
I am going to build a mobile (and web) application which will allow email/password registration along with social (Facebook, Google) registration. The native or web app will call REST web services (secured by Spring OAuth2). Social login will be handled by the native/web app. The REST service will not have any clue if the user is logged in. In case of email registration, username/password will be passed to the WS. Given these facts, what is the standard or good approach to secure REST services? Any experience with similar architecture?

A couple of ideas we are going through:

  1. At the beginning, when the app is launched, pass the device id to the WS. The WS will send a push notification to the device silently (using Apple/Google) containing one authorization code. This code will be passed for OAuth2 authentication. But not sure how to handle the web application here.
  2. Once the user logs into social, obtain the social id by passing the token from the social provider. Pass the social access token and this id to the WS. The WS will validate the token against the id, making a call to the provider OAuth service (e.g. https://graph.facebook.com/me?fields=id&access_token=XXX ).
Vadim Kotov
Mithun
  • be careful with device id, it is not guaranteed to always stay intact – mariubog Jan 16 '15 at 20:03
  • Maybe these will help: [this](http://stackoverflow.com/questions/3963877/creating-an-api-for-mobile-applications-authentication-and-authorization) and [this](http://stackoverflow.com/questions/4574868/securing-my-rest-api-with-oauth-while-still-allowing-authentication-via-third-pa) – FrAn Jan 16 '15 at 22:57
  • Thanks FrAn and user1289300. I have gone through the articles and a few more articles on the internet. Everyone has implemented their own solutions and I can't find a standardized, well-documented solution. My basic problem is, the user is authenticated on the mobile device using social (Facebook, Google) and wants to access the application REST service. But my application REST service does not have any clue if the user is actually logged in. – Mithun Jan 19 '15 at 17:24

1 Answer


Finally we decided to go with option #2 as it looks more robust and a similar architecture has been used by many projects. We will pass the social OAuth token to the REST service over secure HTTP.

Mithun
  • Would you be able to share more details on how you have achieved this, we have exact same problem – zalis Feb 03 '17 at 03:38
  • It's been a long time since I posted that and I am sure technology has changed of course :) Are you using Spring Social? I am kind of deferring from what I learnt initially. Instead of using a client-side JS library for social logins, you can rather call the Spring Social end-point. I have readily available code but that's in Ionic + Node backend. I am pretty sure you can just do the same with Spring Social. – Mithun Feb 04 '17 at 00:04
  • Ionic is exactly what I need. Ideally what I want is to do the OAuth2 dance on the app itself, and later once the access_token is received from Facebook send it to my Java server, where I guess Spring Social will validate this token and provide my user another access_token that can be used within my app – zalis Mar 23 '17 at 10:29
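The flow the question's option #2 and the last comment describe (client does the social login, sends the provider's access token plus the social id to the backend, backend validates it with the provider and hands back its own API token) as an added, self-contained example. This is not the asker's Spring OAuth2 code nor Spring Social; it is written in Python so it runs stand-alone, with the provider round-trip behind an injectable `fetch` function so the same logic works against the real endpoints (Facebook's `GET /debug_token?input_token=..&access_token=<app token>` and Google's `GET https://oauth2.googleapis.com/tokeninfo?access_token=..`, both documented by those providers) or against the constructed fake provider below. The app ids, the signing key and the HMAC-signed API token are placeholders; a real deployment would issue a proper OAuth2/JWT token from its own authorization server. One point the `/me?fields=id` check in the question does not cover and the code does: the provider must also report that the token was issued to *your* app (Facebook `app_id`, Google `aud`), otherwise a valid token the same user granted to an unrelated app could be replayed against this service.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Placeholder app identities (assumptions, not real credentials).
FACEBOOK_APP_ID = "123456789012345"
FACEBOOK_APP_TOKEN = FACEBOOK_APP_ID + "|app-secret-placeholder"
GOOGLE_CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"
API_SIGNING_KEY = secrets.token_bytes(32)   # key for OUR API tokens; keep outside code in practice
API_TOKEN_TTL = 3600


@dataclass
class Introspection:
    valid: bool
    audience: str    # Facebook app_id / Google aud: which app the token was issued to
    user_id: str     # Facebook user_id / Google sub
    expires_at: int  # unix seconds, 0 if the provider did not say


def http_get_json(url, params):
    """Real transport: GET url?params over TLS and parse the JSON body."""
    with urllib.request.urlopen(url + "?" + urllib.parse.urlencode(params), timeout=5) as resp:
        return json.load(resp)


def introspect_facebook(token, fetch):
    # debug_token (unlike /me?fields=id) reports which app the token was issued to.
    data = fetch("https://graph.facebook.com/debug_token",
                 {"input_token": token, "access_token": FACEBOOK_APP_TOKEN}).get("data", {})
    return Introspection(bool(data.get("is_valid")), str(data.get("app_id", "")),
                         str(data.get("user_id", "")), int(data.get("expires_at", 0)))


def introspect_google(token, fetch):
    data = fetch("https://oauth2.googleapis.com/tokeninfo", {"access_token": token})
    return Introspection("error" not in data, str(data.get("aud", "")),
                         str(data.get("sub", "")), int(data.get("exp", 0)))


PROVIDERS = {"facebook": (introspect_facebook, FACEBOOK_APP_ID),
             "google": (introspect_google, GOOGLE_CLIENT_ID)}


def social_login(provider, social_id, access_token, fetch=http_get_json, now=None):
    """Validate the client-supplied social token; return our own API token or raise."""
    now = int(time.time()) if now is None else now
    if provider not in PROVIDERS:
        raise PermissionError("unknown provider")
    introspect, expected_audience = PROVIDERS[provider]
    info = introspect(access_token, fetch)
    if not info.valid:
        raise PermissionError("provider rejected the token")
    if info.expires_at and info.expires_at <= now:
        raise PermissionError("social token expired")
    if info.audience != expected_audience:
        raise PermissionError("token was issued to a different app")
    if info.user_id != str(social_id):
        raise PermissionError("token belongs to a different user than claimed")
    return issue_api_token(f"{provider}:{info.user_id}", now)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def issue_api_token(subject, now):
    payload = _b64(json.dumps({"sub": subject, "exp": now + API_TOKEN_TTL}).encode())
    sig = hmac.new(API_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_api_token(token, now=None):
    """What every later REST call does: check signature and expiry, return subject or None."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(API_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims["sub"] if claims["exp"] > now else None


# Constructed offline stand-in for the two provider endpoints (not real provider data).
FAR_FUTURE = 4102444800
FAKE_FACEBOOK = {
    "fb-good":      {"is_valid": True,  "app_id": FACEBOOK_APP_ID, "user_id": "10001", "expires_at": FAR_FUTURE},
    "fb-other-app": {"is_valid": True,  "app_id": "999",           "user_id": "10001", "expires_at": FAR_FUTURE},
    "fb-expired":   {"is_valid": False, "app_id": FACEBOOK_APP_ID, "user_id": "10001", "expires_at": 1},
}
FAKE_GOOGLE = {"g-good": {"aud": GOOGLE_CLIENT_ID, "sub": "20002", "exp": FAR_FUTURE}}


def fake_fetch(url, params):
    if url.endswith("/debug_token"):
        return {"data": FAKE_FACEBOOK.get(params["input_token"], {"is_valid": False})}
    if url.endswith("/tokeninfo"):
        return FAKE_GOOGLE.get(params["access_token"], {"error": "invalid_token"})
    raise RuntimeError("unexpected URL " + url)


def login_result(provider, social_id, token):
    """Subject of the issued API token, or the reason the login was refused."""
    try:
        return verify_api_token(social_login(provider, social_id, token, fetch=fake_fetch))
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    for args in [("facebook", "10001", "fb-good"), ("facebook", "10001", "fb-other-app"),
                 ("facebook", "77777", "fb-good"), ("google", "20002", "g-good"),
                 ("google", "20002", "bogus")]:
        print(args, "->", login_result(*args))
```

The social token is treated purely as a one-time login credential: it is checked with the provider, never stored, and the client continues with the service's own short-lived token, which is what the REST layer verifies on each call. That is also why the exchange must run over TLS, as the answer says: anyone who captures the social token can log in as that user until it expires.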