What is the best way to login to the application via facebook and login to a rest (spring boot) server?

9

I'm creating an app with react native where I log in to facebook and I also have information from this user, created after login, on a rest server that I developed with spring boot.

As the rest server will not have a password because the user has already logged in via facebook, what is the best way to authenticate calls on the server?

asked by anonymous 27.10.2017 / 20:36

1 answer

6

If you integrate your application's authentication with Facebook, and your application is not a Facebook-specific app, then you use the OAuth protocol.

There is a lot to talk about and study in this protocol, but for now you just need to know the following: when signing in to Facebook (or Google, Microsoft, Yahoo!, etc.) the user obtains an access token for the application that requested the authentication. The client application passes this token to the server. The token is valid for a set time and only for the application that requested authentication.

The OAuth flow looks like this (taken from this page):

So, in order:

1 - User requests to authenticate with an identity provider (in this case, Facebook);
2 - User says "My body, my body is ready. Return to me!";

Between step 2 and step 3, the Facebook authentication screen appears. At some point here the user will be authenticated on Facebook.

3 - The result of step 2 is that the application receives a token. Your application now sends this token to Facebook;
4 - Facebook confirms that the token it received is the same one it gave to the user. From here you can consider the user authenticated.

If your application is web, served over HTTP, you can skip steps 5 and 6. Otherwise, consider that the resource server is your HTTP server, and Application in the diagram is a desktop or mobile application.

With this in mind, just check that the user's requests come with the correct token. Other security measures can be used, such as ensuring that tokens are short-lived, validating that a token always comes from the same IP within its lifetime, and so on. But those are matters for other questions.

27.10.2017 / 20:52
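Steps 3 and 4 of the answer, done on the Spring Boot side, as an added example that is not part of the original answer: a servlet filter takes the Facebook access token the React Native client sends as a Bearer token, asks Facebook's `debug_token` endpoint about it, and only accepts it if Facebook reports it as valid, issued to this app (same `app_id`), and not yet expired. The Facebook user id that Facebook returns, not anything the client claims, becomes the authenticated principal. Assumptions: Spring Boot 2 with Spring Security on the classpath, the package name `com.example.auth`, and the properties `facebook.app-id` and `facebook.app-secret` set in `application.properties`.

```java
// Added example, not code from the original answer. Assumes Spring Boot 2 / Spring Security 5
// and the properties facebook.app-id and facebook.app-secret (hypothetical names).
package com.example.auth;

import java.io.IOException;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class FacebookTokenFilter extends OncePerRequestFilter {

    // Graph API endpoint that reports who a user token was issued to and whether it is still valid.
    private static final String DEBUG_TOKEN_URL =
        "https://graph.facebook.com/debug_token?input_token={token}&access_token={appToken}";

    private final String appId;
    private final String appToken; // "app_id|app_secret" is accepted by Facebook as an app access token
    private final RestTemplate rest = new RestTemplate();

    public FacebookTokenFilter(@Value("${facebook.app-id}") String appId,
                               @Value("${facebook.app-secret}") String appSecret) {
        this.appId = appId;
        this.appToken = appId + "|" + appSecret;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res); // no token: Spring Security rejects protected URLs as usual
            return;
        }
        String userToken = header.substring("Bearer ".length()).trim();

        String facebookUserId = verifyWithFacebook(userToken);
        if (facebookUserId == null) {
            res.sendError(HttpStatus.UNAUTHORIZED.value(), "invalid Facebook token");
            return;
        }
        // Principal is the user id Facebook confirmed for this token, never a client-supplied id.
        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
            facebookUserId, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(req, res);
    }

    /** Returns the Facebook user id the token belongs to, or null if the token must be rejected. */
    @SuppressWarnings("unchecked")
    String verifyWithFacebook(String userToken) {
        Map<String, Object> body;
        try {
            body = rest.getForObject(DEBUG_TOKEN_URL, Map.class, userToken, appToken);
        } catch (RestClientException e) {
            return null; // network error or 4xx from the Graph API: fail closed
        }
        if (body == null || !(body.get("data") instanceof Map)) return null;
        Map<String, Object> data = (Map<String, Object>) body.get("data");

        boolean valid = Boolean.TRUE.equals(data.get("is_valid"));
        // Step 4 of the answer: a token Facebook issued to some other app is not ours to honour.
        boolean issuedToThisApp = appId.equals(String.valueOf(data.get("app_id")));
        // Reject tokens with no positive expiry: a missing or zero expires_at is treated as invalid here.
        Object exp = data.get("expires_at");
        boolean unexpired = exp instanceof Number
            && ((Number) exp).longValue() > System.currentTimeMillis() / 1000L;
        if (!(valid && issuedToThisApp && unexpired)) return null;

        Object uid = data.get("user_id");
        return uid == null ? null : uid.toString();
    }
}
```

Register the filter in your `WebSecurityConfigurerAdapter` with `http.addFilterBefore(facebookTokenFilter, UsernamePasswordAuthenticationFilter.class)` and require `.anyRequest().authenticated()`, so a request without a verified token never reaches a controller. Calling Facebook on every request is slow, so in practice you cache the verification result per token until the `expires_at` Facebook reported; the lifetime check above still applies to the cached entry.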