Maintaining a user session (after Facebook O-Auth, to enter the server)

I am writing a mobile application using O-Auth "connect with Facebook" to:

1) Let Facebook deal with the authentication
2) Not force my users to register on another website
3) Get Facebook information

I implemented a Facebook server-side login (in Java):

https://developers.facebook.com/docs/howtos/login/server-side-login/

I do not understand how I can maintain a user session once a user has connected to Facebook.

Here is a flow from end to end, please correct me if I am wrong.

1) The user logs into my server (Android app using WebView)
2) The server redirects the user to Facebook (with client_id, redirect_url, state and permissions)
3) The user is now facing the Facebook login dialog.
3.1) If the user denies: Facebook calls the redirect_url and notifies the server that there was an error. (Flow ends here)
3.2) If the user accepts: Facebook calls the redirect_url (my server) with the state I've set (for CSRF protection) and a code.
4) The server contacts Facebook and sends it the app_id, redirect_url, client_secret and code, and in return Facebook calls the redirect_url with a valid token. This token allows the server to issue Facebook API calls on behalf of the user.

So far, everything is working fine. Now for the main question - Session Management.

Now that I have received the token, I need to find out which user it belongs to, so I can grab data from my database or create a new record (in the case of a new user).

1) What identifier should I use to identify the user on my DB server? (Do I need to call the Facebook API to extract basic information and from this extract the email address and/or unique identifier?)

2) Once I have received this unique identifier, how do I contact the user again? In step 2, the server redirected him to Facebook, which means that he opened a new connection to Facebook and is no longer connected to the server. How do I set a cookie now that he's gone? <- *This part is confusing to me.*

3) At what point do I need to set the SESSION identifier (cookie) in the user's request, so that the next time he contacts me, I will know who it is?

I think Stack Overflow is the best example to illustrate my problem. I clicked the "Connect with Facebook" button, and suddenly I became a Stack Overflow user without registering. How does Stack Overflow know how to pull up the questions I have already asked? How did it identify me? And at what point in the chain I described did it set a cookie in my request?

Thank you for your time.

1 answer
  • You have encountered one of the major misunderstandings regarding OAuth: OAuth is authorization. The user gives you (the client) permission to access data on his behalf. If you want to authenticate a user, some providers allow you to access a unique id that lets you distinguish between users. So yes, if you want to identify the user, you must request his unique identifier.

  • There are several ways to do this. All of them involve creating a unique session identifier which you save until the user is redirected. As soon as the user returns, he will return your id. If you see that you issued and saved this id, you remove the id and you know which user you are talking to. You can either save this id in a cookie or pass it as part of the state parameter.

  • Any time before the redirect will be possible. If you want to know which user you are talking to at any time, just do it the first time he calls you.

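An added example (not from the question or the answer, and in Python rather than the asker's Java) of the approach the answer describes: the session cookie and the `state` value are issued and stored before the redirect in step 2, and on the callback the server matches the returned `state` against the session the browser presents, exchanges the code, and binds the provider's user id to that session. The code exchange and user-id lookup are passed in as callables so the example runs offline; the stores are constructed in-memory dicts and the parameter names are assumptions.

```python
import hmac
import secrets
from typing import Callable, Optional
from urllib.parse import urlencode

# Constructed in-memory stores; a real server would keep these in a DB or session backend.
PENDING_STATES: dict[str, str] = {}      # state -> session id issued before the redirect
SESSIONS: dict[str, Optional[str]] = {}  # session id -> local user id (None until login completes)
USERS_BY_FB_ID: dict[str, str] = {}      # provider user id -> local user id

FB_AUTH_URL = "https://www.facebook.com/dialog/oauth"  # assumed endpoint for the step-2 redirect


def begin_login(client_id: str, redirect_uri: str, scope: str = "email") -> tuple[str, str]:
    """Step 2: create the session cookie and a one-time state, remember the pair,
    and build the redirect URL. The caller sets session_id as a cookie before redirecting."""
    session_id = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(32)
    SESSIONS[session_id] = None          # session exists, but nobody is logged in yet
    PENDING_STATES[state] = session_id   # bind the state to this browser's session
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": scope, "state": state})
    return session_id, f"{FB_AUTH_URL}?{query}"


def finish_login(cookie_session_id: str, state: str, code: str,
                 exchange_code: Callable[[str], str],
                 fetch_user_id: Callable[[str], str]) -> Optional[str]:
    """Callback (step 3.2 / 4): the browser presents its cookie and the state Facebook echoed.
    Only a state we issued, for this very session, is accepted, and only once."""
    expected_session = PENDING_STATES.pop(state, None)   # one-time use: a replay finds nothing
    if expected_session is None or not hmac.compare_digest(expected_session, cookie_session_id):
        return None  # unknown or replayed state, or a state from another browser: reject as CSRF
    token = exchange_code(code)            # server-to-server exchange of the code for a token
    provider_id = fetch_user_id(token)     # the unique id the answer says you must request
    local_user = USERS_BY_FB_ID.setdefault(provider_id, f"user-{len(USERS_BY_FB_ID) + 1}")
    SESSIONS[cookie_session_id] = local_user   # the cookie set in step 2 now identifies the user
    return local_user


def current_user(cookie_session_id: str) -> Optional[str]:
    """Any later request: the cookie alone tells the server who is talking."""
    return SESSIONS.get(cookie_session_id)
```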

Source: https://habr.com/ru/post/1443520/
