Design For Facebook Authentication in an iOS App That Also Accesses a Secured Web Service

Design for Facebook authentication in an iOS app that also accesses a secured web service

I just dealt with this myself, and here's the part that bit me:

In your step 5... It's possible for a user to register for an account with you entirely separate from their Facebook ID, right? Then some other time they log in with Facebook.... And you just created them a second account and lost their first one.

There needs to be a way to be logged in to your web service, then log in to facebook, and capture the association between the facebook ID and the local account.

Apart from that, your plan sounds solid.

Update: Facebook has added a doc outlining such a scenario HERE

Handling User Auth (via Facebook) and secure communication within an app

If you make the server fetch the user info using the access token you can do something like this:

  1. do client side OAuth authentication and receive an access token
  2. send the access token to your backend and get the user info including the Facebook ID with the Facebook API using this token
  3. The server will store the hashed ID (cookie = id + ":" + hash(id + secret)) in an HTTP cookie
  4. Do your registration/login thing
  5. On each request to the backend of the server will validate the id from the cookie by recomputing the hash with the secret and comparing it with the value from the cookie

Spoofing facebook app ID

To summarize for anyone else who happens to contemplate this - there is indeed no way to prevent the client ID from being spoofed. This is one reason that developers are discouraged from using the OAuth implicit flow in native apps as pointed out by Andre D in

the use of the Implicit Flow with native apps is NOT


In practice, if anyone mounts this attack, then the user will download App A (a malicious app) and will then be asked to authorize App B to make actions on their behalf. As far as I can tell, this is generally the only indication that an attack is taking place.

For a hybrid SSO scenario using the Facebook iOS SDK, what's the best way generating a password/key for our own custom user records?

Design for Facebook authentication in an iOS app that also accesses a secured web service

This post helped me undesrtand it more. If I am not mistaken, the flow goes like this:

  1. User authenticates in iOS app
  2. iOS app takes auth token, sends it to the rails app
  3. Rails app takes auth token and sends it to to get back the user if authentication was successful.
  4. Rails app takes the user info and matches/creates user in own database table. Sends some kind of authentication key back to iOS app.
  5. iOS app saves the authentication key so it can use it to communicate with the rails app.

Let me know if I am missing anything.

How to secure web service methods using tokenization for Facebook logins?

We can use the User Access Token which will be received from Facebook once the User gave the permissions to the application.

How to allow mobile apps to login with Facebook and Google to access web service on GAE?

Looks like you have an app and a backend on GAE.
If you are using google identity toolkit, it will allow you to signin with Facebook, Google, and email/password.

When user successfully signs in to your app using identity toolkit, your server should receive a gtoken. You have two options here:

  1. Pass the gtoken to your app and save it there. When your app makes API calls to your backend, you app should attach the gtoken to every request. Your backend should verify the gtoken( for every API that needs authorization.
  2. Verify the gtoken, generate a token that your backend can recognize/identify the user. Then pass the token to your app and everything else is the same as option 1.

If you do not want to use identity toolkit, you can implement facebook login on your app/backend and use facebook token to communicate between your app and backend.

Whatever your decision is, apps that use your API should pass you something that your backend can recognize/authorize the user.

Related Topics

Leave a reply