
The only login option in my Android application is login via Facebook. I would like to use a web service (ASMX), and on each request the server must validate that the user is authenticated via Facebook. I found a solution:

1) Authenticate user to Facebook from Android application

2) Get the FB auth token to the android app

3) Forward the authentication token & facebook UID from Android to web server

4) On web server, make Facebook API call with the submitted token.

If the Facebook API call from the web server returns valid authentication, and the user id is equal to the one submitted by the Android application, your server can trust the id (& you can be sure that the Android authentication is real).

Link

My questions are:

  1. Do I have to send the Facebook user id and token each time I send a request to the web service? Or use a cookie (if that is possible)?
  2. Do I have to register the web service as a Facebook application? I found this: C# Facebook SDK Getting Started

1 Answer


Your solution looks good. Actually, the only thing the Android client needs to pass to the web service is the authentication token. With that authentication token you can do anything, of course within the permissions the user granted. So, the Android client must ask the user for the permissions your web service will use.

For your 2 questions:

  1. No. You should send the FB authentication token one time only. Once the web server can retrieve the user's info from FB, you can save this info to the DB (within a simple User model) and then create a session with your own authentication engine (cookies, API token, etc.).

  2. No. You don't need to register the web service as a FB app. As I mentioned above, with the FB authentication token you can do many things. You can also see the Facebook Graph API.
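The server-side part of the flow above (step 4 of the question and point 1 of the answer: validate the forwarded token once, compare the user id, then issue your own session), as an added example that is not part of the question or the answer. It is written in Python rather than as an ASMX service so the validation logic is easy to read and to run offline; the real endpoint it calls is the Graph API's `/debug_token`, which reports the `user_id` the token belongs to and the `app_id` it was issued for, so the server can also reject tokens minted for some other Facebook app (a check the `/me` call alone does not give you). It assumes the Android app's own app id and app secret are available to the server; `SAMPLE_DEBUG_RESPONSE`, `fake_graph` and the in-memory `SESSIONS` store are constructed for the example.

```python
import json
import secrets
from urllib.parse import urlencode
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"

def graph_get(path, params):
    """Real HTTPS call to the Graph API (replaced by fake_graph when run offline)."""
    with urlopen(f"{GRAPH}{path}?{urlencode(params)}") as resp:
        return json.load(resp)

def verify_facebook_login(user_token, claimed_uid, app_id, app_token, fetch=graph_get):
    """Return the Facebook user id the token really belongs to, or None if it must be rejected.

    app_token is the app access token ("<app_id>|<app_secret>") of your own Facebook app.
    """
    info = fetch("/debug_token", {"input_token": user_token, "access_token": app_token})
    data = info.get("data", {})
    if not data.get("is_valid"):
        return None                                  # expired, revoked or garbage token
    if str(data.get("app_id")) != str(app_id):
        return None                                  # token was issued for a different app
    if str(data.get("user_id")) != str(claimed_uid):
        return None                                  # client claims an id the token does not carry
    return str(data["user_id"])

SESSIONS = {}  # constructed in-memory session store; a real service would use its DB

def login(user_token, claimed_uid, app_id, app_token, fetch=graph_get):
    """Exchange a Facebook token once for a server-issued session id (None on failure)."""
    uid = verify_facebook_login(user_token, claimed_uid, app_id, app_token, fetch)
    if uid is None:
        return None
    session_id = secrets.token_urlsafe(32)           # the client sends only this from now on
    SESSIONS[session_id] = uid
    return session_id

def user_for_session(session_id):
    """Resolve a session id presented on a later request back to the Facebook user id."""
    return SESSIONS.get(session_id)

# Constructed /debug_token reply, shaped like the real one, for running offline.
SAMPLE_DEBUG_RESPONSE = {"data": {"is_valid": True, "app_id": "123", "user_id": "42"}}

def fake_graph(path, params):
    return SAMPLE_DEBUG_RESPONSE

if __name__ == "__main__":
    sid = login("user-token", "42", "123", "123|app-secret", fetch=fake_graph)
    print("session:", sid, "-> user", user_for_session(sid))
    print("mismatched uid accepted?", login("user-token", "43", "123", "123|app-secret", fetch=fake_graph) is not None)
```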