<p>I am trying to answer the same question and have been going through a lot of reading recently...</p> <p>I won't have "the" answer but things are getting a little clearer for me. Have you read the comments in <a href="http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/" rel="noreferrer">the article you mentioned</a>? I found them really interesting and helpful.</p> <p>As a result, and in the light of how things have evolved since the first article was written, here's what I think I'll do:</p> <ul> <li><p>HTTPS everywhere — this allows you to forget about HMAC, signing, nonces, ...</p></li> <li><p>Use OAuth2:</p> <ul> <li><p>When authentication requests come from my own apps/website, use this 'trick' (or a variation of it) described in a <a href="http://ahmetalpbalkan.com/blog/designing-a-secure-rest-api-with-oauth2-you-can-be-proud-of/" rel="noreferrer">reply to the article</a> mentioned before.</p></li> <li><p>In my case, I have two types of users: those with classic login/password credentials and those who have signed up with Facebook Connect.<br> So I'd provide a regular login form with a "Login with Facebook" button. If the user logs in with his "classic" credentials, I'd just send these to my OAuth2 endpoint with a <code>grant_type=password</code>.<br> If he chooses to log in via Facebook, I think that would be a two-step process:</p> <ul> <li>First, use the Facebook iOS SDK to open an FBSession</li> <li>When that's done and the app is given back control, there should be a way to get a Facebook ID for that user. I'd send this ID alone to my OAuth2 endpoint with an <a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-30#section-4.5" rel="noreferrer">extension grant</a> understood by my server as "using an FB User ID".</li> </ul></li> </ul></li> </ul> <p>Please note that I am still heavily researching all this stuff, so that might not be a perfect answer... maybe not even a correct one!
But I think that would make for a good starting point. The idea of using an "extension grant" for the Facebook authentication might involve having to register it to do things properly? I'm not quite sure.</p> <p>Anyway, I hope I was able to help you even a bit, and that at least it can start a discussion to find the best solution to this problem :)</p> <p><strong>Update</strong><br> The Facebook login is not a solution as pointed out in the comments: anybody could send an arbitrary user ID and log in as this user on the API.</p> <p>What about doing it like this:</p> <ul> <li>Show a login form with a "Facebook login" button</li> <li>If this login method is chosen, act kinda like the Facebook SDK: open a web page from your authentication server, which will initiate the Facebook login.</li> <li>Once the user has logged in, Facebook will use your redirect URL to confirm; make that URL point to another endpoint of your authentication server (possibly with an extra parameter indicating the call came from an app?)</li> <li>When the authentication endpoint is hit, the authentication server can securely identify the user, retain their FB User ID/FB Session and return an access token to your app using a custom URL scheme, just like the Facebook SDK would do</li> </ul> <p>Looks better?</p>
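The two login paths the answer ends up with, as an added example that is not part of the original post or of any real OAuth2 library: a toy token endpoint that accepts only <code>grant_type=password</code> (so there is no "send me a bare Facebook user ID" extension grant to abuse), and a server-side Facebook callback that mints a token only after the authentication server itself has established who the user is. The function and store names, the sample users, the <code>myapp://</code> URL scheme and the <code>verified_profile</code> argument (standing in for the profile the server would obtain from Facebook after the redirect; that network exchange is assumed done, not shown) are all constructed for this example.

```python
"""Added example: minimal OAuth2-style token issuance for the two login
paths discussed in the answer. Everything here (names, stores, sample
users) is constructed for illustration; it is not code from the original
post or from any real OAuth2 implementation.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed in-memory stores (a real server would use a database).
USERS = {"alice": {"id": 1, "salt": b"example-salt", "pw_hash": None}}
FB_LINKS = {"fb-1002": 2}      # Facebook user id -> local account id
TOKENS = {}                    # access token -> (local user id, expiry)
PENDING_STATES = {}            # state -> time issued (callback CSRF check)


def _hash_password(password, salt):
    # Slow, salted hash so stored credentials are not plain passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS["alice"]["pw_hash"] = _hash_password("correct horse", b"example-salt")


def _mint_token(user_id, ttl=3600):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (user_id, time.time() + ttl)
    return token


def token_endpoint(params):
    """POST /oauth/token: only the password grant is supported.

    There is deliberately no 'Facebook user id' extension grant: as the
    answer's update notes, anyone could send an arbitrary id and log in
    as that user, so the identity must be established server-side instead.
    """
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    user = USERS.get(params.get("username", ""))
    if user is None:
        return {"error": "invalid_grant"}
    given = _hash_password(params.get("password", ""), user["salt"])
    if not hmac.compare_digest(user["pw_hash"], given):
        return {"error": "invalid_grant"}
    return {"access_token": _mint_token(user["id"]), "token_type": "bearer"}


def begin_facebook_login():
    """Step 1: the app opens a page on the auth server, which redirects to
    Facebook. The server records a one-time state value for the callback."""
    state = secrets.token_urlsafe(16)
    PENDING_STATES[state] = time.time()
    return state


def facebook_callback(state, verified_profile):
    """Step 2: Facebook redirects back to the auth server's callback URL.

    `verified_profile` stands for the profile the server obtained from
    Facebook after this redirect (assumed done; the HTTP exchange is not
    shown). The client never supplies the Facebook user id directly.
    Returns the custom-scheme URL that hands the token back to the app,
    or None if the login is rejected.
    """
    if PENDING_STATES.pop(state, None) is None:
        return None              # unknown or replayed state: reject
    local_id = FB_LINKS.get(verified_profile.get("id"))
    if local_id is None:
        return None              # no linked account (sign-up not modelled)
    return "myapp://auth?" + urlencode({"access_token": _mint_token(local_id)})


def user_for_token(token):
    """Resolve a bearer token to a local user id, or None if invalid/expired."""
    entry = TOKENS.get(token)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]
```

The state value is what stops a forged or replayed callback from minting a token: it is consumed on first use, so the same callback cannot be replayed, and a request to the token endpoint that merely names a Facebook id is refused outright.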