Mobile app version of vmapp.org
Login or Join
Cofer257

: Requiring authorisation on multiple devices In creating a sort of "remote control" site, I'm wondering what the best way for authorisation is going to be. The simplest example would be: User

@Cofer257

Posted in: #Authentication #Mobile #Openid #WebServices

In creating a sort of "remote control" site, I'm wondering what the best way for authorisation is going to be.

The simplest example would be: User logs in on desktop - page 1 is displayed (controlled from mobile / page 2) User logs in on mobile - page 2 is displayed and controls page 1.

My initial thought is to use OAuth, as this saves me time in setting up the security side of things. I'm just wondering if there is going to be a conflict in the auth token being used twice.

Eventually the site will be moved to an app form, but I would like to get the site up first as a sort of test case.

Is this possible? Or is the mobile version going to have to be an app right out of the gate?

Any and all help is greatly appreciated. Thanks.

10.01% popularity Vote Up Vote Down


Login to follow query

More posts by @Cofer257

1 Comments

Sorted by latest first Latest Oldest Best

 

@Megan663

If you implement Oauth, you can't use authorization tokens twice.

The correct way to implement it would be to have the person log in using Oauth from each device. Each time they log in they would get a different set of authorization tokens. Then the Oauth server would give you a user id that you can store in your database to link the two device sessions together. That Id would be the same both times.

Here is how Oauth login might work using Facebook:


Create an "app" on Facebook which will give you a client id and client secret: developers.facebook.com/ Redirect the user to this url: www.facebook.com/dialog/oauth?client_id=MY_CLIENT_ID_FROM_FB&response_type=code&state=RANDOM_STRING_GENERATED_BY_ME&scope=public_profile,email&redirect_uri=http://mysite.example.com/login.php Facebook verifies the user and redirects them to: mysite.example.com/login.php?code=RANDOM_STRING_GENERATED_BY_FACEBOOK Your server requests this URL from Facebook: graph.facebook.com/oauth/access_token?code=RANDOM_STRING_GENERATED_BY_FACEBOOK&client_id=MY_CLIENT_ID_FROM_FB&client_secret=MY_CLIENT_SECRET_FROM_FB&redirect_uri=http://mysite.example.com/login.php&grant_type=authorization_code Facebook will send a response in name value format that contains an access_token and a state which you should verify is the same random string that you sent earlier.
Your server requests this URL from Facebook: graph.facebook.com/me?access_token=ACCESS_TOKEN_FROM_FB Facebook will send a response encoded in JSON that contains information about the user including their email address and their facebook id.


When the user logs in from on a device, these steps need to be performed for that login. Then you have a Facebook id with which you can link the device sessions.

You could choose a different Oauth provider and the steps would be similar.

10% popularity Vote Up Vote Down


Back to top | Use Dark Theme