When the resource owner (user) is authenticated, the userId (and other related data) is returned in the response, together with the access token. Now I'm using local userId.ġ) When the user wants to log in using a third party access such as Facebook or Google, then the client requests an access token with Javascript to the auth server of this party. If a user would have multiple third party accounts, and each account uses a different email address, then the email address is not a valid identifier. Please note that I am creating a Javascript application using Backbone.Įdit: I changed the workflow for the login. How can I safely store a token in my back end, after the user The problem however, is that the back end cannot check if the token received from the client is a valid Facebook access token (this is a Javascript client application, heavily relying on Ajax for all server communication).Įven though I can write Javascript to only send the access token to the back end on successful authentication with the FB server, this process is not reliable as the Javascript is not protected. This way, every RESTful request to the back end could be checked against this token.
So I thought about using the access token that I receive from Facebook to store it in my back end, if the user wants to log in using Facebook. What happens is that when using the standard login on my website (email + password), this token gets generated on the server by my own application and is then sent to the front end where it is stored (all transactions happen over https). The problem I have is that I want to implement a RESTful back end, where the user needs to authenticate on every request for accessing a back end resource, using a server generated token. When implementing Facebook login using oAuth2 (the Javascript version), I receive an access token back from the Facebook auth server.
0 kommentar(er)
