The "right" way to do OAuth from a mobile client
<p>I am building a cross-platform mobile application (using the Xamarin tools, MonoTouch / MonoDroid). I am trying to work through the authentication workflow and am running into a stumbling block. I have searched all over for a clear answer and have yet to find it.</p>
<p>Here is an overview of my current setup.</p>
<p>I have a web site built in nodejs. I use passport.js to do OAuth login on the web site. This works great: users can log in to my site using Twitter or Facebook.</p>
<p>Now I want to extend this same login functionality to my mobile clients.</p>
<p>I see 2 options:</p>
<ol>
<li><p>Embed the app id and app secrets in the mobile clients and make direct OAuth calls to FB or Twitter from the mobile app</p></li>
<li><p>Proxy the OAuth calls through my existing nodejs web server (keeping the secret keys on the server)</p></li>
</ol>
<p>Option 2 appears to be the preferred way (as it avoids having to "ship" the secret in the mobile apps).</p>
<p>I have the proxy approach mostly working.</p>
<ol>
<li>I open a WebView in my mobile client and point it at <code>http://myserver/auth/twitter</code></li>
<li>This runs through my existing passport.js code and redirects the mobile WebView over to the Twitter login page.</li>
<li>The user then enters their creds on the Twitter web page on the device.</li>
<li>Twitter then calls my OAuth callback URL (which is my nodejs web server).</li>
<li>My server and Twitter handle the back-and-forth handshake of obtaining the user profile information (<strong>As I understand it, this is the key to this approach: my server and Twitter handle the handshake; the mobile client doesn't have to do anything or pass any tokens during this process</strong>)</li>
</ol>
<p><strong>Here is my problem</strong>:</p>
<ol>
<li><p>It is this last step that stumps me. Once the handshake is complete on my server I have the user information I need on the server and <strong>need to send it back to the mobile client application</strong>.</p>
<p>I can't figure out any way in the WebView control to grab the response object and grab a cookie or header value (for instance) (this seems true for Android and iOS). I don't think it is platform specific. I think I am trying to do something that a WebView widget in mobile platforms just doesn't support. It makes me think I am missing something obvious.</p></li>
</ol>
<p>The only thing I have figured out is to have my web server "redirect" the mobile client browser to a fake URL that has the user info in the querystring. Something like <code>myapp://info?userid=1234</code></p>
<p>Then in the mobile app I can hijack the URL loading and grab this URL and get the data I need. I can then stash this userinfo, close the WebView control and move on to a native screen in my mobile application and use the userinfo in any subsequent REST calls to my nodejs server as a means of identifying the user.</p>
<p>This is massively kludgy for multiple reasons. The biggest is that the URL is sent over the wire unencrypted and has all the data in plain text.</p>
<p><strong>There has to be a better way to get the data from the web server back to the mobile client?</strong></p>
<p>Or am I doing it all wrong?</p>