I'm working on the backend of a mobile app, building a RESTful API using ASP.NET MVC 4 Web API. The app runs on iOS and Android. Users are allowed to log in with a Facebook account, and when logged in, they are able to use the whole functionality.
I don't have experience with mobile apps, so this is more of a design question: which of the 2 scenarios (or maybe a third one?) seems like the better design as to who should be responsible for Facebook authentication:
- The mobile client is responsible. Without accessing the backend, it speaks directly to Facebook, allowing the user to enter credentials, and when it gets a token from Facebook, it hits the backend for the first time, passing the token in every request.
- The backend API is responsible. The mobile client tries to access a resource on it. The backend gets no authentication token from the client, so it redirects to the Facebook login. The user enters credentials and Facebook replies to the backend, passing the token. Then the backend is willing to answer the client with the response for the desired resource.
Of course, the 2nd scenario means the backend should use a package like DotNetOpenAuth to handle OAuth, while in the 1st scenario these things happen in the mobile client.
I think the first approach is more correct as it emulates the stateless nature of HTTP better (it is equivalent to the traditional HTTP auth method, basic auth). Send the Facebook OAuth token to the Web API on every call. Otherwise, the server needs to keep state somehow for the authenticated user using a mechanism like cookies for example, which is not correct in the first place. Use server-side authentication when the server needs to consume other services that require authentication, which is not the case here.