How to secure a webservice using ONLY Facebook for authentication/authorization?

Setup

1. A LAMP web application that uses SOLELY Facebook for authent./author. (i.e. NO credentials set/asked by the web app)
2. A smartphone app that uses ONLY Facebook for authent./author.
3. A web service provided by -1- for -2- to communicate. https, of course.
4. A client-side Javascript that uses the same web service (-3-) for asynchronous CRUD

Use-Case:

A. The user signs in to -1- and the Facebook id is saved on the server side as well as a custom id.
B. The user signs in to -2- and the same happens on the client side.
C. The user enters data into -2- which is stored locally.
D. Now comes the tricky part: 2 must send the data to 1 via 3.
E. Now even trickier: 4 must do the same.

My problem:

My problem is to find a strategy to authenticate & authorize communication in D & E. It would be easy if the user were to enter credentials. These would be stored locally and he would be the trigger. And he only! However, when using solely Facebook for auth/author., authent. NEVER occurs on the client side. Thus, as far as I understand, the server has to provide some kind of legitimization. This would be, for example, a key or a token.

My question: How is the client app -3- supposed to initially authenticate the user to the server (Facebook id?)? How can I prevent someone from sending a Facebook id to the server service and, thus, getting access to the CRUD? Is some sort of an application key (like Facebook's access token) sufficient?

If so, what about -4-, the Javascript in the browser? Where to store the application key? Wouldn't it be too easy to steal that token, use it for authentication to -1- and then get access to all data of a certain Facebook user?
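The token-exchange pattern that steps D and E call for, as an added example that is not part of the original post and not the poster's code (Python is used for illustration rather than the LAMP stack in the question): the client (-2- or -4-) never sends a bare Facebook id; it sends the Facebook user access token it got from the Facebook SDK, the server (-1-) verifies that token against the Graph API debug_token endpoint using the app access token (app_id|app_secret, which only the server holds), and only then mints its own short-lived signed session token that the CRUD calls on -3- must present. The app id, app secret and the injectable `debug` callback are assumptions so the flow can be run offline with a constructed Graph API reply.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode
from urllib.request import urlopen

APP_ID = "000000000000000"             # placeholder Facebook app id (assumption)
APP_SECRET = "placeholder-app-secret"  # stays on -1-; never shipped to -2- or -4-
SESSION_KEY = secrets.token_bytes(32)  # server-side key for signing our own session tokens
SESSION_TTL = 3600                     # seconds a session token issued by -1- stays valid

def graph_debug_token(user_token):
    """Ask Facebook whether user_token is valid and which app/user it belongs to."""
    params = urlencode({"input_token": user_token,
                        "access_token": f"{APP_ID}|{APP_SECRET}"})
    with urlopen("https://graph.facebook.com/debug_token?" + params) as resp:
        return json.load(resp)["data"]

def login_with_facebook(user_token, debug=graph_debug_token, now=None):
    """Exchange a Facebook user access token for a session token from -1-.
    The client-supplied identity is accepted only after Facebook confirms the
    token was issued for THIS app. Returns the session token or None."""
    now = int(time.time()) if now is None else now
    data = debug(user_token)
    if not data.get("is_valid") or data.get("app_id") != APP_ID:
        return None                      # forged, revoked, or issued to another app
    if data.get("expires_at") and data["expires_at"] <= now:
        return None                      # Facebook reports the token as expired
    return issue_session(str(data["user_id"]), now)

def issue_session(fb_user_id, now):
    """Mint an HMAC-signed token binding the Facebook user id to an expiry."""
    payload = f"{fb_user_id}:{now + SESSION_TTL}"
    mac = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"

def verify_session(token, now=None):
    """Check a session token presented on a CRUD call; return the user id or None."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 3:
        return None
    fb_user_id, exp, mac = parts
    expected = hmac.new(SESSION_KEY, f"{fb_user_id}:{exp}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                      # payload tampered with or signed elsewhere
    if not exp.isdigit() or int(exp) <= now:
        return None                      # session expired
    return fb_user_id
```

Because the session token is bound to a Facebook user id that Facebook itself vouched for, replaying someone else's Facebook id buys nothing, and a stolen session token is limited by its expiry rather than granting permanent access; the browser client in -4- still needs the usual protections for whatever storage holds it.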