When trying to find an authentication system to add a social login to a web service, I have a few questions about what I should use. My requirements:
- Safe, obviously.
- Allow users to sign in with at least Google and Facebook, ideally with others like Twitter and LinkedIn.
- Be able to authenticate users in the internal service.
- Users will access the server service from a mobile application or web application.
OpenID Connect sounds good, but I understand that Facebook does not support it.
OAuth2 provides a solution using what is sometimes called backflow. This seems good for a web application, but I do not like that it seems that an attacker could potentially collect tokens from another application and use them to impersonate the user. I understand that this is especially a problem with Client / Implicit Flow.
Is there a way to protect a client’s secret in a mobile application? In particular, can I implement something in a mobile application that allows me to verify that my service was actually the intended audience for any tokens before accepting them?
This also raises a second question about the secrecy of the client / client identifier:
The client will select the user ID or e-mail address from the authorization server and send it to the source code as an identification tool, but to do this, check it. To this end, I want to know what else should I send to the background? Access token? Do I use the same client identifier and client secrecy from the authorization server on both the client and the internal server to allow the internal document to verify the access token?
- Is there another way?
- Should I just implement both Openid Connect and Facebook Connect and name the correct one for each user?
- Would this help in solving the problems?
source share