14

So my intention is to have a login in my iOS app that allows for either our standard email/pwd registration, or login with Facebook. We are also creating rest services to get application info for a given user, e.g. https://url/getPosts/[userId]?userPwd=foo

I've implemented SSO with fb in a web application before but I have some concerns about the security of authentication in a iOS client scenario. The key difference from what I've done before is that in a web app, I was making a server to server call to Facebook to get the access token so I was reasonably assured that the user was authenticated and the web server made privileged calls to the database. In the iOS case, I have the mobile client app making the Facebook iOS authentication request itself and the server has to somehow trust that this user from the client app is indeed authenticated against the matching user record in our database.

My question is how do I generate a durable and secret unique key from the iOS SDK so that I can create and associate a matching user record in our database for users that authenticate only with Facebook. I want this to be seamless so the user would not have to manually fill out another form, and we would just automatically create this matching user record in our db.

I could insert a record into my own users table when they fbDidLogin with Facebook, using the Facebook Id as the unique identifier, and the fb access token as the pseudo password/key for my own user record. I would have to validate the access token with Facebook to make sure it's valid before saving it as a password for the user (the user would never see this password, it would just be passed by the client app during api calls). That way when the user makes a call to our own rest api via the iPhone app we can authenticate and authorize using this secret/pwd/key.

An alternative that would make this whole question moot is to just handle the authorization logic on the client app, and check that there is a valid fb session before making calls to our own apis which I secure with just a single application-wide secret, but that doesn't seem as secure since getting that one secret gives authorization to data on all users. I'd rather authorize at an individual user level. Is that the right choice? Am I being paranoid about iOS security?

The fb access token expires so that might not seem durable, however if I enable offline access that token won't expire but creates a scarier looking oauth dialog window. An alternative to the access token is to hash the fb Id with an application secret key on the iOS client, and use that as the Facebook user's password in our db. However, that again is a single secret key that could perhaps be reverse compiled from the iOS client app?

MonkeyBonkey
  • 40,521
  • 63
  • 217
  • 426

3 Answers3

13

Design for Facebook authentication in an iOS app that also accesses a secured web service

This post helped me undesrtand it more. If I am not mistaken, the flow goes like this:

  1. User authenticates in iOS app
  2. iOS app takes auth token, sends it to the rails app
  3. Rails app takes auth token and sends it to graph.facebook.com/?auth_token=XXX to get back the user if authentication was successful.
  4. Rails app takes the user info and matches/creates user in own database table. Sends some kind of authentication key back to iOS app.
  5. iOS app saves the authentication key so it can use it to communicate with the rails app.

Let me know if I am missing anything.

Community
  • 1
  • 1
chourobin
  • 3,674
  • 4
  • 33
  • 48
  • Hello! In point 4 and 5, when you say "authentication key",do you mean something like a session cookie? Now I'm trying to integrate facebook login into my app, and currently my client-server architecture uses basic authentification and ssl. Can I integrate faacebook login into my current model? Thanks in advance :) – Ricardo Mar 11 '12 at 14:35
  • 1
    the authentication key is like an api key just for your rails app. it helps your ios app and rails app communicate securely so you can make changes like modify user info etc. just add a column in your user db for api_key and generate it when a new user is created. http://www.justinbritten.com/work/2009/05/rails-api-authentication-using-restful-authentication/ – chourobin Mar 11 '12 at 22:27
0

Have you looked at the iOS docs for Single Sign On (SSO)? https://developers.facebook.com/docs/guides/mobile/#ios

You can share an app ID across mobile, canvas and web site and the same user auth works for each environment.

Check out: https://developers.facebook.com/docs/authentication/

Facebook Platform provides a number of ways to use the above OAuth flows in different app types, including Websites, Apps on Facebook.com, Mobile and Desktop Apps.

CPD
  • 427
  • 2
  • 11
  • In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the normal steps to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission. – CPD Sep 09 '11 at 13:34
  • Hi Charles, yup, I've already looked at that document and I've implemented similar scenarios in a web environment. The docs mainly focus on scenarios where you use fb as your user provider and doesn't necessarily address the best methods for combining a hybrid user. My main concern is what changes I might have to accommodate for security on a an iOS client app. In a web app I would just make a server to server call to fb to get the auth token, so was reasonably assured of security. However, in the iOS case, the client is making the call, and I have some concerns about security in that case – MonkeyBonkey Sep 09 '11 at 14:43
  • You should be able to re-get the auth token server side, as long as the user has not de-authed your app or uninstalled your app. If they have you can send a fail to the iOS client and then have the user re-auth. It's best practice to hold your own database of user ids and connect the FB user toi your internal representation -- it gives you one level of indirection between the FB UID and you own UID. You can also user FK constraints in you DB that way. For non-FB users, you need to build your own auth -- best idea is to use the reg plug-in. Or just use FB users! – CPD Sep 09 '11 at 17:03
  • 1
    Charles, this all hinges on being able to "re-get the auth token server side" as you said. But I can't find in the docs how to do this? Can you point me to the right place? All I need (I have a similar problem to MonkeyBonkey) is a way to, server-side, ensure the user's Facebook login is still current, but I can't find this. – user700774 Oct 10 '11 at 21:11
  • I think this is what you want: https://developers.facebook.com/docs/mobile/ios/build/#extend_token – Ricardo Mar 11 '12 at 14:51
-3

You just need to insert users Facebook key to your database to know if its authenticated with Facebook. Use OAuth at ios side authenticate user take users secret key send it to your rest web-service and save it with users other info.

bkaid
  • 49,467
  • 20
  • 108
  • 126
Hardik Soni
  • 87
  • 1
  • 7
  • I assume that you are saying the secret key is the user's auth token that we get back from fb? What about scenarios where the authtoken expires? I suppose I can just update the authToken in our user database every time the user refreshes their Facebook session... – MonkeyBonkey Sep 09 '11 at 13:10
  • auth token do not expire as u saying.. The key m saying is 32 latter key u might knw abt it. if u insert it in database and than u can perform all nessesry performances with it like wall post. (ie: its graph api see developer.facebook.com for more info) – Hardik Soni Sep 12 '11 at 05:45
  • I have the same concern here. Say I login with facebook and retrieve the UID which can be matched against my own User DB. If I want to modify an attribute on my own User table, do I just post to the user with the matching UID? Does that mean potentially anyone can modify my User table if they know the UID? – chourobin Oct 27 '11 at 23:24
  • I am not getting yours quetion please specify. – Hardik Soni Nov 25 '11 at 13:40