iOS app using django and python-social-auth to get facebook oauth2 access token

[Mark Wright]

Hi,

I know questions on how to use django-rest-framework + django-oauth-toolkit + python-social-auth for an api consumed by a mobile app have been asked many times. I've read through many of them and I've read Kevin Brown's great answer to this SO question http://stackoverflow.com/questions/27051209/.... but I still have a question :). 

I'm adding facebook authorization to my iOS app. My api is created with django-rest-framework and uses django-oauth-toolkit's OAuth2Authentication. I don't want to use the iOS facebook SDK to handle the facebook oauth2 dance. I want my django app to be the facebook oauth2 client and get the facebook access token so it can use the facebook client secret during authorization and I can trust the access token I get back from facebook. I have it working but I'm hoping someone is willing to sanity check my implementation:

1. My iOS app opens a SafariViewController at social/login/facebook/

2. python-social-auth handles all the oauth2 authorization and creates/updates and associates the facebook access token with a django user

3. I added a pipeline function to the end of the default pipeline called generate_internal_oauth_tokens that generates the django-oauth-toolkit tokens and adds the access_token.id into the session

4. I set SOCIAL_AUTH_FACEBOOK_LOGIN_REDIRECT_URL = '/social/mobile_redirect/'

5. At the end of the pipeline python-social-auth redirects the browser to the /social/mobile_redirect/ view (which I created.) In that view I check the session for the access_token.id, fetch the access token, and then redirect again to my custom iOS url scheme appending the django-oauth-toolkit tokens to the url query string, e.g., myiosapp://?access_token=<access_token>&refresh_token<refresh_token>

6. My iOS app stores the tokens and uses them to communicate with my api

Does that seem sensible? Are there any security implications? 

I figured this was better than implementing an endpoint that converts a facebook token (received from the iOS app via the iOS facebook SDK) to an internal token because I can verify that the person initiating the request to social/login/facebook knows the facebook credentials.

Cheers,

Mark

[Alex Luis Arias]

Hello Mark, 

Did you ever get a response to this? I'm trying to implement something similar.

Would you be able to share the pipeline code you added? Any help would really be appreciated! 

I like your approach because having the frontend generate the FB token may allow a "fake" front end app to steal users FB login information. 

Alex

[Mark Wright]

Hi,

I didn't get a response but I'm using the approach.

I use JWT for my API tokens and a lib called django-rest-framework-jwt to help integrate JWT into django-rest-framework authentication. Consequently the pipeline function uses django-rest-framework-jwt specific code to generate the token. Here is the bones of the pipeline function:

from rest_framework_jwt.settings import api_settings

def generate_jwt_token(backend, user, response, *args, **kwargs):

    jwt_payload_handler = api_settings.JWT_PAYLOAD_HANDLER

    jwt_encode_handler = api_settings.JWT_ENCODE_HANDLER

    payload = jwt_payload_handler(user)

    access_token = jwt_encode_handler(payload)

    backend.strategy.session_set('access_token', access_token)

Hope that helps.

Regards,

Mark