Ruby-on-rails – OAuth flow, iPhone -> Rails -> Facebook

facebookoauth-2.0omniauthruby-on-rails

I'm building an app with both a web client and a iPhone client.

On the web client I authenticate users through Facebook with Omniauth, the user can then post actions on the app to Facebook. That works good.

I'm having some problem implementing the Auth flow from the iPhone application.

I've set up Doorkeeper in the rails app as an OAuth provider. Although I'm not sure how the authentication flow should be implemented.

I've come up with this:
The user can log in to Facebook in the iPhone and get a token. The idea is then to send the token, along with the Facebook uid to the rails app, store it, and authenticate the user with Omniauth. Once the user is authenticated generate a token with Doorkeeper and send it back to the iPhone app.

If it's the first time the user authenticates against the rails app, a new user will be created.

The user can then do actions against a JSON-api and the rails app will take care of the Facebook integration since the Facebook token is stored on the user record.

The application will also span over several domains so I'll need to have multiple Doorkeeper applications registered to provide different callback uri's.

Does this seem like a viable solution?
Is it secure?
Is there alternative flows / approaches?

Thanks.

Best Answer

The solution I went with is summarized as followed:

Client starts oath flow w/ Facebook (using login button etc)
Client gets auth token and posts back to server
Server looks up user via FB API call w/ token
Server does lookup/create of user based on FB id
User is logged in if a user with FB id association lookup is successful

I have a diagram and more detail here: http://www.eggie5.com/57-ios-rails-oauth-flow

Related Solutions

Ruby-on-rails – Rails: How to rename a database column in a Ruby on Rails migration

rename_column :table, :old_column, :new_column

You'll probably want to create a separate migration to do this. (Rename FixColumnName as you will.):

script/generate migration FixColumnName
# creates  db/migrate/xxxxxxxxxx_fix_column_name.rb

Then edit the migration to do your will:

# db/migrate/xxxxxxxxxx_fix_column_name.rb
class FixColumnName < ActiveRecord::Migration
  def self.up
    rename_column :table_name, :old_column, :new_column
  end

  def self.down
    # rename back if you need or do something else or do nothing
  end
end

For Rails 3.1 use:

While, the up and down methods still apply, Rails 3.1 receives a change method that "knows how to migrate your database and reverse it when the migration is rolled back without the need to write a separate down method".

See "Active Record Migrations" for more information.

rails g migration FixColumnName

class FixColumnName < ActiveRecord::Migration
  def change
    rename_column :table_name, :old_column, :new_column
  end
end

If you happen to have a whole bunch of columns to rename, or something that would have required repeating the table name over and over again:

rename_column :table_name, :old_column1, :new_column1
rename_column :table_name, :old_column2, :new_column2
...

You could use change_table to keep things a little neater:

class FixColumnNames < ActiveRecord::Migration
  def change
    change_table :table_name do |t|
      t.rename :old_column1, :new_column1
      t.rename :old_column2, :new_column2
      ...
    end
  end
end

Then just db:migrate as usual or however you go about your business.

For Rails 4:

While creating a Migration for renaming a column, Rails 4 generates a change method instead of up and down as mentioned in the above section. The generated change method is:

$ > rails g migration ChangeColumnName

which will create a migration file similar to:

class ChangeColumnName < ActiveRecord::Migration
  def change
    rename_column :table_name, :old_column, :new_column
  end
end

Ios – Design for Facebook authentication in an iOS app that also accesses a secured web service

I just dealt with this myself, and here's the part that bit me:

In your step 5... It's possible for a user to register for an account with you entirely separate from their Facebook ID, right? Then some other time they log in with Facebook.... And you just created them a second account and lost their first one.

There needs to be a way to be logged in to your web service, then log in to facebook, and capture the association between the facebook ID and the local account.

Apart from that, your plan sounds solid.

Update: Facebook has added a doc outlining such a scenario HERE

Best Answer

Related Solutions

Ruby-on-rails – Rails: How to rename a database column in a Ruby on Rails migration

Ios – Design for Facebook authentication in an iOS app that also accesses a secured web service

Related Topic