zappee - 11 months ago
Java Question

RESTful webservice with auth for mobile application

I have developed many stateless RESTful webservices for a mobile application in Java and they are working very well.

For example:



Now, I have to extend these services because I have to send different data back to the mobile for every user. So I need to know on the server side which user tries to get or set information. And I have to prevent serving unauthorized users.

There are two different ways a user can log in to the mobile application:


  1. log in with a Facebook account

  2. log in with an application account



I need to develop two login services and a logout service because the users who use the mobile application have to log in to the application.

I read lots of articles about auth, RESTful and OAuth.
I think I have to develop two login services with two input parameters: username and password.

For example:


  • localLogin(String username, String password) -> token

  • facebookLogin(String username, String password) -> token



These login services have to generate the same kind of token and send it back to the mobile application in the HTTP header. After the login process the mobile client has a token, and the client has to send this token to the server when it makes a RESTful server call.

What do you think? Is my idea good?

If it is, could you help me with how I can start to develop this in Java?

If it is not, could you tell me the right way?

Answer Source

You do not need two login procedures. Just use the Facebook SDK!!

i) In your app there would be a "Login with Facebook" button.

ii) The user clicks on it and is then redirected to the Facebook login page, where the user enters his credentials and Facebook returns a token to you. You do not have to worry about the user's Facebook credentials or storing them anywhere! Facebook will handle that for you. Consider the FB login part as a black box to your app - you simply make an FB SDK login call and it will do some processing and give back an access token to your app.

iii) Now, you can exchange the access token for the user's profile information. Enter this profile info into your database - that will ensure an authenticated call.

Once you have verified that the user is logged on you can do whatever you want.
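What step iii) could look like on the server side in Java, as an added example that is not part of the answer above: the server does not trust the token the app sends until Facebook's debug_token endpoint confirms it is valid and was issued for this app, and only then issues its own random session token that later REST calls present. Class and method names are hypothetical; APP_ID and APP_SECRET are placeholders for your own app's values.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

public class FacebookLoginService {
    // Placeholders: the app access token used to call debug_token is "APP_ID|APP_SECRET".
    private static final String APP_ID = "YOUR_APP_ID";
    private static final String APP_SECRET = "YOUR_APP_SECRET";
    private static final Pattern USER_ID = Pattern.compile("\"user_id\"\\s*:\\s*\"(\\d+)\"");
    private final HttpClient http = HttpClient.newHttpClient();
    private final SecureRandom random = new SecureRandom();
    // session token -> Facebook user id (in-memory here; use a store with expiry in production)
    private final Map<String, String> sessions = new ConcurrentHashMap<>();

    /** Asks Facebook whether the token is valid and was issued for THIS app; returns the FB user id. */
    String verifyFacebookToken(String userToken) throws Exception {
        String url = "https://graph.facebook.com/debug_token?input_token="
                + URLEncoder.encode(userToken, StandardCharsets.UTF_8)
                + "&access_token=" + APP_ID + "|" + APP_SECRET;
        HttpResponse<String> resp = http.send(
                HttpRequest.newBuilder(URI.create(url)).GET().build(), HttpResponse.BodyHandlers.ofString());
        String body = resp.body();
        // Minimal string checks on the JSON reply; a real JSON parser is better in production.
        boolean ok = resp.statusCode() == 200 && body.contains("\"is_valid\":true")
                && body.contains("\"app_id\":\"" + APP_ID + "\"");
        var m = USER_ID.matcher(body);
        return (ok && m.find()) ? m.group(1) : null;
    }

    /** facebookLogin(token) -> session token for the Authorization header, or null if rejected. */
    public String facebookLogin(String userToken) throws Exception {
        String fbUserId = verifyFacebookToken(userToken);
        if (fbUserId == null) return null;
        byte[] raw = new byte[32];                       // 256 bits of CSPRNG output
        random.nextBytes(raw);
        String session = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(session, fbUserId);                 // here you would also upsert the profile row
        return session;
    }
    /** Every other REST call resolves its token through here; null means respond with 401. */
    public String userForToken(String session) { return session == null ? null : sessions.get(session); }
    public void logout(String session) { if (session != null) sessions.remove(session); }
}
```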
