
I have created the SDK and now want to integrate OAuth for the authentication process. Now I want to do the same as the Facebook SDK does: if the client app is already installed and logged in, it switches to that app, asks for permission and switches back to the app that wants to authorise it. If the client app is not there, it will open the webpage and on login ask for permission and then redirect to my app after login.

We have implemented OAuth on the server but are not sure which grant_type we should use to achieve the above functionality. We cannot store the password in the client app.

Let me know if anyone has an idea how to achieve this functionality and implement the same flow as other SDKs (Facebook, Twitter) do.

Manish Agrawal

2 Answers


For mobile-based apps use the following URL for authentication:

POST https://api.example.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID

Pass the authorization code from the app if the user is logged in; if the user is not logged in, first navigate to the login page, and on successful login the authorization page comes up as usual. NOTE: It might be insecure as we are sending the code in a query param, but doing it in a request over SSL enhances security.

For browser authentication:

https://example.com/auth?response_type=token&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos

where authentication picks up the login session if the user is already logged in.

Manish Agrawal

I think you already answered your own question when you said "I want to do same as Facebook SDK does".

The Facebook SDK provides the framework for detecting whether the Facebook application is installed in order to avoid signing up through a WebView interface. Google also provides an authentication and authorization API through Google+ Sign-In instead of a browser. As you can see:

[screenshot of the Google documentation; image not available]

the documentation suggests using the right device infrastructure rather than the system browser.

According to this post, it is possible to programmatically check whether an application is installed. For Android, I think that both SDKs check whether their related apps are installed when you trigger the sign up/in/out process and invoke the system browser if necessary.

Thus, in order to provide a generic OAuth 2.0 flow, you could also do the same programmatically, but I guess that drilling down into this information, picking the right application, and launching it won't be an easy task.

JP Ventura
  • Detecting an application is not really challenging; my question is more towards the OAuth implementation, i.e. how we can pass the token to the server to use SSO and the correct OAuth flow. – Manish Agrawal Aug 08 '14 at 04:35
  • One possibility is passing the token to the server through the HTTPS Authorization request header. The server could check the 'expires_in' by accessing the OAuth 2.0 provider and only reply to your requests while the token is valid. When it expires, you would return ERROR 401, forcing your SDK to renew the token on the application side. The other possibility is hybrid authorization: you obtain from the OAuth 2.0 entity an access_token and a one-time code. This code is sent to your server and it exchanges it for its own access_token and id_token. Take a look at http://goo.gl/nOEbFC – JP Ventura Aug 08 '14 at 09:23