Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
M
M
motomac2015-08-13 20:35:50
Facebook
motomac, 2015-08-13 20:35:50

How to properly organize authorization on the API server?

I am writing an API for a service whose clients will be mobile applications (my own + third-party). For my applications, I use the Resource Owner Password Credentials Grant from the official oAuth 2.0 documentation.
Those. a standard registration form is made in the application (enter email, password), then sent to the server (POST /users), where a user account is created. Next, an endpoint like /auth is sent:

grant_type=password
username=Mike
password=123
client_id=123
client_secret=123

client_id and client_secret do not conform to the oAuth specification, but they are required to identify the client.
If everything is correct, we return the token (in my case, JWT + refresh_token). refresh_token made eternal and I use it only to be able to manually revoke.
Here everything is relatively clear and corresponds well to the official oAuth specification.
Further, the task becomes more difficult. We need the ability for users to register through social networks. I organized the registration as follows: the native application requests access to personal information and receives a social network token, then sends it to the server (POST /users):
social_provider=facebook
social_token=ТОКЕН_ФЕЙСБУКА

Next, the server receives all the necessary information about the user from the social network using the provided token and creates an account. Does it make sense to keep this Facebook token?
And now we need to somehow implement the issuance of our API token for such users registered through social networks. It is clear that such accounts do not have passwords, and using the Resource Owner Password Credentials Grant in its pure form will not work. How to be? Thoughts are spinning towards sending a Facebook token as a password. Based on it, the server will recognize the user's facebook_id and will be able to check if such a user exists in the database. And, accordingly, issue your token.
grant_type=password
username=facebook_user
password=ТОКЕН_ФЕЙСБУКА
client_id=123
client_secret=123

Tell me, are there any better ways, or some flaws in such a scheme?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
M
Mikhail Lunacharsky2017-11-12 01:21:56
Is it possible to somehow cleverly remove yourself on Facebook from someone else's blacklist? 2Reply
B
bernaud2017-11-14 23:25:29
facebook api. Is it possible to download video from youtube link? 1Reply
@
@eashla2017-11-22 05:33:21
How to target on Facebook by interests for a certain period? 0Reply
V
Vlad2017-11-30 02:49:01
Why are there no comments from Facebook in the "Comment Moderation Tool"? 1Reply
A
Alexey Polyakov2017-12-03 07:18:27
How does the api for vkontake, facebook and instagram work? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question