
My company is developing a system that works as follows:

There is an iPhone/mobile app and a PHP server that offers REST services.

In the mobile app, the user can register/login in 2 ways:

  1. username/password couple
  2. Facebook account

While point 1 is quite clear, I am in difficulty with point number 2:

From what I understand, the sequence should be something like the following:

  1. The app sends the user data to FB, and FB, in some way that I don't care about, authenticates the user and answers with "ok, it's you".
  2. The app must now request some user data from the PHP server.

How can I authenticate the communication between the server and the app, after the user has logged in with FB in the app?

I can't just ask "send me the data of the user fbid" because with a simple request that could be retrieved by anyone.

Stormsson
  • Using the FB Graph API you can get the FB user id, name, avatar and other info. Can you use a DB to store these and communicate with the server? – iMeMyself Aug 22 '12 at 10:58
  • Yes, but I don't understand the communication part. I mean: let's say that everything is stored in the DB. When the app requests the data, how can the server authenticate that the request is allowed? I should submit to the server something that identifies me, but something that the server can recognize; if I only submit the fbid, anyone from whatever PHP script could try random fbids until it gets one – Stormsson Aug 22 '12 at 11:42
  • Also, when the app authenticates the user in FB, I must save the user data in the server DB, so there should be a data transfer from the app to the server, and even in this case I have the same problem – Stormsson Aug 22 '12 at 11:56

1 Answer

That's why you use the "secret key" (part of the Facebook settings).

When a user logs in via your app, they give approval to share info with your app and are given a token - the token is a session id. That session id can only be used by that user, from that phone, with your app - unless you have the "secret key".

The phone then passes that session id to the server.

The server then passes the token, along with the secret key, to Facebook, and Facebook gives the server back the same information as it would the user on the phone. That's how it authenticates.

For anyone else (other than the user on the phone) who does not have the secret key, the token is useless.

Robbie
  • Does this mean that all the users share the same private key, that is, the app secret? And also that all the transactions are made with a private/public key system? – Stormsson Aug 22 '12 at 12:43
  • No. Users have their own "private key" - their password. The item you share is your AppID. They use their password to prove who they are, passing along with your Facebook AppID to tell Facebook that "Anyone with the App's Secret Key, and my token, can access certain parts of my data". You use your App's Secret Key to confirm it's your App calling, and get hold of that data. This is very different from a public/private key encryption algorithm. – Robbie Aug 22 '12 at 12:50
  • I'm sorry if I insist, but I must understand fully, and I'm missing something: when the user does the FB login in the iPhone/Android app, it communicates with FB and does the login in the app. Now in the app resides an FB-logged user. At this point I need to send the user data payload to the server to create the various stuff in the DB. I don't understand what I should send to the server... What I'm sure of is that: 1) obviously it is not the clean payload; 2) there must be the FB user id to create a unique record – Stormsson Aug 22 '12 at 13:04
  • When the user logs in on the phone, they are given a token (call it a "session id" if you like). The phone sends that token to the server. The server uses that token (which identifies the user) and the secret key (which identifies the app) to get the user's data from Facebook. The data from Facebook includes the user's Facebook id, name etc. – Robbie Aug 22 '12 at 13:09
  • Ok, so after I have registered, if an FB-logged user must ask the server for some service, it sends the access token and various parameters to a server URI; the server retrieves the fbid by requesting it directly from FB (with the access token and app secret key), recognizes the user in the DB, and then offers the services. Is this interpretation correct? – Stormsson Aug 22 '12 at 13:34
  • Yes. I think you've understood. Give it a try - it becomes clearer when you do it. – Robbie Aug 22 '12 at 13:38
  • Thank you very much, I will now test it – Stormsson Aug 22 '12 at 13:40
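The server-side half of the flow Robbie describes (the phone forwards its Facebook access token, the server checks that token with Facebook using its own app secret, and only then trusts the Facebook id), written here as an added example that is not code from this thread; it is in Python rather than the PHP the question mentions, but the checks are the same. It assumes Facebook's Graph API `debug_token` endpoint, called with an app access token of the form `APP_ID|APP_SECRET`; `APP_ID` and `APP_SECRET` are placeholders, and the `fetch` parameter lets the network call be replaced by constructed responses so the logic runs offline. It goes one step beyond the thread by having the server issue its own session token after verification, so later requests do not need to carry the Facebook token at all.

```python
import json
import secrets
import time
import urllib.parse
import urllib.request

# Placeholders: the real values come from the app's Facebook settings.
APP_ID = "APP_ID_PLACEHOLDER"
APP_SECRET = "APP_SECRET_PLACEHOLDER"
GRAPH_API = "https://graph.facebook.com"


def fetch_json(url):
    """Real HTTP fetch for production; the demo below swaps in a fake."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_facebook_token(user_token, fetch=fetch_json, now=None):
    """Ask Facebook about a token the phone sent us, proving it is our app via the secret.

    Returns the Facebook user id the token belongs to, or raises ValueError.
    The fbid comes from Facebook's answer, never from the client request.
    """
    app_token = f"{APP_ID}|{APP_SECRET}"  # app access token (assumed format)
    query = urllib.parse.urlencode({"input_token": user_token, "access_token": app_token})
    data = fetch(f"{GRAPH_API}/debug_token?{query}").get("data", {})

    if not data.get("is_valid"):
        raise ValueError("token is not valid")
    # A valid token issued to some other app must not log anyone in here.
    if str(data.get("app_id")) != APP_ID:
        raise ValueError("token was issued to a different app")
    now = time.time() if now is None else now
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at < now:
        raise ValueError("token has expired")
    user_id = data.get("user_id")
    if not user_id:
        raise ValueError("token carries no user id")
    return str(user_id)


# In-memory stand-ins for the server's DB tables.
USERS = {}     # fb_id -> local user record
SESSIONS = {}  # server-issued session token -> fb_id


def login_with_facebook(user_token, fetch=fetch_json, now=None):
    """Login endpoint logic: exchange a verified Facebook token for a server session.

    Returns the server session token, or None if the Facebook token was rejected.
    """
    try:
        fb_id = verify_facebook_token(user_token, fetch, now)
    except ValueError:
        return None
    USERS.setdefault(fb_id, {"fb_id": fb_id, "created": now if now is not None else time.time()})
    session = secrets.token_urlsafe(32)  # unguessable, unlike a bare fbid
    SESSIONS[session] = fb_id
    return session


def user_for_session(session):
    """Later requests present only the server session; unknown sessions map to None."""
    return SESSIONS.get(session)


# --- constructed debug_token responses so the flow runs offline -------------
def fake_fetch_valid(url):
    """Answer for a token Facebook issued to our app (constructed sample)."""
    return {"data": {"app_id": APP_ID, "is_valid": True,
                     "user_id": "1000000000", "expires_at": 2_000_000_000}}


def fake_fetch_other_app(url):
    """Valid token, but issued to a different app id (constructed sample)."""
    return {"data": {"app_id": "OTHER_APP_ID", "is_valid": True,
                     "user_id": "1000000000", "expires_at": 2_000_000_000}}


if __name__ == "__main__":
    session = login_with_facebook("constructed-user-token", fetch=fake_fetch_valid, now=1_500_000_000)
    print("session issued for fbid:", user_for_session(session))
    rejected = login_with_facebook("other-token", fetch=fake_fetch_other_app, now=1_500_000_000)
    print("token from another app accepted?", rejected is not None)
```

The app-id comparison is the check most often forgotten: a token that is valid for some other Facebook app still passes `is_valid`, so without it any app's token could log its user into this server. Issuing a server session after verification also means the Facebook token is handled once, at login, rather than on every request.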