
I am trying to implement Facebook authentication in my app. I noticed my API backend, Loopback, has Passport integration. I don't understand what the purpose of this would be.

From what I understand, the authentication happens on the client side, and the FB-issued token should be passed to the backend for generating a session cookie/token to talk with my app's API. So the backend should only be validating the FB user token, not actually authenticating the user.

2 Answers


  1. Chosen as BEST ANSWER

    I have managed to implement FB authentication in my app using Passport and have a much better understanding than a couple of days ago.

    I was under the assumption that, since the user has to enter the username and password at some point, the authentication had to happen on the client side.

    It is, however, still possible for the server to handle the process. Instead of the client communicating app ids and access tokens with FB or another provider, the server can do this on its behalf.

    Instead of the user seeing a popup, which happens during client-side authentication, the server redirects the user to Facebook (or another provider) and communicates the app id and secret. On successful login, Facebook communicates an authorization code, which is exchangeable for an access_token, directly to the app server and redirects the user back to another URL.

    Passport makes the above process easy to implement.

    To me this method seems more secure, since the user never sees your app id or their own FB access_token. Also, the token has a much longer validity when issued via the server method instead of on the client side (60 days vs. a few hours).


  2. Passport gives a comprehensive set of strategies that support authentication using a username and password. When you are managing logins for multiple social networks, this sure comes in handy.

    What Loopback does is create a UserIdentity model and connect it to a UserModel, thereby creating a User if he/she doesn't exist.

    My view is that server-side authentication is more reliable than client-side. Most social networks recommend server-side authentication.
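
The UserIdentity-to-User linking step described in the answer above, as an added example that is not LoopBack's own code. In-memory maps stand in for the UserIdentity and User models, and the profile shape, the `IdentityStore` class and its method names are assumptions for this example. The check worth seeing is that the lookup is keyed by provider plus the provider-assigned id, never by the e-mail address in the profile: an e-mail the provider has not verified must not be allowed to attach a fresh social login to an existing local account, or anyone who can register that address at the provider takes the account over.

```javascript
// Added example (not LoopBack's or loopback-component-passport's own code).
// Stand-in for the find-or-create that happens when a provider profile comes back.
class IdentityStore {
  constructor() {
    this.users = new Map();        // userId -> { id, email }            (User model stand-in)
    this.identities = new Map();   // "provider:externalId" -> record    (UserIdentity stand-in)
    this.nextId = 1;
  }

  // Link by (provider, externalId). The profile's email is stored for display
  // only; it is never used to locate or merge into an existing account.
  findOrCreateUser(provider, profile) {
    if (!provider || !profile || typeof profile.id !== "string" || profile.id === "") {
      throw new Error("provider profile without a stable id cannot be linked");
    }
    const key = `${provider}:${profile.id}`;
    const existing = this.identities.get(key);
    if (existing) {
      existing.profile = profile;                      // refresh cached provider data
      return { user: this.users.get(existing.userId), created: false };
    }
    const user = { id: this.nextId++, email: profile.email ?? null };
    this.users.set(user.id, user);
    this.identities.set(key, { userId: user.id, provider, externalId: profile.id, profile });
    return { user, created: true };
  }

  // Explicit, authenticated linking of a second provider to an already
  // logged-in user is the only path that joins two identities to one account.
  linkIdentity(userId, provider, profile) {
    if (!this.users.has(userId)) throw new Error("unknown user");
    const key = `${provider}:${profile.id}`;
    if (this.identities.has(key)) throw new Error("identity already linked");
    this.identities.set(key, { userId, provider, externalId: profile.id, profile });
  }
}

// Constructed sample profiles, as a provider's strategy would hand them over.
function demo() {
  const store = new IdentityStore();
  const alice = store.findOrCreateUser("facebook", { id: "10001", email: "alice@example.com" });
  const aliceAgain = store.findOrCreateUser("facebook", { id: "10001", email: "alice@example.com" });
  // Same e-mail from a different provider id must NOT resolve to Alice's account.
  const impostor = store.findOrCreateUser("facebook", { id: "99999", email: "alice@example.com" });
  return { store, alice, aliceAgain, impostor };
}

module.exports = { IdentityStore, demo };
```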
