I am trying to implement Facebook authentication on my app. I noticed my API backend – Loopback has passport integration. I don’t understand what would be the purpose of this?
From what I understand the authentication happens on the client side. And the FB issued token should be passed to the backend for generating a session cookie / token to talk with my app’s API. So the backend should only be validating th FB user token, not actually authenticating the user.
2
Answers
I have managed to implement fb authentication in my app using passport and have a much better understanding than a couple of days ago.
I was under the assumption that since the user has to enter the username and password at some point the authentication had to happen on the client side.
It is still however possible for the server to handle the process. Instead of the client communicating app ids and access tokens with FB or another provider the server can do this on their behalf.
Instead of the user seeing a popup which happens during client side authentication the server redirects the user to facebook (or another provider) and communicates the app id and secret. On successful login facebook communicates a authorization code which is exchangeable for a access_token directly to the app server and redirects the user back to another URL.
Passport makes the above process easy to implement.
To me this method seems more secure since the user never sees your app id or their own fb access_token. Also the token has much longer validity when issued via the server method instead of on the client side(60 days vs few hours).
Passport gives a comprehensive set of strategies support authentication using a username and password. When you are managing multiple social networks login, this sure comes in handy.
What loopback does is, it creates a
UserIdendity
model and connects it to aUserModel
, thereby creating aUser
if he/she doesn’t exist.My View is server side authentication is more reliable than client side. Most social networks recommend server side authentication