How to authenticate a user in an android app that uses Facebook login


4

I’m creating an Android app where the user will have to register to get access to the application content (a login). For this, I use by default the well-known Facebook Login. When the user logs in through the Facebook button, I call my REST service, which registers them in the remote database. That’s where my doubts arise:

  • In my remote database, I currently have the fields username, email and password. Since I’m using Facebook Login (OAuth), what would be the correct/expected/default way to do this?

  • Even using Facebook Login, is it good practice, after a successful Facebook login, to call an Activity for the user to fill in username and password? Does that make sense? Or, since Facebook Login has already done the hard part of authenticating the user, do I just need to have the email field in my database?

I’m a little lost on that and I’d like some guidance from you.

  • 1

    There are 4 votes to close your question as "mostly based on opinions". I disagree, because in my opinion your questions are specific doubts about the behavior of the Facebook API and how to proceed with it. However, I agree that the original wording of the question could be improved, because the way it was, it even invited some readers to answer with opinions, although that is not its purpose. I edited the question to fix this and avoid closing.

2 answers

4


Hello,

[image: diagram of the database model described below]

I’m setting up a database similar to what you want; the only difference is that in my application the user will be able to log in through Facebook, through Google or through my app’s own authentication system, and if the accounts (Facebook, Google, my App) belong to the same owner (detected via email), then they will share a single user in the application. I am modeling the database to support this regardless of how many authentication methods I end up using.

In my case, the same user can have 2 accounts, e.g. Facebook, Google. Or even 3 accounts, e.g. Facebook, Google, My App.

Explaining how it works: each "user" can have one or more "Identity"; an "Identity" is a connection medium used by the user. In the "Identity" table there is the "user_id" column, which points to the user; the "Adapter" column indicates which medium is used (facebook, google, meu_app); and "hash" stores the user ID returned by Facebook or Google when using their APIs. If the access is through your own application’s login system (meu_app), then the hash stores the password the user registered, encrypted with bcrypt in my case.

At login time, you must obtain the access email, either from your application (entered in your login system) or from Facebook or Google, whose APIs return the email as well. So, in the login logic of your REST service, you should check whether this email already exists in the "user" table, because if it does, it means the user already exists, right? In that case you take the ID of this user and check whether there is also an "Identity" for the connection medium being used. To do this, check whether the "Adapter" matches; if it does, check that the "hash" also matches; if it matches, great! It means the user already has an account and has already logged in using that medium. If there is no such "Identity", then you must register it. The same goes if the user does not exist: then you will have to register both the user and the "Identity" itself.

Edit: I talked and talked and I don’t think I answered your main questions. So here goes:

For the first question, I think what I wrote above answers. I put an image too.

For the second question, I see no need to make the user fill in a username and password; in fact it makes no sense, considering that if the user chose to log in through Facebook, it is because they do not want to keep creating usernames and passwords. In addition, this whole login process is done in a secure Facebook environment; the API takes care of all of it, and you only need to take care of storing the user in the DB if the connection is successful. What might be interesting to do is a step to finalize the registration, if you want to know some additional information that is not returned by Facebook.

Any questions or suggestions, I’ll be following!

  • Thanks Yosh. Great explanation and great logic. Your material cleared up a lot of my doubts. Thanks!

  • Any questions regarding the implementation on Android, just ask; I did the Google and Facebook implementation yesterday in an application of my startup, so the idea is fresh in my mind, hehe. I’m glad the answer solved a lot of your doubts. I got a downvote on this answer, and I still don’t know why; my whole implementation was based on a lot of research, several "Best Answers" on the international Stack Overflow, and it is working nicely in my app.

  • Since you gave me this opening, one question I have is about REST authorization. In this case, how do you authenticate the client that consumes the resource (the Android app)? Do you use Basic or Digest? As for the downvote on your answer, I believe someone didn’t understand your idea - if they didn’t understand it at all, since it is very clear and well explained.

  • Actually the correct term would be authorization, right? So that only users registered in my app can consume my web service.

  • Exactly, "authorization" is the correct term for what you want to refer to. I’m not using either Basic or Digest. I’m using token-based authorization. I know developers who did very well (the startup made millions); their application used this authorization method, and it worked (works) very well. I believe that in the simplicity/security trade-off, it stands out.

  • Basic and Digest are easy to implement, but their security is lower; they are older forms of authentication. Digest, which is more secure than Basic, applies an MD5 hash, but this form of encryption can already be broken by brute force (a password-cracking method), especially if it is an easy password. Apart from them, there’s the one I’m using, "token-based authorization". OAuth is also great, but the implementation is very complex. And HMAC, used by Amazon, one of the latest forms of authentication, is complex, maybe not more than OAuth, but is very safe.

  • Hmm, I see. Could you point me to a good tutorial on token-based authorization?

  • Look, I always go after tutorials in English; Stack Overflow is wonderful, but most of the time I only find what I want in English. If that’s okay, here’s the link: http://stackoverflow.com/questions/29147654/how-should-i-implement-token-based-authentication-to-a-set-of-web-Apis-in-a-se

  • Great! Thanks again Yosh

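The login flow Yosh describes in the answer above (look the user up by email, then check for an "Identity" row with a matching adapter and hash, registering whichever of the two is missing) together with the token-based authorization discussed in the comments, written out as an added example. This is not the answerer's code or the question's project; it is a self-contained sketch that uses an in-memory SQLite database as a stand-in for the MySQL/REST backend, and `hashlib.pbkdf2_hmac` from the standard library as a stand-in for the bcrypt hashing the answer mentions. It assumes the server has already validated the Facebook/Google access token with the provider and that `credential` (the provider's user ID) and `email` come from that validation, not from fields the Android client is free to fill in; the table and column names mirror the answer ("user", "Identity", "user_id", "Adapter", "hash"), and the "token" table is assumed.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time

# Constructed schema modelled on the answer's "user" / "Identity" tables,
# plus an assumed "token" table for token-based authorization.
SCHEMA = """
CREATE TABLE user (
    id    INTEGER PRIMARY KEY,
    email TEXT UNIQUE NOT NULL,
    name  TEXT
);
CREATE TABLE identity (
    id      INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES user(id),
    adapter TEXT NOT NULL,            -- 'facebook', 'google' or 'meu_app'
    hash    TEXT NOT NULL,            -- provider user id, or password hash for meu_app
    UNIQUE (user_id, adapter)
);
CREATE TABLE token (
    token      TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL REFERENCES user(id),
    expires_at REAL NOT NULL
);
"""

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of an issued API token


def open_db():
    """In-memory SQLite database standing in for the remote MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def hash_password(password, salt=None):
    """Salted PBKDF2 hash (stand-in for bcrypt); output is 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def find_or_create_user(db, email, name=None):
    """Step 1 of the answer: the email decides whether the user already exists."""
    row = db.execute("SELECT id FROM user WHERE email = ?", (email,)).fetchone()
    if row is not None:
        return row[0]
    cur = db.execute("INSERT INTO user (email, name) VALUES (?, ?)", (email, name))
    return cur.lastrowid


def login(db, adapter, email, credential, name=None):
    """Returns an API token on success, None on a credential mismatch.

    credential is the provider's user id for 'facebook'/'google' (assumed to
    have been obtained by validating the access token server-side) or the
    plaintext password for 'meu_app'.
    """
    user_id = find_or_create_user(db, email, name)
    row = db.execute(
        "SELECT hash FROM identity WHERE user_id = ? AND adapter = ?",
        (user_id, adapter),
    ).fetchone()
    if row is None:
        # Step 2 of the answer: no Identity for this adapter yet, so register one.
        stored = hash_password(credential) if adapter == "meu_app" else credential
        db.execute(
            "INSERT INTO identity (user_id, adapter, hash) VALUES (?, ?, ?)",
            (user_id, adapter, stored),
        )
    else:
        # Step 3: the Identity exists, so the hash must match as well.
        stored = row[0]
        if adapter == "meu_app":
            ok = verify_password(credential, stored)
        else:
            ok = hmac.compare_digest(stored, credential)
        if not ok:
            db.rollback()
            return None
    # Token-based authorization: a random opaque token the app sends back on each call.
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO token (token, user_id, expires_at) VALUES (?, ?, ?)",
        (token, user_id, time.time() + TOKEN_TTL_SECONDS),
    )
    db.commit()
    return token


def authorize(db, token):
    """Resolve a presented token to a user id, or None if unknown or expired."""
    row = db.execute(
        "SELECT user_id, expires_at FROM token WHERE token = ?", (token,)
    ).fetchone()
    if row is None or row[1] < time.time():
        return None
    return row[0]
```

With this model, a second login by the same email through another adapter adds an Identity row rather than a second user, which is the account merging the answer describes; a provider id or password that does not match the stored hash is rejected rather than silently re-registered.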

0

THE BASICS FOR AN IMPLEMENTATION:

1 - Open res/values/strings.xml

2 - Add a new string with the name facebook_app_id and put your id on it.

3 - Open AndroidManifest.xml and add this:

<uses-permission android:name="android.permission.INTERNET"/>

4 - Add a meta-data element to the application:

<application android:label="@string/app_name" ...>
    ...
    <meta-data android:name="com.facebook.sdk.ApplicationId" android:value="@string/facebook_app_id"/>
    ...
</application>

5 - To use Facebook Login or Share, just add FacebookActivity to your manifest:

<activity android:name="com.facebook.FacebookActivity"
          android:configChanges=
                 "keyboard|keyboardHidden|screenLayout|screenSize|orientation"
          android:theme="@android:style/Theme.Translucent.NoTitleBar"
          android:label="@string/app_name" />

ANSWERING YOUR QUESTIONS:

To interact with the MySQL database, we need to build an API first. The job of the API is to take the client’s request, interact with the database and finally give the answer back to the client.

The GET / POST methods interact with the database by inserting / searching data, and finally answer back in JSON format.


Tutorial

Source
