What is the best way to log in to the app via Facebook and log in to a REST (Spring Boot) server?


I'm creating an app with React Native where I log in to Facebook and also keep information about this user, created after login, on a REST server that I developed with Spring Boot.

Since the REST server will not have a password, because the user has already logged in via Facebook, what is the best way to authenticate the calls to the server?

1 answer

6


If you integrate your application's authentication with Facebook, and your application is not a Facebook-specific app, then you use the OAuth protocol.

There is a lot to talk about and study in this protocol, but for now you only need to know the following: when signing in on Facebook - or on Google, Microsoft, Yahoo! etc. - the user obtains an access token for the application that requested authentication. The client application passes this token to the server. The token is valid for a given time and only for the application that requested authentication.

The OAuth flow looks like this (taken from this page):

[Figure: OAuth flow]

Therefore, in order:

1 - The application asks the user to authenticate with an identity provider (in this case, Facebook);
2 - The user says "My body, my body is ready. Redirect me!";

Between step 2 and step 3 the Caralivro authentication screen appears. Somewhere in here the user gets authenticated on Face.

3 - The result of step 2 is that the application receives a token. Your application now presents this token to Facebook;
4 - Facebook confirms that the token it received is the same one it gave to the user. From here on you can consider the user authenticated for real.

If your application is a web app, served via HTTP, you can ignore steps 5 and 6. Otherwise, consider that the resource server is your HTTP server, and "Application" in the diagram is a desktop or mobile application.

With that in place, just check that the user's requests come with the correct token. Other security measures can be used, such as ensuring that tokens are short-lived, validating that a token always comes from the same IP within its lifetime, etc. But those are subjects for other questions.

  • 1

    Perfect, through the facebook service I can check the token. https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxxxxx
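An added example, not from the answer or its author, of the server side of the flow described above: a Spring Boot filter that takes the token the client forwards, confirms it with Facebook's debug_token endpoint and, unlike a bare /me call, also checks that the token was issued to this application. The FB_APP_ID/FB_APP_SECRET environment variables, the filter class and the request attribute name are assumptions.

```java
// Added example (not from the original answer): validates a Facebook access token
// sent as "Authorization: Bearer <token>" before a request reaches a REST controller.
// Assumption: FB_APP_ID and FB_APP_SECRET are provided as environment variables; the
// app access token format "APP_ID|APP_SECRET" is the one documented by Facebook.
// On Spring Boot 2 replace the jakarta.servlet imports with javax.servlet.
import java.io.IOException;
import java.util.Map;
import java.util.Objects;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class FacebookTokenFilter extends OncePerRequestFilter {
    private static final String APP_ID = System.getenv("FB_APP_ID");         // hypothetical config
    private static final String APP_SECRET = System.getenv("FB_APP_SECRET"); // never sent to clients
    private final RestTemplate http = new RestTemplate();

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        String userId = null;
        if (header != null && header.startsWith("Bearer ")) {
            userId = verify(header.substring("Bearer ".length()));
        }
        if (userId == null) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // missing, expired or foreign token
            return;
        }
        req.setAttribute("facebookUserId", userId); // controllers look the local user up by this id
        chain.doFilter(req, res);
    }

    /** Returns the Facebook user id if the token is valid AND was issued for this app, else null. */
    String verify(String userToken) {
        String url = "https://graph.facebook.com/debug_token?input_token={t}&access_token={app}";
        Map<?, ?> body = http.getForObject(url, Map.class, userToken, APP_ID + "|" + APP_SECRET);
        Object d = body == null ? null : body.get("data");
        if (!(d instanceof Map)) return null;
        Map<?, ?> data = (Map<?, ?>) d;
        // A token minted for some other Facebook app is still a real token, so a plain /me
        // call would accept it; comparing app_id is what ties the token to THIS application.
        if (!Boolean.TRUE.equals(data.get("is_valid")) || !Objects.equals(APP_ID, data.get("app_id"))) {
            return null;
        }
        return (String) data.get("user_id");
    }
}
```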
