their profile handle as yourname!!!
PPS - I just checked facebook.com/yourname -> Guess who uses this handle! It's the brazilian defender Roberto Carlos!
Related
I have an application which is composed by a javascript frontend, and a Java backend deployed in Tomcat.
The communication between frontend and backend is all via REST. I am using Jersey for this.
I followed the official documentation to add Google sign-in in my application:
https://developers.google.com/identity/sign-in/web/
and successfully managed to authenticate with the backend:
GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {...
The question is: how do I have to proceed now? Following the documentation here
https://developers.google.com/identity/protocols/OpenIDConnect#authenticatingtheuser
it says
After obtaining user information from the ID token, you should query
your app's user database. If the user already exists in your database,
you should start an application session for that user. ...
Should I just start a normal java webapp session? (with the only difference that I got the user credentials from Google instead of directly from my frontend).
If yes, how do I start the application session?
If not, what do I have to do?
I am completely lost here. Please help.
My above question was oriented. Once authenticated with Google, you have to do the exact same thing as what you would do after having checked the email/password: create a session with the username.
I think this just means that you should "cache" the authentication information in some way and not re-authenticate against the backend with every request.
This is just one implementation to trade a google provided token into a token known to your rest-api (where the token could be the session id in case of a clustered session backend).
I read online and understand how to use the FB connect and how to create an app that uses the fb login. What I want to know is whether it is possible to manipulate the data between the authentication.
So here's what I am confuse about. So we have
FB server
my application
my server.
So when I open my application, my application will ask for fb login and pw, we send those info to FB server. The FB server then give my application a token, then my application will send the token to my server, then my server will verify with FB server? Is this how it works?
If that's the way it works why there's no hacking in FB login, can't people make fake tokens?
By your question , even a set of "fake" credentials for all purposes of you app will be a vaid login ( because the user exists on facebook) . Facebook is essentially authenticating that the person is a valid person. A person cannot make a fake facebook token because it is signed
Facebook uses OAuth 2.0, which is a current standard for open authorization. This is a short description from wikipedia:
OAuth provides client applications a 'secure delegated access' to
server resources on behalf of a resource owner. It specifies a process
for resource owners to authorize third-party access to their server
resources without sharing their credentials. Designed specifically to
work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows
access tokens to be issued to third-party clients by an authorization
server, with the approval of the resource owner, or end-user. The
client then uses the access token to access the protected resources
hosted by the resource server.[1] OAuth is commonly used as a way for
web surfers to log into third party web sites using their Google,
Facebook or Twitter passwords, without worrying about their access
credentials being compromised.
You can read the RFC specification for more details: https://www.rfc-editor.org/rfc/rfc6749
You can also read information about the different integrations: http://oauth.net/2/
You cannot create a fake token. The user receives a token after typing his username and passwords, which means stealing his token is equivalent to stealing his credentials, as the token is randomly generated.
I will explain the flow shortly:
I'm an user, using in general facebook and your application. I log in facebook and reach your application in facebook or via external link and click on it. Then facebook will ask me if I want to share my personal information with your application (this is because I am logged in. If I were not, then it would ask me for my username and password). If I agree, facebook will send an access token to your application and with it you will access of my personal information. Thus this access will be highly restricted and you won't be able to do anything harmful and as well it will expire after a couple of time, depending on the implementation, but should be around one hour.
I have developed many stateless RESTful webservices for a mobile application in Java and they are working very well.
For example:
http://.../api/coupon
http://.../api/coupon/{id}
...
Now, I have to extend these services because I have to send different data back to the mobile for every user. So I need to know on the server side which user try to get or set information. And I have to prevent the serve of unauthorized users.
There are two different way how user can login into the mobile application:
log in with facebook account
log in with an application account
I need to develop two login and a logout services because the users who use the mobile application have to login into the application.
I read lots of article about auth and RESTful and OAuth.
I think I have to develop two login services with two imput parameters: username and password.
For example:
localLogin(String username, String password) -> token
facebookLogin(String username, String password) -> token
These logon services have to generate a same token and send it back to the mobile application in the http header. And after the login process the mobile client has a token. And the client has to send this token to the server when it makes a RESTful server call.
What do you think? Is my idea good?
If it is, could you help me how can I start to develop this in Java?
If it is not, could you tell me the good way?
You do not need 2 log in procedures. Just use the Facebook SDK!!
i) In your app would be a login with facebook button.
ii) User clicks on it and is then redirected to the facebook login page, where the user enters his credentials and facebook returns a token to you. You do not have to worry about the user's facebook credentials or storing them anywhere! Facebook will handle that for you. Consider the FB login part as black box to your app - you simply make a FB SDK's login call and it will do some processes and give back a access token to your app.
iii) Now, you can exchange the access token for the user's profile information. Enter this profile info to your database - that will ensure authenticated call.
Once you have verified that the user is logged on you can do whatever you want.
I've developed a Chrome Web Store app using Google App Engine. I'd like to follow these instructions: http://code.google.com/chrome/webstore/docs/identify_user.html#realm
But I need to call User::getFederatedIdentity() so that I can call the Chrome Web Store licensing server and find out if the user has purchased my app.
The trouble with that is, in order for UserService::getCurrentUser() to work, the user needs to be logged in.
The trouble with that is, when I call UserService::createLoginURL() to generate a redirect URL, the redirect URL takes the user to... the OpenID approval screen. This happens even though I've set the App's OpenID realm, as per the instructions in the page linked above.
Is there a way for me to do what I want but still use the User and UserService classes?
(Possibly a legit alternate phrasing for this entire question: using Google App Engine's UserService class, is there a way to request permission from the user to access their federated identiy, without also requesting permission to access their email address?)
Thanks in advance!
Please reread how to skip the OpenID approval screen. Have you set the realm? And are you asking for any information other than the URL? If you request the user's email address (or other information), then it is necessary to inform the user and obtain their permission to grant access to that information.
I have created a java web application using spring. I want the users of my application can be logged automatically into my application when they are logged into facebook. Any help will be highly appreciated.
It depends of your app. BTW, facebook have good documentation about this, you have to use javascript auth (there are many examples), with manually processing result or using facebook-java-api (look at FacebookSignatureUtil for example).
PS you have to register your webapp at facebook before using facebook connect
I don't think it is possible for you to get user to automatically logged into your app. Facebook stores the log in token in a cookie, this cookie will get passed back to same server, not to your server.
The click, will send request to facebook and you will get authentication token from facebook.
In fact, it is possible for facebook login button to log you into site even if user is logged out of facebook. You need to ask for "offline_access" permission.