We have a website which uses social networks for logging in. Now we are building a mobile app for it. The question is: how can we perform secure login on the server side?
Now logging in on the mobile app is implemented. We receive uuid and auth_token on mobile; now we need to perform authentication of the user on the server. We can't just use uuid because it is insecure, and we can't use auth_token because it changes over time.
Googling only brings me to such things as "open a webview and perform login", which, I think, is a bad design, because the user can't use system accounts and has to enter credentials for those networks where he is logged in already.
I am really confused. What would you recommend I do?
So, I found the solution by myself.

To perform this, follow 3 steps:

1) Send auth_token and uid from the mobile application to the web server.
2) Perform a request to the social network, asking for the uid of the user with that auth_token (for example, it will be the /user/me request for Facebook).
3) Check that the uid returned from the network equals the uid sent from mobile.

The third step is optional: the first two steps are enough to check that the user with this token really exists.

When you implement it, make sure that you send requests from mobile to server using https, because in this case it will be secure and you won't be banned by social networks ;)
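The three steps above as a server-side check, written as an added example (not code from the question or the answer), in Python: the provider URL, the app id and the `app_id` response field are assumptions, and the network call is replaced by a constructed stand-in so it runs offline. It goes one step beyond the answer by also refusing tokens the provider reports as issued to a different app.

```python
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed values: the real "me" endpoint and app id are provider-specific.
PROVIDER_ME_URL = "https://social.example.invalid/me"
OUR_APP_ID = "our-app-id-placeholder"


def fetch_me(auth_token, opener=urlopen):
    """Step 2: ask the social network who owns auth_token.
    Returns the provider's JSON as a dict, or None if the token is rejected."""
    req = Request(PROVIDER_ME_URL,
                  headers={"Authorization": "Bearer " + auth_token})
    try:
        with opener(req, timeout=5) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except (HTTPError, ValueError):
        return None


def verify_login(claimed_uid, auth_token, fetch=fetch_me):
    """Check a (uid, auth_token) pair received from the app over HTTPS (step 1).
    Returns the verified uid, or None if the login must be refused."""
    if not claimed_uid or not auth_token:
        return None
    profile = fetch(auth_token)
    if not profile or "id" not in profile:
        return None  # the provider does not recognise this token
    # Assumed field name: if the provider reports which app the token was
    # issued to, refuse tokens that belong to some other app.
    if "app_id" in profile and profile["app_id"] != OUR_APP_ID:
        return None
    if str(profile["id"]) != str(claimed_uid):
        return None  # step 3: uid claimed by the client does not match
    return str(profile["id"])


# Constructed stand-in for the network so the example runs offline: maps a
# token to the profile the provider would return (missing token = rejected).
FAKE_PROVIDER = {
    "tok-alice": {"id": "1001", "app_id": OUR_APP_ID},
    "tok-other-app": {"id": "1002", "app_id": "someone-elses-app"},
}


def fake_fetch(auth_token):
    return FAKE_PROVIDER.get(auth_token)
```

In production, replace `fake_fetch` with the default `fetch_me` and the assumed URL with the provider's real "me" endpoint.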