
I have a website using ASP.NET Core, which uses MS Identity and external login from Facebook.

I have a Xamarin app that logs in to this backend via login/password using Xamarin.Auth. I am wondering which is the best way to allow external login with Facebook from the app?

  • Should I create a separate Facebook app for Android or should I use the same as the website?
  • What would be the flow? I am thinking of something like:
    • Using the Facebook SDK to log in
    • Pass the token to the server
    • Check from server side if the email exists or the FB user id exists
      • If yes check whether the app is registered using Facebook and if yes login
      • If no create an account

But until now I haven't stored the user's Facebook Id (only the email, which the user can also modify).

Jean

1 Answer


Xamarin.Auth is a client library and currently has no server-side implementation.

So, your server is the Protected Resource and Facebook will be the Authorisation Server. After you obtain your tokens (access_token and refresh_token) you would try to access the Protected Resource presenting the access_token as a credential. The Protected Resource will perform token introspection (this could be a separate service/server), which will decode the token, look up the username (mail) and check the expiration of the token. This is not specified in the draft (RFC), so check how FB does token introspection.

A few links for more info:

How to validate an OAuth 2.0 access token for a resource server?

http://blog.api-security.org/2014/10/oauth-20-token-introspection-profile.html

https://www.quora.com/In-OAuth-2-0-how-do-resource-servers-assert-a-token-issued-by-an-authorization-server

https://connect2id.com/products/server/docs/api/token-introspection

https://leastprivilege.com/2015/12/27/oauth-2-0-token-introspection-middleware-for-asp-net-5/

moljac
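The flow sketched in the question (Facebook SDK login on the device, token posted to the server, server-side lookup or account creation) combined with the token introspection step the answer describes, as an added example of an ASP.NET Core Identity endpoint. This is illustrative code written for this page, not the poster's backend and not part of Xamarin.Auth. Assumptions: Identity uses the default `IdentityUser`; the config keys `Authentication:Facebook:AppId` and `Authentication:Facebook:AppSecret` hold the website's Facebook app credentials; an optional `Authentication:Facebook:AllowedAppIds` array lists every Facebook app id whose tokens the server should accept; the login provider name `"Facebook"` matches what the website's external login already stores; and the mobile app POSTs `{"accessToken": "..."}` to `/api/auth/facebook`. Facebook's `debug_token` endpoint is real (it is Facebook's form of token introspection), the route and class names are made up:

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

// Body posted by the mobile app after the Facebook SDK login (hypothetical contract).
public sealed class FacebookTokenRequest { public string AccessToken { get; set; } = ""; }

// Only the fields of Facebook's /debug_token and /me responses that are used below.
public sealed class DebugTokenResponse { [JsonPropertyName("data")] public DebugTokenData? Data { get; set; } }
public sealed class DebugTokenData
{
    [JsonPropertyName("app_id")] public string? AppId { get; set; }
    [JsonPropertyName("is_valid")] public bool IsValid { get; set; }
    [JsonPropertyName("user_id")] public string? UserId { get; set; }
    [JsonPropertyName("expires_at")] public long ExpiresAt { get; set; }   // unix seconds, 0 = never expires
}
public sealed class FacebookMe
{
    [JsonPropertyName("id")] public string? Id { get; set; }
    [JsonPropertyName("email")] public string? Email { get; set; }
}

[ApiController]
[Route("api/auth/facebook")]
public sealed class FacebookLoginController : ControllerBase
{
    private const string Provider = "Facebook";   // must equal the provider name the website's Identity setup stores
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;
    private readonly HttpClient _graph;
    private readonly string _appId, _appSecret;
    private readonly HashSet<string> _allowedAppIds;

    public FacebookLoginController(UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn,
                                   IHttpClientFactory httpFactory, IConfiguration config)
    {
        _users = users;
        _signIn = signIn;
        _graph = httpFactory.CreateClient();
        _graph.BaseAddress = new Uri("https://graph.facebook.com/");
        _appId = config["Authentication:Facebook:AppId"] ?? throw new InvalidOperationException("Facebook AppId missing");
        _appSecret = config["Authentication:Facebook:AppSecret"] ?? throw new InvalidOperationException("Facebook AppSecret missing");
        // Assumption: AllowedAppIds holds the website's app id plus, if a separate Facebook app is created
        // for Android, that app's id. A token minted for any other Facebook app is rejected; without this
        // check a user token leaked from an unrelated Facebook app would log its owner in here.
        _allowedAppIds = new HashSet<string>(
            config.GetSection("Authentication:Facebook:AllowedAppIds").Get<string[]>() ?? new[] { _appId });
    }

    [HttpPost]
    public async Task<IActionResult> Login([FromBody] FacebookTokenRequest req)
    {
        if (string.IsNullOrWhiteSpace(req.AccessToken)) return BadRequest();

        // 1. Token introspection: ask Facebook, authenticated with our own app token ("appid|secret"),
        //    what this user token is. Facebook answers HTTP 400 for garbage tokens, hence the catch.
        DebugTokenData? data;
        try
        {
            var introspect = await _graph.GetFromJsonAsync<DebugTokenResponse>(
                $"debug_token?input_token={Uri.EscapeDataString(req.AccessToken)}" +
                $"&access_token={Uri.EscapeDataString(_appId + "|" + _appSecret)}");
            data = introspect?.Data;
        }
        catch (HttpRequestException) { return Unauthorized(); }

        if (data == null || !data.IsValid || data.UserId == null
            || data.AppId == null || !_allowedAppIds.Contains(data.AppId)
            || (data.ExpiresAt != 0 && data.ExpiresAt <= DateTimeOffset.UtcNow.ToUnixTimeSeconds()))
            return Unauthorized();

        // 2. Look the user up by the Facebook user id (the provider key), never by an email the client sent.
        var user = await _users.FindByLoginAsync(Provider, data.UserId);
        if (user == null)
        {
            // Fetch the profile with the user token itself; its id must match the introspected user id.
            var me = await _graph.GetFromJsonAsync<FacebookMe>(
                $"me?fields=id,email&access_token={Uri.EscapeDataString(req.AccessToken)}");
            if (me?.Id != data.UserId) return Unauthorized();

            // Assumption: an existing local account with the same email may be linked automatically.
            // If that is too permissive for this site, require a password login before linking instead.
            if (!string.IsNullOrEmpty(me.Email)) user = await _users.FindByEmailAsync(me.Email);
            if (user == null)
            {
                user = new IdentityUser { UserName = me.Email ?? $"fb_{data.UserId}", Email = me.Email };
                var created = await _users.CreateAsync(user);
                if (!created.Succeeded) return BadRequest(created.Errors);
            }
            var linked = await _users.AddLoginAsync(user, new UserLoginInfo(Provider, data.UserId, Provider));
            if (!linked.Succeeded) return BadRequest(linked.Errors);
        }

        // 3. Establish the local session (a cookie here; a token-based API would issue its own token instead).
        await _signIn.SignInAsync(user, isPersistent: false);
        return Ok(new { user.Id, user.Email });
    }
}
```

Two points this makes concrete beyond the text: the server stores the Facebook user id as the Identity provider key (`AddLoginAsync`), so a later email change does not break the link, and the `app_id` returned by introspection is compared against an allow-list, so whichever answer is chosen to "separate app or the same one", the server only honours tokens issued for apps it knows about.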