
I am looking to integrate logging users in using Facebook's authentication. I have my app protected by OpenAM and the users are already registered there. I have my own login page and would not like to move this to OpenAM; I want to retain it in my app. As of now, I am using REST calls to authenticate users in OpenAM. Now, I want to integrate login using Facebook. My idea of implementation is as follows:

  1. User logs in using original credentials and is authenticated in OpenAM.
  2. User is asked to associate his/her Facebook account with the OpenAM account.
  3. User authenticates his/her Facebook account (https://www.facebook.com/dialog/oauth?app_id={app-id-as-created-in-fb-developers-console}&redirect_uri={my-rest-service}).
  4. This will return the code, and that can be used to recheck against Facebook to ensure that the user was authenticated against my app and this is not a hacker intervention (http://graph.facebook.com/debug_token?%20input_token={code-returned-from-facebook}&access_token={my-app's-access-token}). The response will contain the app ID, which can be verified against my app's ID. On success, I shall call OpenAM to associate the user in OpenAM with his/her Facebook credentials (not sure what to use here).
  5. Next, whenever the user wants to log in, he/she can use Facebook login, wherein the redirect URL would be my REST service; the code returned from Facebook can be rechecked with Facebook and then OpenAM will be called to authenticate.

My queries:

  1. I am not sure if this approach is feasible.
  2. How do I pair an existing user in OpenAM with the Facebook account?
  3. How do I authenticate the user in OpenAM after Facebook login, with the userID?
  4. Is the Facebook userID (numeric, returned from the Facebook Graph API in the JSON response) unique and permanent?
  5. I would also want to give the users an option to de-associate the existing Facebook account and associate a new one; how do I do this?

Apologies for asking too many questions, but I am new to OpenAM and OAuth and keen on following the approach I have mentioned above. Thank you.


1 Answer


As an aside, it will probably be much easier in the future if you delegate all of the login to OpenAM, and let it deal with local login and social. This will make it really easy to add more social providers.

If you want to keep your current architecture, you can create a new authentication chain in OpenAM that just has social (Facebook) login. You should be able to redirect the user to that chain. Once the social login process is complete, you can have OpenAM redirect back to your application page.

To link local and social login you are going to have to offer some kind of account claiming in your application. After they do a social login you could ask them to link their local account by providing the username and password. You can call OpenAM's REST API to validate the credentials.

This kind of linking can be confusing for users, so sometimes it is better to treat them as separate accounts, or have a migration process for the user to migrate to social only.
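As an added example (not code from the question, the answer, OpenAM or Facebook), here is the server-side check and the linking bookkeeping the question sketches: a debug_token response is only trusted after its app_id matches your own app and the token is valid and unexpired, and the Facebook user_id is then mapped one-to-one to a local OpenAM account so that linking, lookup at login and de-association all go through one place. The in-memory store and the sample responses are constructed for the example; in OpenAM the mapping would live in a user profile attribute, and the HTTP call to debug_token is left to the caller.

```python
import time

class TokenVerificationError(Exception):
    """Raised when a debug_token response must not be trusted."""

def verify_debug_token_response(payload, expected_app_id, now=None):
    """Validate the parsed JSON from Facebook's debug_token endpoint.

    Returns the Facebook user_id as a string, or raises. The app_id check is
    the one that stops a token issued to some other app from logging a user in.
    """
    data = payload.get("data")
    if not isinstance(data, dict) or data.get("error"):
        raise TokenVerificationError("malformed or error response from debug_token")
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenVerificationError("token was issued for a different app")
    if not data.get("is_valid"):
        raise TokenVerificationError("token is not valid")
    now = time.time() if now is None else now
    expires_at = data.get("expires_at") or 0  # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        raise TokenVerificationError("token has expired")
    user_id = data.get("user_id")
    if not user_id:
        raise TokenVerificationError("response carries no user_id")
    return str(user_id)

class LinkStore:
    """Constructed stand-in for the per-user attribute holding the linked Facebook ID."""
    def __init__(self):
        self._fb_by_uid = {}  # OpenAM uid -> Facebook user_id

    def owner_of(self, fb_user_id):
        """Return the OpenAM uid linked to this Facebook account, or None."""
        return next((u for u, fb in self._fb_by_uid.items() if fb == fb_user_id), None)

    def link(self, openam_uid, fb_user_id):
        """Associate a Facebook account with a local account (step 4 of the question).
        A Facebook ID may be linked to at most one local account; re-linking the
        same pair is a no-op, so step 5 (de-associate, then link a new one) works."""
        owner = self.owner_of(fb_user_id)
        if owner is not None and owner != openam_uid:
            raise ValueError("Facebook account is already linked to another user")
        self._fb_by_uid[openam_uid] = fb_user_id

    def unlink(self, openam_uid):
        """De-associate whatever Facebook account the local user has linked."""
        return self._fb_by_uid.pop(openam_uid, None)

def resolve_login(store, payload, expected_app_id, now=None):
    """Facebook login path (step 5): verify the token, then map to the local uid or None."""
    return store.owner_of(verify_debug_token_response(payload, expected_app_id, now))
```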