Register users in mobile platforms


Fernando Arconada

Jul 8, 2014, 10:47:06 AM7/8/14
to resting-wi...@googlegroups.com
Hi

This question is not REST specific. 
Having a REST backend and a Phonegap app, how do you register your mobile users?
a) Register via API, uhmmm is it secure? It could be dangerous if it's scriptable
b) HWI bundle to be able to log in with Facebook, Gmail.... but how does the app know your credentials? OAUTH? is my OAUTH Server necessary? and with WSSE?

What's your best practice?


cheers

Michał Pipa

Jul 8, 2014, 12:01:53 PM7/8/14
to Fernando Arconada, resting-wi...@googlegroups.com
On Tue, Jul 8, 2014 at 4:47 PM, Fernando Arconada
<fernando...@gmail.com> wrote:
> Having a REST backend and Phonegap app, how do you use to register your
> mobile users?
> a) Register via API, uhmmm is it secure? It could be dangerous if it's
> scriptable


I use OAuth in this case. First you have to create a user. So make a
POST request to "/users" and use the OAuth client credentials grant type.
It is secure, because you need client credentials.

Now that your user is created, you can generate an access token using
the resource owner password credentials grant type, and you receive an
access token as a result. You can use this type of grant because you
own your mobile app, so it is trusted.

Now you have access token and you can make API requests.


> b) HWI bundle to able to login with Facebook, Gmail.... but how the app
> knows your credentials? OAUTH? is my OAUTH Server necessary? and with WSSE?


My approach:

First you have to register the user. So you generate an OAuth access token on
the mobile app and send it to your API. Because the user is not created yet,
use the client credentials grant type. On the API side use this token to fetch
user credentials from the third-party service (Facebook, LinkedIn, etc.)
and create the user in your database using these credentials (a facebook_id
user property, for example).

When you want to log in, you have to generate an access token in your
OAuth server. So first generate a third-party access token on the mobile app
("Log in with Facebook") and then use it to generate an access token in
your OAuth server. So on the API side use the third-party access token again
to fetch user credentials from the third-party service and then find the user
with those credentials in your database. If they match, then you've
found your user and you can generate an access token for him. This is not
possible in FOSOAuthServerBundle, so I've created my own controller
which does this.

If you have an existing user and you want to be able to log in with
third-party credentials, again generate a third-party access token on
mobile ("Connect with Facebook") and add the third-party credentials to
your user (a facebook_id property, for example). You will be able to log
in using the same flow as above.
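The API side of the flow described in this reply, as an added illustration in Python rather than the author's Symfony/FOSOAuthServerBundle controller: registration is gated by client credentials, login exchanges a third-party token for the API's own token after resolving it against the provider and matching facebook_id, and both refuse tokens the provider does not recognise. The provider (`fetch_third_party_profile`), the client id/secret and the profile data are constructed stand-ins, not real endpoints or values.

```python
import hmac
import secrets

# Constructed stand-in for the third-party identity provider's "/me" lookup:
# provider access token -> profile, or None when the provider rejects the token.
THIRD_PARTY_TOKENS = {
    "fb-token-alice": {"id": "fb-1001", "email": "alice@example.test"},
}

def fetch_third_party_profile(token):
    """API-side call to the provider with the token the app obtained (simulated)."""
    return THIRD_PARTY_TOKENS.get(token)

class ApiServer:
    def __init__(self, client_id, client_secret):
        # Note: a secret shipped inside a mobile app can be extracted, as the
        # thread points out; it limits casual scripting, not a determined client.
        self.client_id, self.client_secret = client_id, client_secret
        self.users = {}          # facebook_id -> user record
        self.access_tokens = {}  # our own access token -> facebook_id

    def client_credentials_ok(self, client_id, client_secret):
        return client_id == self.client_id and hmac.compare_digest(
            client_secret.encode(), self.client_secret.encode())

    def register(self, client_id, client_secret, third_party_token):
        """POST /users: no user exists yet, so only client credentials authorise it."""
        if not self.client_credentials_ok(client_id, client_secret):
            return None
        profile = fetch_third_party_profile(third_party_token)
        if profile is None:
            return None                      # provider did not vouch for this token
        user = {"facebook_id": profile["id"], "email": profile["email"]}
        self.users[profile["id"]] = user
        return user

    def login(self, third_party_token):
        """'Log in with Facebook': provider token in, API's own access token out."""
        profile = fetch_third_party_profile(third_party_token)
        if profile is None or profile["id"] not in self.users:
            return None                      # unknown token or unregistered user
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = profile["id"]
        return token

    def whoami(self, access_token):
        """Resolve one of our access tokens back to the user for API requests."""
        fid = self.access_tokens.get(access_token)
        return self.users.get(fid) if fid else None
```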

Stepan Anchugov

Jul 8, 2014, 12:08:01 PM7/8/14
to resting-wi...@googlegroups.com
Registering via API does not seem like anything bad to me: it's exactly the same signup process as on the web. The same data (username/email and password) is passed, the same data is returned. The only difference is the transport and/or encoding.

What do you mean by "scriptable" then?

Michał Pipa

Jul 8, 2014, 2:41:37 PM7/8/14
to resting-wi...@googlegroups.com
On Tue, Jul 8, 2014 at 6:08 PM, Stepan Anchugov <kix...@gmail.com> wrote:
> What do you mean by "scriptable" then?

As I understand it, it is easy to create a script that creates users
automatically. On the web you solve this problem with a captcha. On a web
API you use client credentials.

Fernando Arconada

Jul 8, 2014, 3:21:34 PM7/8/14
to resting-wi...@googlegroups.com, fernando...@gmail.com
You can't trust your mobile app for the same reason that you can't trust the browser.
If you have a secret API key in the phone it could be revealed.

Fernando Arconada

Jul 8, 2014, 3:34:36 PM7/8/14
to resting-wi...@googlegroups.com
My approach

HWI bundle -> login with Facebook, Gmail etc. with an inAppBrowser --> create the user and generate a random password -> redirect to a page that displays the user profile (including the password) as JSON -> then the app has the password and can use it with WSSE

with this:
a) I don't need an OAuth server because I only need authentication
b) WSSE is a very simple way
c) the app only knows the user data, you don't need an API key
d) totally stateless
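The WSSE half of this approach, as an added Python illustration (not the author's Symfony code): the app builds the X-WSSE header from the password it received in the profile JSON, and the API verifies it with no session state beyond a nonce cache. The digest construction follows Symfony's WSSE cookbook (base64 of SHA-1 over decoded nonce, Created timestamp and password); the timestamp window, the in-memory password store and the usernames are assumptions for the example.

```python
import base64
import calendar
import hashlib
import hmac
import os
import re
import time

WINDOW = 300  # seconds a Created timestamp is accepted (assumed 5-minute window)

def iso_utc(ts):
    """Format a Unix time as the Created timestamp the header carries."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))

def wsse_header(username, password, nonce=None, created=None):
    """App side: build the X-WSSE value; a fresh nonce per request prevents replay."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or iso_utc(time.time())
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return 'UsernameToken Username="%s", PasswordDigest="%s", Nonce="%s", Created="%s"' % (
        username, base64.b64encode(digest).decode(), base64.b64encode(nonce).decode(), created)

class WsseVerifier:
    """API side: stateless apart from the nonce cache that rejects replayed headers."""
    def __init__(self, passwords, now=time.time):
        self.passwords = passwords  # username -> password (constructed in-memory store)
        self.seen_nonces = {}       # nonce bytes -> time first seen; expire after WINDOW in production
        self.now = now

    def verify(self, header):
        fields = dict(re.findall(r'(\w+)="([^"]*)"', header))
        try:
            nonce = base64.b64decode(fields["Nonce"], validate=True)
            created = fields["Created"]
            ts = calendar.timegm(time.strptime(created, "%Y-%m-%dT%H:%M:%SZ"))
        except (KeyError, ValueError):
            return False                      # malformed header
        if abs(self.now() - ts) > WINDOW or nonce in self.seen_nonces:
            return False                      # stale timestamp or replayed nonce
        password = self.passwords.get(fields.get("Username"))
        if password is None:
            return False
        expected = base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest())
        if not hmac.compare_digest(expected, fields.get("PasswordDigest", "").encode()):
            return False                      # digest does not match the stored password
        self.seen_nonces[nonce] = self.now()
        return True
```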

Michał Pipa

Jul 8, 2014, 6:21:32 PM7/8/14
to resting-wi...@googlegroups.com
On Tue, Jul 8, 2014 at 9:21 PM, Fernando Arconada
<fernando...@gmail.com> wrote:
> You cant trust your mobile app for the same reason that you cant trust in
> the browser.
> If you have a secret API key in the phone it could be revealed

Yes, it could be revealed.

But, what I meant is that the user can trust that the mobile app won't steal
his password.

