Monday, 15 March 2010

node.js - The "right" way to do oAuth from a mobile client -

I'm building a cross-platform mobile application (using Xamarin tools, MonoTouch / MonoDroid). I'm trying to work through the authentication workflow and am running into a stumbling block. I have searched for a clear reply and have yet to find one.

Here is an overview of my current setup.

I have a web site built in Node.js. I use passport.js for OAuth login on the web site. It works great; users can log in to the site using Twitter or Facebook.

Now I want to extend the same login functionality to mobile clients.

I see two options:

1. Embed the app id and app secrets in the mobile clients and make direct OAuth calls to FB or Twitter from the mobile app.

2. Proxy the OAuth calls through the existing Node.js web server (keeping the secret keys on the server).

Option 2 appears to be the preferred way (as it avoids having to "ship" the secret in the mobile apps).

I have the proxy approach working.

I open a webview in the mobile client and point it at http://mysever/auth/twitter. This runs through the existing passport.js code and redirects the mobile webview to the Twitter login page. The user enters their creds on the Twitter web page on the device. Twitter calls the OAuth callback URL (which is the Node.js web server). My server and Twitter handle the 4th handshake of obtaining the user profile info (as I understand it, this is the key to the approach: the server and Twitter handle the handshake, and the mobile client doesn't have or pass tokens during the process).

Here is the problem:

It is the last step that stumps me. Once the handshake is finished on the server, I have the user info I need on the server, and I need to send it to the mobile client application.

I can't figure out a way in the webview control to grab the response object, or to grab a cookie or a header value (for instance) (this seems true for both Android and iOS). I don't think it is platform specific. I think what I am trying to do is something the webview widgets in the mobile platforms don't support. That makes me think I am missing something obvious.

The one thing I have figured out is to have the web server "redirect" the mobile client browser to a fake URL that has the user info in the query string: myapp://info?userid=1234

Then in the mobile app I can hijack the URL loading, grab the URL, and get the info I need. I can stash the user info, close the webview control, and move on to a native screen in the mobile application, and use the user info in subsequent REST calls to the Node.js server as a means of identifying the user.

This is massively kludgy for multiple reasons, the biggest being that the URL is sent over the wire unencrypted and has the info in plain text.

Is there a better way to get the info from the web server to the mobile client?

Or am I doing this wrong?

The straightforward way to implement OAuth with Xamarin, for both iOS and Android, is using Xamarin.Auth. The starter documentation for the client is here. I think it should keep things secure and you should not have to worry about having to use the node server proxy.

You do need to provide the application id as part of the calls, but I don't think there are many, or any, security issues to worry about there.

I know this is going against what you have already implemented, but maybe it will help simplify things a bit.

node.js oauth monotouch monodroid passport.js
