Hi folks.

I'm building a Rails app that provides an API for a mobile app.

The mobile app requires the user to log in through his Facebook account.

My question is about who should be responsible for requesting the login.

The mobile app or the Rails app.
Nicolas Desprès
2013-Jan-17 08:53 UTC
Re: Facebook login on mobile app through a rails app
On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP wrote:

> Hi folks.

Hi,

> I'm building a Rails app that provides an API for a mobile app.

I have the same setup.

> The mobile app requires the user to log in through his Facebook account.
>
> My question is about who should be responsible for requesting the login.
>
> The mobile app or the Rails app.

So far, the mobile app logs in using the Facebook SDK and uses that information to log into the Rails app. The Rails server uses Devise+Omniauth.

Right now I am not really happy with this since I can't figure out how the Rails app can use the login information retrieved via the mobile app to interact with the Facebook platform.

I will write more as soon as I have further information.

Regards,

--
Nicolas Desprès
Ignacio Piantanida
2013-Jan-17 18:35 UTC
Re: Facebook login on mobile app through a rails app
2013/1/17 Nicolas Desprès:

> So far, the mobile app logs in using the Facebook SDK and uses that
> information to log into the Rails app. The Rails server uses
> Devise+Omniauth.
>
> Right now I am not really happy with this since I can't figure out how
> the Rails app can use the login information retrieved via the mobile app to
> interact with the Facebook platform.

The mobile app should do the login process. It then should send to the server the "access token" given by Facebook.
With this token you are able to identify your user through the "graph api".

Ignacio Piantanida
Nicolas Desprès
2013-Jan-21 10:41 UTC
Re: Facebook login on mobile app through a rails app
On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida wrote:

> The mobile app should do the login process. It then should send to the
> server the "access token" given by Facebook.
> With this token you are able to identify your user through the "graph api".

Well, this is the point where I am stuck. As described here: https://developers.facebook.com/docs/howtos/login/server-side-login/ I understand how the server-side authentication process works and it works well using a web browser. What I don't really understand are the steps the mobile app has to do. Does it have to follow all the redirections? That could imply writing a lot of code on the mobile app side. It does not look like just a couple of GET and POST to send.

--
Nicolas Desprès
Nicolas Desprès
2013-Jan-21 11:10 UTC
Re: Facebook login on mobile app through a rails app
On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès wrote:

> Well, this is the point where I am stuck. As described here:
> https://developers.facebook.com/docs/howtos/login/server-side-login/ I
> understand how the server-side authentication process works and it works
> well using a web browser. What I don't really understand are the steps the
> mobile app has to do. Does it have to follow all the redirections? That
> could imply writing a lot of code on the mobile app side. It does not look
> like just a couple of GET and POST to send.

To be clearer, I don't understand how you send the access token from the mobile app to the server. Currently I have two entry points in my JSON API to authenticate. One for the custom authentication (using the account for my web app, set up by Devise) and another one for the Facebook authentication through the server-side flow (provided by Omniauth). Should I add another entry point to pass the access token? It looks like a security hole to me.

--
Nicolas Desprès
Thanks for all the answers, folks.

I come to think that the flow to make this work would be the following:

1- Mobile app logs into Facebook and gets the access token
2- Mobile app logs into the web application with whatever method is being used for authentication, passing along the access_token it got from Facebook
3- Once logged in successfully, the Rails app uses the mobile's access_token to interact with Facebook

Is it right?
Nicolas Desprès
2013-Jan-21 14:09 UTC
Re: Facebook login on mobile app through a rails app
On Mon, Jan 21, 2013 at 2:31 PM, Vitor HP wrote:

> Thanks for all the answers, folks.
>
> I come to think that the flow to make this work would be the following:
>
> 1- Mobile app logs into Facebook and gets the access token
> 2- Mobile app logs into the web application with whatever method is being
> used for authentication, passing along the access_token it got from Facebook
> 3- Once logged in successfully, the Rails app uses the mobile's
> access_token to interact with Facebook
>
> Is it right?

Yes. I also think this is the way to go. Apparently OAuth2 can do the authentication using an access_token: http://rubydoc.info/gems/oauth2/0.8.0/frames
I am trying to get this to work with Omniauth and Devise.

--
Nicolas Desprès
john-sGtEzQP6IMqgSpxsJD1C4w@public.gmane.org
2013-Jan-26 18:33 UTC
Re: Facebook login on mobile app through a rails app
I am interested in doing this as well. My setup is the same.

On 'sign up with facebook', do you create a Devise user and password in the Rails API? What would the password be? Or can Devise be set to handle the two scenarios?

I was thinking of storing the OAuth token as the password, but not sure if that is secure or makes sense.

Currently I have API calls for setting up a Devise user or logging in with a Devise email and password, and the token for subsequent calls by that user.

What would be the API endpoints that I need to create to allow both Facebook signup and traditional signup?
Nicolas Desprès
2013-Jan-28 10:20 UTC
Re: Facebook login on mobile app through a rails app
On Mon, Jan 21, 2013 at 12:10 PM, Nicolas Desprès wrote:

> To be clearer, I don't understand how you send the access token from the
> mobile app to the server. Currently I have two entry points in my JSON API
> to authenticate. One for the custom authentication (using the account for
> my web app, set up by Devise) and another one for the Facebook
> authentication through the server-side flow (provided by Omniauth). Should
> I add another entry point to pass the access token? It looks like a
> security hole to me.

Finally, I got it right and there is no security hole in passing the access token. It should be done via https, though.

--
Nicolas Desprès
Nicolas Desprès
2013-Jan-28 13:01 UTC
Re: Facebook login on mobile app through a rails app
On Sat, Jan 26, 2013 at 7:33 PM, <john-sGtEzQP6IMqgSpxsJD1C4w@public.gmane.org> wrote:

> What would be the API endpoints that I need to create to allow both
> Facebook signup and traditional signup?

For traditional sign up I use the JSON route set up by Devise. For Facebook sign up, I added my own JSON route which:

1/ takes the Facebook access token as a parameter
2/ checks it is valid by fetching user info from Facebook like this:

    # OAuth2 client configured with the app's Facebook credentials
    client = OAuth2::Client.new(
      ENV['FACEBOOK_APP_ID'],
      ENV['FACEBOOK_APP_SECRET'],
      site: 'https://graph.facebook.com')
    # Wrap the token sent by the mobile app and fetch the user's profile
    token = OAuth2::AccessToken.new(client, params[:access_token])
    user_info = ActiveSupport::JSON.decode(token.get('/me').body)

(the user info is used to create the entry in the DB)
3/ signs in using the Devise method:

    sign_in @user, :event => :authentication # this will throw if @user is not activated

The access token is then stored in the session for later use.

Cheers,
Nico

--
Nicolas Desprès
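An added example (not code from the thread or from any participant): the route described above trusts whatever token the client posts, so one server-side check worth making before `sign_in` is that the token was issued to this app and is still valid. It assumes Facebook's Graph API `debug_token` endpoint and its `app_id`, `is_valid`, `user_id` and `expires_at` fields; the class name, the stubbed responses and the app id `1111` are constructed for illustration.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Added example, not code from the thread. Checks a Facebook access token sent
# by a mobile client before the server trusts it for sign-in.
class FacebookTokenVerifier
  GRAPH = 'https://graph.facebook.com'
  Result = Struct.new(:ok, :user_id, :reason)

  # http_get: callable taking a URI and returning the response body, so the
  # check can be exercised offline. now: callable returning Unix time.
  def initialize(app_id:, app_secret:, http_get: nil, now: -> { Time.now.to_i })
    @app_id = app_id.to_s
    @app_secret = app_secret.to_s
    @http_get = http_get || ->(uri) { Net::HTTP.get(uri) }
    @now = now
  end

  def verify(user_token)
    return reject(:missing_token) if user_token.to_s.strip.empty?

    data = debug_data(user_token)
    return reject(:no_data) unless data.is_a?(Hash)
    return reject(:invalid_token) unless data['is_valid'] == true
    # Audience check: /me succeeds for a token issued to any app, so the
    # issuing app must be compared with our own app id.
    return reject(:wrong_app) unless data['app_id'].to_s == @app_id

    # Assumption: expires_at is Unix time, 0 meaning "does not expire".
    expires_at = data['expires_at'].to_i
    return reject(:expired) if expires_at.positive? && expires_at <= @now.call

    user_id = data['user_id'].to_s
    return reject(:no_user) if user_id.empty?

    Result.new(true, user_id, nil)
  end

  private

  def reject(reason)
    Result.new(false, nil, reason)
  end

  def debug_data(user_token)
    uri = URI("#{GRAPH}/debug_token")
    uri.query = URI.encode_www_form(
      input_token: user_token,
      access_token: "#{@app_id}|#{@app_secret}" # app access token
    )
    parsed = JSON.parse(@http_get.call(uri))
    parsed.is_a?(Hash) ? parsed['data'] : nil
  rescue JSON::ParserError, TypeError, IOError, SocketError,
         SystemCallError, Timeout::Error
    nil # fail closed: an unreadable answer never authenticates anyone
  end
end

# Constructed sample responses (not captured from Facebook), keyed by the
# token the client would have posted.
SAMPLE_RESPONSES = {
  'token-for-our-app' =>
    { data: { app_id: '1111', is_valid: true, user_id: '42', expires_at: 2_000_000_000 } },
  'token-for-other-app' =>
    { data: { app_id: '9999', is_valid: true, user_id: '42', expires_at: 2_000_000_000 } },
  'expired-token' =>
    { data: { app_id: '1111', is_valid: true, user_id: '42', expires_at: 1_000_000_000 } },
  'revoked-token' =>
    { data: { app_id: '1111', is_valid: false } }
}.freeze

# Offline stand-in for the HTTPS call: looks up the input_token in the samples.
STUB_GET = lambda do |uri|
  token = URI.decode_www_form(uri.query).to_h['input_token']
  JSON.generate(SAMPLE_RESPONSES.fetch(token, { error: { message: 'unknown token' } }))
end

def demo_verifier
  FacebookTokenVerifier.new(app_id: '1111', app_secret: 'placeholder-secret',
                            http_get: STUB_GET, now: -> { 1_700_000_000 })
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RESPONSES.each_key do |t|
    r = demo_verifier.verify(t)
    puts format('%-20s ok=%-5s reason=%s', t, r.ok, r.reason.inspect)
  end
end
```

In the JSON route from the thread, `verify` would run on `params[:access_token]` before `sign_in`, and the returned `user_id` would be compared with the `id` that `/me` reports.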