So I want to make user login via Facebook

Hi,

Just so I understand a bit better.

So, you would be creating a new user, with username and email for instance (no password), and then associate the client_id from the external provider to that user.

On login, you want to use the client_id from the external provider to access/login the user.

Does that sound about right?

-dev

I don’t even need username and email. For Facebook I pass Id and token, which I can validate on the server side (see https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken )

Username and email can be optional fields to use

Hi,

For sake of discussion, do you need to actually use the manual login flow if you’re using the Facebook plugin?

I’ve been reading through this document https://developers.facebook.com/docs/facebook-login/multiple-providers

-dev

Hi, actually it’s not a full login flow on the server.

I use the Facebook plugin, so the user just clicks the “login using facebook” button. Then I just store some data which is associated with the Facebook account (so when the user logs in on another device he will get his data back).

Validating the token on the API side just guarantees that the request from the client is coming from an authorized user.

Hi,

Do you get any type of permanent Facebook client ID, or is it only the access token?

If you get a permanent id, then we can associate that with a Coronium user record, so you would know that the client is valid.

I could then add another method of logging in the user using email and Facebook ID which you should be able to get back from the FB login.

If your app’s own custom login system uses an email address to uniquely identify each account, you should also ask for the person’s email address (using the email permission) during the Facebook Login flow. Read our guide to requesting permissions to find out how to do this.

Your thoughts?

-dev

Do you get any type of permanent Facebook client ID, or is it only the access token?

I registered an app on https://developers.facebook.com.
Then I used the Facebook plugin to log in on Android and get the userId.
Then I use facebook.getAccessToken() and pass token+id to the API.
Then on the API side I validate the id+token pair (to be as secure as possible):

-- Ask the Graph API to inspect the client's token, authenticating as the app (app id|app secret)
local urlFormat = "https://graph.facebook.com/debug_token?input_token=%s&access_token=%s|%s"
local url = string.format(urlFormat, params.token, FACEBOOK_APP_ID, FACEBOOK_APP_SECRET)
local resp, err = core.network.getJson(url)

It works for now

I could then add another method of logging in the user using email and Facebook ID 

Yes, I can request email permission.

But the guide you linked says that if the user registered on Facebook using a phone number, the email could be empty.

Hi,

Ah, did not catch that about phone number.

Ok, well as long as there is some type of immutable id from Facebook, then I think I can make this work. I’ll be exposing a couple new user module methods on the server-side.

I’ll be using the following fields in an “Oauth” table to associate to the Coronium user:

  • user_id (for relationship)

  • client_id (from FB or Google)

  • access_token (for whatever)

  • provider (FB or Google)

Are there any other fields that you think you would need?

I’ll start working on it now. And then I’ll send you preview build link for server download to test.

-dev

So this would be on the server-side and I can use it in my api? I still don’t want to write multiple client side calls for one operation.

Hi,

Yes, it will be on the server-side. Basically it provides another way to generate a user record, as well as, a “login” that will allow you to still have the Webmin stats.

-dev

Ok, so I’m interested in this (however my custom approach is almost finished)

Hi,

Whatever works best for you. Having an alternative user style while still having statistics is a good thing to have in any case.

-dev

Also I think the OAuth table needs an access_token_expires_at column too (timestamp type).

Edit: wait, how can I work with timestamp in my Lua code? I ended up with a bigint column, because it’s easy to take and compare with os.time()

Hi,

You can create a TIMESTAMP column type and use the core.mysql.timestamp() method: https://develephant.github.io/coronium-core-docs/server/modules/mysql/#timestamp

You can then use normal MySQL queries to work with them. But using os.time() can work too.

-dev

core.mysql.timestamp() gives me the current timestamp?
How can I create a timestamp from some date in UNIX format? (like core.mysql.timestamp(seconds) - this doesn’t work)

Hi,

I’ll add some additional methods, but in Lua:

UTC (which is what you should use for MySQL timestamps):

-- the leading '!' makes os.date format in UTC instead of local time
local d = os.date('!%F %T', 1516633468)
print(d) -- 2018-01-22 15:04:28

-dev

Hi,

Quick question, are the FB access token expiry times in UNIX format by default?

-dev

Yes, the response looks like:

{
  "expires_at": 1352419328,
  "user_id": "1207059",
  // some other fields
}
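The server-side checks behind the debug_token call and the expires_at/user_id fields discussed above, as an added example (not code from the thread or from Coronium Core). It assumes a debug_token body with the fields quoted in the thread wrapped under "data" as the Graph API returns them; the app id and response are constructed sample values, and to_mysql_timestamp reproduces the UTC formatting shown earlier with os.date.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the fields quoted in the thread (app_id is a placeholder).
SAMPLE_DEBUG_TOKEN_RESPONSE = json.dumps({
    "data": {
        "app_id": "123456789012345",
        "is_valid": True,
        "user_id": "1207059",
        "expires_at": 1352419328,
    }
})


def verify_debug_token(response_text, expected_app_id, claimed_user_id, now):
    """Validate a debug_token response against what the client claimed.

    Returns (ok, reason). Every check must pass; a token that is merely
    'valid' is not enough, it must also belong to our app and to the user
    the client says it is, and it must not have expired.
    """
    try:
        body = json.loads(response_text)
    except ValueError:
        return False, "malformed JSON"
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return False, "unexpected shape"
    if "error" in data:
        return False, "graph error reported"
    if data.get("is_valid") is not True:
        return False, "token not valid"
    # A valid token issued to some other app must not log anyone in here.
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token issued for a different app"
    # Bind the request to the user Facebook attached to the token, not the id sent by the client.
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "user_id mismatch"
    expires_at = data.get("expires_at")
    # expires_at is UNIX seconds; compare directly with os.time()-style values (bigint column).
    if not isinstance(expires_at, int) or expires_at <= now:
        return False, "token expired"
    return True, "ok"


def to_mysql_timestamp(seconds):
    """UNIX seconds -> 'YYYY-MM-DD HH:MM:SS' in UTC, for a MySQL TIMESTAMP column."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
```

The stored access_token_expires_at value is the same expires_at integer, so a later request can be refused with the same comparison before any Graph API round trip.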

Hi,

You’ve probably rolled your own solution by now, but the 2.4.0 release has a new Users API and OAuth API.

Take a look at the following links for more information regarding your use case:

https://develephant.github.io/coronium-core-docs/server/modules/users/api/

https://develephant.github.io/coronium-core-docs/server/modules/users/oauth/

https://develephant.github.io/coronium-core-docs/server/modules/users/oauthusers/

-dev

Yes, that’s interesting.

However your example of logging in via Facebook is not complete; token validation is required to make sure that the user is valid.

Validation is just a simple call to the Facebook API; you can see examples of how it was done in Parse server:

https://github.com/parse-community/parse-server/blob/5813fd0bf8350a97d529e5e608e7620b2b65fd0c/src/Adapters/Auth/facebook.js
https://github.com/parse-community/parse-server/blob/5813fd0bf8350a97d529e5e608e7620b2b65fd0c/src/Adapters/Auth/google.js

Interesting that you are also the publisher of the Parse plugin on the Corona marketplace, I didn’t notice it before :)

Hi,

From your previous posts, I assumed you were wanting to check that yourself on the server-side.  ;)  

I will look at deeper integration in the near future.

-dev