Tags: google-app-engine, go, facebook-login, google-signin, google-identity-toolkit

How to allow mobile apps to login with Facebook and Google to access web service on GAE?


This is in relation to my other question about the need to create a Facebook app.

I've been reading a lot about how to best approach login for mobile app users (iOS and Android) that access my web service running on Google App Engine. I'm still not clear how to best do it, as I would like to offer login with both Google and Facebook. The app and the web service do nothing with Facebook or Google other than that I would like to piggyback on their login.

Having only login with Google for GAE is very easy and the same goes for using OpenIDConnect. Facebook unfortunately does not support this.

Reading an old question here on SO where someone wanted to do the same as I do, it looks like the app should do Facebook Login and then get a token that it passes to my backend, which needs to be validated by contacting Facebook. Is this how to do it today?

I also found Google Identity Toolkit, which seems to be what I need. However, I do not have a website, just apps. I would need to have the apps do the Facebook login and somehow provide my web service with something so it can validate the login info.

Later on, an app user should be able to log in using any of Facebook, Google and my custom username/password. The app and the web service should know the user is logged in and authorize it to access the REST API.

How do I accomplish this? BTW, I'm using Go on GAE.

I would really appreciate it if someone could explain whether there are several options for how to do this, their pros and cons, and provide an overview of the best approach and what needs to be done.

Many thanks for any help with this!

UPDATE

OK, thanks a lot everyone for the help and pointers. I have successfully run the quickstart sample app for iOS against my GAE backend. Basically, I created a Facebook app and permission credentials on my web service on GAE so that the sample iOS app can log in.

A bit of a gap still before I have an authenticated user in the datastore and can authorize successive API calls.

Main open questions at this point:

  1. how to get the gtoken in the iOS app after successful Facebook or Google login?
  2. should I explicitly call an API on my web service to pass in the gtoken or is this somehow automatic with Gitkit API enabled?

Thanks for any help!

UPDATE

To answer #1 and #2 myself, there's a "successful sign-in URL" that can be given in the App Engine config so the app knows where to call with the gtoken. After that it's as explained in the answers.


Solution

  • Looks like you have an app and a backend on GAE. If you are using Google Identity Toolkit, it will allow you to sign in with Facebook, Google, and email/password.

    When a user successfully signs in to your app using Identity Toolkit, your server should receive a gtoken. You have two options here:

    1. Pass the gtoken to your app and save it there. When your app makes API calls to your backend, your app should attach the gtoken to every request. Your backend should verify the gtoken (https://developers.google.com/identity/toolkit/web/required-endpoints) for every API that needs authorization.
    2. Verify the gtoken, then generate a token from which your backend can recognize/identify the user. Pass that token to your app, and everything else is the same as option 1.

    If you do not want to use Identity Toolkit, you can implement Facebook login on your app/backend and use the Facebook token to communicate between your app and backend.

    Whatever your decision is, apps that use your API should pass you something from which your backend can recognize/authorize the user.
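An added example of option 2 in Go, the asker's language (this is not code from the answer or from the Identity Toolkit library): once the gtoken has been verified at the successful sign-in URL, the backend mints its own HMAC-signed session token, and a middleware checks it on every API call. The gtoken verification itself is left to the Identity Toolkit server-side library and is not shown; `Session`, `Mint`, `Validate` and `RequireSession` are names chosen here, and the secret would be loaded from configuration rather than hard-coded.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Session mints/checks backend tokens: "<base64url userID>.<unix expiry>.<base64url HMAC-SHA256>".
type Session struct{ Secret []byte } // assumption: a server-side secret, not shared with the app

func (s Session) sign(payload string) string {
	mac := hmac.New(sha256.New, s.Secret)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
// Mint is called after the gtoken has been verified; the app stores and attaches the result.
func (s Session) Mint(userID string, exp time.Time) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(userID)) + "." + strconv.FormatInt(exp.Unix(), 10)
	return payload + "." + s.sign(payload)
}
// Validate checks the signature in constant time and the expiry, returning the user ID.
func (s Session) Validate(tok string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(s.sign(p[0]+"."+p[1])), []byte(p[2])) {
		return "", errors.New("malformed token or bad signature")
	}
	exp, err := strconv.ParseInt(p[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", errors.New("token expired")
	}
	uid, err := base64.RawURLEncoding.DecodeString(p[0])
	return string(uid), err
}
// RequireSession guards an API handler: the request must carry
// "Authorization: Bearer <session token>" or it is rejected with 401.
func RequireSession(s Session, next func(w http.ResponseWriter, r *http.Request, uid string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		uid, err := s.Validate(strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer "), time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r, uid)
	}
}
```

Option 1 is the same middleware with `Validate` replaced by a call to the Identity Toolkit verifier for the gtoken on every request.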