Rails - Jan 2013 - Facebook login on mobile app through a rails app

Hi folks.

I''m building a rails app that provides an api for a mobile app.

The mobile app requires the user to login through his facebook account.

My question is about who should be responsible for requesting the login.

The mobile app or the rails app.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.

On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi folks.
>
Hi,

>
> I''m building a rails app that provides an api for a mobile app.
>
> I have the same setup.
> The mobile app requires the user to login through his facebook account.
>
> My question is about who should be responsible for requesting the login.
>
> The mobile app or the rails app.
>
So far, the mobile app login using the Facebook SDK and use that
information to log into the Rails app. The Rails server uses
Devise+Omniauth.
> Right now I am not really happy with this since I can''t figure out
how the
Rails app can use the login information retrieved via the mobile app to
interact with the Facebook platform.

I will write more as soon as I have further information.

Regards,

-- 
Nicolas Desprès

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

2013/1/17 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
>
> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>> Hi folks.
>>
>
> Hi,
>
>
>>
>> I''m building a rails app that provides an api for a mobile
app.
>>
>> I have the same setup.
>
>
>> The mobile app requires the user to login through his facebook account.
>>
>> My question is about who should be responsible for requesting the
login.
>>
>> The mobile app or the rails app.
>>
> So far, the mobile app login using the Facebook SDK and use that
> information to log into the Rails app. The Rails server uses
> Devise+Omniauth.
>
>> Right now I am not really happy with this since I can''t figure
out how
> the Rails app can use the login information retrieved via the mobile app to
> interact with the Facebook platform.
>
> I will write more as soon as I have further information.
>
> Regards,
>
> --
> Nicolas Desprès
>
>
>
The mobile app should do the login process. It then should send to the
server the "access token" given by Facebook.
With this token you are able to identify your user through the "graph
api".

Ignacio Piantanida

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida
<napoplate-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>wrote:
> 2013/1/17 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
>>
>>
>> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>
>>> Hi folks.
>>>
>>
>> Hi,
>>
>>
>>>
>>> I''m building a rails app that provides an api for a mobile
app.
>>>
>>> I have the same setup.
>>
>>
>>> The mobile app requires the user to login through his facebook
account.
>>>
>>> My question is about who should be responsible for requesting the
login.
>>>
>>> The mobile app or the rails app.
>>>
>> So far, the mobile app login using the Facebook SDK and use that
>> information to log into the Rails app. The Rails server uses
>> Devise+Omniauth.
>>
>>> Right now I am not really happy with this since I can''t
figure out how
>> the Rails app can use the login information retrieved via the mobile
app to
>> interact with the Facebook platform.
>>
>> I will write more as soon as I have further information.
>>
>> Regards,
>>
>> --
>> Nicolas Desprès
>>
>>
>>
> The mobile app should do the login process. It then should send to the
> server the "access token" given by Facebook.
> With this token you are able to identify your user through the "graph
api".
>
Well this is point where I am stuck. As describe here :
https://developers.facebook.com/docs/howtos/login/server-side-login/ I
understand how works the server-side authentication process and it works
well using a web browser. What I don''t really understand are the steps
the
mobile app has to do. Does it have to follow all the redirection ? That
could imply to write a lot of code on the mobile app side. It does not look
like just a couple of GET and POST to send.

-- 
Nicolas Desprès

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès
<nicolas.despres@gmail.com
> wrote:
>
>
> On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida
<napoplate-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>wrote:
>
>> 2013/1/17 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>
>>>
>>>
>>> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>
>>>> Hi folks.
>>>>
>>>
>>> Hi,
>>>
>>>
>>>>
>>>> I''m building a rails app that provides an api for a
mobile app.
>>>>
>>>> I have the same setup.
>>>
>>>
>>>> The mobile app requires the user to login through his facebook
account.
>>>>
>>>> My question is about who should be responsible for requesting
the login.
>>>>
>>>> The mobile app or the rails app.
>>>>
>>> So far, the mobile app login using the Facebook SDK and use that
>>> information to log into the Rails app. The Rails server uses
>>> Devise+Omniauth.
>>>
>>>> Right now I am not really happy with this since I
can''t figure out how
>>> the Rails app can use the login information retrieved via the
mobile app to
>>> interact with the Facebook platform.
>>>
>>> I will write more as soon as I have further information.
>>>
>>> Regards,
>>>
>>> --
>>> Nicolas Desprès
>>>
>>>
>>>
>> The mobile app should do the login process. It then should send to the
>> server the "access token" given by Facebook.
>> With this token you are able to identify your user through the
"graph
>> api".
>>
>
> Well this is point where I am stuck. As describe here :
> https://developers.facebook.com/docs/howtos/login/server-side-login/ I
> understand how works the server-side authentication process and it works
> well using a web browser. What I don''t really understand are the
steps the
> mobile app has to do. Does it have to follow all the redirection ? That
> could imply to write a lot of code on the mobile app side. It does not look
> like just a couple of GET and POST to send.
>
>
To be clearer I don''t understand how do you send the access token from
the
mobile app to the server. Currently I have two entry points in my JSON API
to authenticate. One for the custom authentication (using the account for
my web app, setup by devise) and another one for the facebook
authentication through the server-side flow (provided by omniauth). Should
I add another entry point to pass the access token ? It looks like a
security hole to me.

-- 
Nicolas Desprès

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Thanks for all the answers, folks.

I come to think that the flow to make this work would be the following:

1- Mobile App log into facebook and get the access token
2- Mobile App log into the web application with whatever method it''s
been
used for authentication passing along the access_token it got from facebook
3- Once logged in successfully, the rails app uses the mobile''s
access_token to interact with facebook

Is it right?




2013/1/21 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
>
> On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès <
> nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>>
>>
>> On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida
<napoplate-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>wrote:
>>
>>> 2013/1/17 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>>
>>>>
>>>>
>>>> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>>
>>>>> Hi folks.
>>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>>>
>>>>> I''m building a rails app that provides an api for
a mobile app.
>>>>>
>>>>> I have the same setup.
>>>>
>>>>
>>>>> The mobile app requires the user to login through his
facebook account.
>>>>>
>>>>> My question is about who should be responsible for
requesting the
>>>>> login.
>>>>>
>>>>> The mobile app or the rails app.
>>>>>
>>>> So far, the mobile app login using the Facebook SDK and use
that
>>>> information to log into the Rails app. The Rails server uses
>>>> Devise+Omniauth.
>>>>
>>>>> Right now I am not really happy with this since I
can''t figure out how
>>>> the Rails app can use the login information retrieved via the
mobile app to
>>>> interact with the Facebook platform.
>>>>
>>>> I will write more as soon as I have further information.
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Nicolas Desprès
>>>>
>>>>
>>>>
>>> The mobile app should do the login process. It then should send to
the
>>> server the "access token" given by Facebook.
>>> With this token you are able to identify your user through the
"graph
>>> api".
>>>
>>
>> Well this is point where I am stuck. As describe here :
>> https://developers.facebook.com/docs/howtos/login/server-side-login/ I
>> understand how works the server-side authentication process and it
works
>> well using a web browser. What I don''t really understand are
the steps the
>> mobile app has to do. Does it have to follow all the redirection ? That
>> could imply to write a lot of code on the mobile app side. It does not
look
>> like just a couple of GET and POST to send.
>>
>>
> To be clearer I don''t understand how do you send the access token
from the
> mobile app to the server. Currently I have two entry points in my JSON API
> to authenticate. One for the custom authentication (using the account for
> my web app, setup by devise) and another one for the facebook
> authentication through the server-side flow (provided by omniauth). Should
> I add another entry point to pass the access token ? It looks like a
> security hole to me.
>
> --
> Nicolas Desprès
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> To unsubscribe from this group, send email to
>
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Mon, Jan 21, 2013 at 2:31 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Thanks for all the answers, folks.
>
> I come to think that the flow to make this work would be the following:
>
> 1- Mobile App log into facebook and get the access token
> 2- Mobile App log into the web application with whatever method
it''s been
> used for authentication passing along the access_token it got from facebook
> 3- Once logged in successfully, the rails app uses the mobile''s
> access_token to interact with facebook
>
> Is it right?
>
Yes. I also think this is the way to go. Apparently OAuth2 can do the
authentication using an access_token:
http://rubydoc.info/gems/oauth2/0.8.0/frames
I am trying to get this work with omniauth and devise.



2013/1/21 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>
>
> On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès <
> nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>>
>>
>> On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida
<napoplate-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>wrote:
>>
>>> 2013/1/17 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>>
>>>>
>>>>
>>>> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>>
>>>>> Hi folks.
>>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>>>
>>>>> I''m building a rails app that provides an api for
a mobile app.
>>>>>
>>>>> I have the same setup.
>>>>
>>>>
>>>>> The mobile app requires the user to login through his
facebook account.
>>>>>
>>>>> My question is about who should be responsible for
requesting the
>>>>> login.
>>>>>
>>>>> The mobile app or the rails app.
>>>>>
>>>> So far, the mobile app login using the Facebook SDK and use
that
>>>> information to log into the Rails app. The Rails server uses
>>>> Devise+Omniauth.
>>>>
>>>>> Right now I am not really happy with this since I
can''t figure out how
>>>> the Rails app can use the login information retrieved via the
mobile app to
>>>> interact with the Facebook platform.
>>>>
>>>> I will write more as soon as I have further information.
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Nicolas Desprès
>>>>
>>>>
>>>>
>>> The mobile app should do the login process. It then should send to
the
>>> server the "access token" given by Facebook.
>>> With this token you are able to identify your user through the
"graph
>>> api".
>>>
>>
>> Well this is point where I am stuck. As describe here :
>> https://developers.facebook.com/docs/howtos/login/server-side-login/ I
>> understand how works the server-side authentication process and it
works
>> well using a web browser. What I don''t really understand are
the steps the
>> mobile app has to do. Does it have to follow all the redirection ? That
>> could imply to write a lot of code on the mobile app side. It does not
look
>> like just a couple of GET and POST to send.
>>
>>
> To be clearer I don''t understand how do you send the access token
from the
> mobile app to the server. Currently I have two entry points in my JSON API
> to authenticate. One for the custom authentication (using the account for
> my web app, setup by devise) and another one for the facebook
> authentication through the server-side flow (provided by omniauth). Should
> I add another entry point to pass the access token ? It looks like a
> security hole to me.
>
> --
> Nicolas Desprès
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> To unsubscribe from this group, send email to
>
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
 --
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.





-- 
Nicolas Desprès

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

I am interested in doing this as well.  My setup is the same.

On ''sign up with facebook'', do you create a devise user and
password in the
rails api?  What would the password be?  or can devise be set to handle the 
two scenarios?

I was thinking storing the oauth token as the password, but not sure if 
that is secure or makes sense.

Currently I have api calls for setting up a devise user or logging in with 
a devise email and password,  and the token for subsequent calls by that 
user.


What would be the api enpoints that I need to create to allow both facebook 
signup and traditional signup?

On Monday, January 21, 2013 9:09:03 AM UTC-5, Nicolas Desprès
wrote:
>
>
>
> On Mon, Jan 21, 2013 at 2:31 PM, Vitor HP
<vito...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <javascript:>
> > wrote:
>
>> Thanks for all the answers, folks.
>>
>> I come to think that the flow to make this work would be the following:
>>
>> 1- Mobile App log into facebook and get the access token
>> 2- Mobile App log into the web application with whatever method
it''s been
>> used for authentication passing along the access_token it got from
facebook
>> 3- Once logged in successfully, the rails app uses the
mobile''s
>> access_token to interact with facebook
>>
>> Is it right?
>>
>
> Yes. I also think this is the way to go. Apparently OAuth2 can do the 
> authentication using an access_token: 
> http://rubydoc.info/gems/oauth2/0.8.0/frames
> I am trying to get this work with omniauth and devise.
>
>
>
> 2013/1/21 Nicolas Desprès
<nicolas...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <javascript:>>
>
>>
>>
>> On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès
<nicolas...-Re5JQEeQqe8@public.gmane.orgm<javascript:>
>> > wrote:
>>
>>>
>>>
>>> On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida
<napo...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org<javascript:>
>>> > wrote:
>>>
>>>> 2013/1/17 Nicolas Desprès
<nicolas...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org <javascript:>>
>>>>
>>>>>
>>>>>
>>>>> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vito...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org<javascript:>
>>>>> > wrote:
>>>>>
>>>>>> Hi folks.
>>>>>>
>>>>>
>>>>> Hi,
>>>>>  
>>>>>
>>>>>>
>>>>>> I''m building a rails app that provides an api
for a mobile app.
>>>>>>
>>>>>> I have the same setup.
>>>>>  
>>>>>
>>>>>> The mobile app requires the user to login through his
facebook
>>>>>> account.
>>>>>>
>>>>>> My question is about who should be responsible for
requesting the
>>>>>> login.
>>>>>>
>>>>>> The mobile app or the rails app.
>>>>>>
>>>>> So far, the mobile app login using the Facebook SDK and use
that
>>>>> information to log into the Rails app. The Rails server
uses
>>>>> Devise+Omniauth. 
>>>>>
>>>>>> Right now I am not really happy with this since I
can''t figure out
>>>>> how the Rails app can use the login information retrieved
via the mobile
>>>>> app to interact with the Facebook platform.
>>>>>
>>>>> I will write more as soon as I have further information.
>>>>>
>>>>> Regards,
>>>>>
>>>>> -- 
>>>>> Nicolas Desprès
>>>>>
>>>>>
>>>>>
>>>> The mobile app should do the login process. It then should send
to the
>>>> server the "access token" given by Facebook.
>>>> With this token you are able to identify your user through the
"graph
>>>> api".
>>>>
>>>
>>> Well this is point where I am stuck. As describe here : 
>>>
https://developers.facebook.com/docs/howtos/login/server-side-login/ I
>>> understand how works the server-side authentication process and it
works
>>> well using a web browser. What I don''t really understand
are the steps the
>>> mobile app has to do. Does it have to follow all the redirection ?
That
>>> could imply to write a lot of code on the mobile app side. It does
not look
>>> like just a couple of GET and POST to send.
>>>
>>>
>> To be clearer I don''t understand how do you send the access
token from
>> the mobile app to the server. Currently I have two entry points in my
JSON
>> API to authenticate. One for the custom authentication (using the
account
>> for my web app, setup by devise) and another one for the facebook 
>> authentication through the server-side flow (provided by omniauth).
Should
>> I add another entry point to pass the access token ? It looks like a 
>> security hole to me.
>>  
>> -- 
>> Nicolas Desprès
>>  
>> -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Talk" group.
>> To post to this group, send email to
rubyonra...-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org<javascript:>
>> .
>> To unsubscribe from this group, send email to 
>> rubyonrails-ta...-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
<javascript:>.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>  
>>  
>>
>
>  -- 
> You received this message because you are subscribed to the Google Groups 
> "Ruby on Rails: Talk" group.
> To post to this group, send email to
rubyonra...-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org<javascript:>
> .
> To unsubscribe from this group, send email to 
> rubyonrails-ta...-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
<javascript:>.
> For more options, visit https://groups.google.com/groups/opt_out.
>  
>  
>
>
>
> -- 
> Nicolas Desprès
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msg/rubyonrails-talk/-/PeIqXUKtSPAJ.
For more options, visit https://groups.google.com/groups/opt_out.

On Mon, Jan 21, 2013 at 12:10 PM, Nicolas Desprès
<nicolas.despres@gmail.com
> wrote:
>
>
> On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès <
> nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>>
>>
>> On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida
<napoplate-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>wrote:
>>
>>> 2013/1/17 Nicolas Desprès
<nicolas.despres-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>>
>>>>
>>>>
>>>> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vitorhp2-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>>
>>>>> Hi folks.
>>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>>>
>>>>> I''m building a rails app that provides an api for
a mobile app.
>>>>>
>>>>> I have the same setup.
>>>>
>>>>
>>>>> The mobile app requires the user to login through his
facebook account.
>>>>>
>>>>> My question is about who should be responsible for
requesting the
>>>>> login.
>>>>>
>>>>> The mobile app or the rails app.
>>>>>
>>>> So far, the mobile app login using the Facebook SDK and use
that
>>>> information to log into the Rails app. The Rails server uses
>>>> Devise+Omniauth.
>>>>
>>>>> Right now I am not really happy with this since I
can''t figure out how
>>>> the Rails app can use the login information retrieved via the
mobile app to
>>>> interact with the Facebook platform.
>>>>
>>>> I will write more as soon as I have further information.
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Nicolas Desprès
>>>>
>>>>
>>>>
>>> The mobile app should do the login process. It then should send to
the
>>> server the "access token" given by Facebook.
>>> With this token you are able to identify your user through the
"graph
>>> api".
>>>
>>
>> Well this is point where I am stuck. As describe here :
>> https://developers.facebook.com/docs/howtos/login/server-side-login/ I
>> understand how works the server-side authentication process and it
works
>> well using a web browser. What I don''t really understand are
the steps the
>> mobile app has to do. Does it have to follow all the redirection ? That
>> could imply to write a lot of code on the mobile app side. It does not
look
>> like just a couple of GET and POST to send.
>>
>>
> To be clearer I don''t understand how do you send the access token
from the
> mobile app to the server. Currently I have two entry points in my JSON API
> to authenticate. One for the custom authentication (using the account for
> my web app, setup by devise) and another one for the facebook
> authentication through the server-side flow (provided by omniauth). Should
> I add another entry point to pass the access token ? It looks like a
> security hole to me.
>
> Finally, I got it right and there is no security hole to pass the access
token. It should be done via https, though.

-- 
Nicolas Desprès

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Sat, Jan 26, 2013 at 7:33 PM,
<john-sGtEzQP6IMqgSpxsJD1C4w@public.gmane.org> wrote:
> I am interested in doing this as well.  My setup is the same.
>
> On ''sign up with facebook'', do you create a devise user
and password in
> the rails api?  What would the password be?  or can devise be set to handle
> the two scenarios?
>
> I was thinking storing the oauth token as the password, but not sure if
> that is secure or makes sense.
>
> Currently I have api calls for setting up a devise user or logging in with
> a devise email and password,  and the token for subsequent calls by that
> user.
>
>
> What would be the api enpoints that I need to create to allow both
> facebook signup and traditional signup?
>
For traditional sign up I use the json route set up by Devise.
For facebook sign up, I added my own json route which:
1/ take the facebook access token as parameter
2/ check it is valid by fetching user info from Facebook like this:
    client = OAuth2::Client.new(
      ENV[''FACEBOOK_APP_ID''],
      ENV[''FACEBOOK_APP_SECRET''],
      site: ''https://graph.facebook.com'')
    token = OAuth2::AccessToken.new(client, params[:access_token])
    user_info =
ActiveSupport::JSON.decode(token.get(''/me'').body)
  (the user info are used to create the entry in the DB)
3/ sign in using Devise method: sign_in @user, :event => :authentication
#this will throw if @user is not activated

The access token is then stored in the session for later use.

Cheers,
Nico

> On Monday, January 21, 2013 9:09:03 AM UTC-5, Nicolas Desprès wrote:
>>
>>
>>
>> On Mon, Jan 21, 2013 at 2:31 PM, Vitor HP
<vito...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>
>>> Thanks for all the answers, folks.
>>>
>>> I come to think that the flow to make this work would be the
following:
>>>
>>> 1- Mobile App log into facebook and get the access token
>>> 2- Mobile App log into the web application with whatever method
it''s
>>> been used for authentication passing along the access_token it got
from
>>> facebook
>>> 3- Once logged in successfully, the rails app uses the
mobile''s
>>> access_token to interact with facebook
>>>
>>> Is it right?
>>>
>>
>> Yes. I also think this is the way to go. Apparently OAuth2 can do the
>> authentication using an access_token: http://rubydoc.info/gems/**
>> oauth2/0.8.0/frames
<http://rubydoc.info/gems/oauth2/0.8.0/frames>
>> I am trying to get this work with omniauth and devise.
>>
>>
>>
>> 2013/1/21 Nicolas Desprès
<nicolas...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>
>>>
>>>
>>> On Mon, Jan 21, 2013 at 11:41 AM, Nicolas Desprès
<nicolas...@gmail.com>wrote:
>>>
>>>>
>>>>
>>>> On Thu, Jan 17, 2013 at 7:35 PM, Ignacio Piantanida
<napo...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>wrote:
>>>>
>>>>> 2013/1/17 Nicolas Desprès
<nicolas...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>>>>
>>>>>
>>>>>>
>>>>>> On Wed, Jan 16, 2013 at 6:17 PM, Vitor HP
<vito...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>>>>>>
>>>>>>> Hi folks.
>>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> I''m building a rails app that provides an
api for a mobile app.
>>>>>>>
>>>>>>> I have the same setup.
>>>>>>
>>>>>>
>>>>>>> The mobile app requires the user to login through
his facebook
>>>>>>> account.
>>>>>>>
>>>>>>> My question is about who should be responsible for
requesting the
>>>>>>> login.
>>>>>>>
>>>>>>> The mobile app or the rails app.
>>>>>>>
>>>>>> So far, the mobile app login using the Facebook SDK and
use that
>>>>>> information to log into the Rails app. The Rails server
uses
>>>>>> Devise+Omniauth.
>>>>>>
>>>>>>> Right now I am not really happy with this since I
can''t figure out
>>>>>> how the Rails app can use the login information
retrieved via the mobile
>>>>>> app to interact with the Facebook platform.
>>>>>>
>>>>>> I will write more as soon as I have further
information.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> --
>>>>>> Nicolas Desprès
>>>>>>
>>>>>>
>>>>>>
>>>>> The mobile app should do the login process. It then should
send to the
>>>>> server the "access token" given by Facebook.
>>>>> With this token you are able to identify your user through
the "graph
>>>>> api".
>>>>>
>>>>
>>>> Well this is point where I am stuck. As describe here :
>>>> https://developers.facebook.**com/docs/howtos/login/server-**
>>>>
side-login/<https://developers.facebook.com/docs/howtos/login/server-side-login/>I
understand how works the server-side authentication process and it works
>>>> well using a web browser. What I don''t really
understand are the steps the
>>>> mobile app has to do. Does it have to follow all the
redirection ? That
>>>> could imply to write a lot of code on the mobile app side. It
does not look
>>>> like just a couple of GET and POST to send.
>>>>
>>>>
>>> To be clearer I don''t understand how do you send the
access token from
>>> the mobile app to the server. Currently I have two entry points in
my JSON
>>> API to authenticate. One for the custom authentication (using the
account
>>> for my web app, setup by devise) and another one for the facebook
>>> authentication through the server-side flow (provided by omniauth).
Should
>>> I add another entry point to pass the access token ? It looks like
a
>>> security hole to me.
>>>
>>> --
>>> Nicolas Desprès
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ruby on Rails: Talk" group.
>>> To post to this group, send email to
rubyonra...@googlegroups.**com.
>>> To unsubscribe from this group, send email to rubyonrails-ta...@**
>>> googlegroups.com.
>>>
>>> For more options, visit
https://groups.google.com/**groups/opt_out<https://groups.google.com/groups/opt_out>
>>> .
>>>
>>>
>>>
>>
>>  --
>> You received this message because you are subscribed to the Google
Groups
>> "Ruby on Rails: Talk" group.
>> To post to this group, send email to rubyonra...@googlegroups.**com.
>> To unsubscribe from this group, send email to rubyonrails-ta...@**
>> googlegroups.com.
>>
>> For more options, visit
https://groups.google.com/**groups/opt_out<https://groups.google.com/groups/opt_out>
>> .
>>
>>
>>
>>
>>
>> --
>> Nicolas Desprès
>>
>  --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> To unsubscribe from this group, send email to
>
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> To view this discussion on the web visit
> https://groups.google.com/d/msg/rubyonrails-talk/-/PeIqXUKtSPAJ.
>
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>


-- 
Nicolas Desprès

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.