
Comments (8)

ldesplat commented on May 31, 2024

I have a hard time understanding your question and it has been 19 days. But would reading https://developers.facebook.com/docs/facebook-login/access-tokens#architecture help you?

The backend then authenticates (with Bell) that access token and would then return its own token from its own authentication strategy.

But, bell does not generate tokens...

So I only need bell as an authentication strategy that takes an access_token from the request, authenticates it against my third party provider (facebook) and also gives me the user information, and then I can do in my actual route handler whatever I want.

So if you have a long term token, why don't you just go to the graph endpoint of facebook and retrieve your data (or the debug endpoint). If it's not a valid token, it will refuse the request...

from bell.

KeKs0r commented on May 31, 2024

Hi,

In the meantime I have implemented it myself. I know that Bell does not generate tokens; I would have done that manually. What I wanted to do is authenticate a request with a facebook token against the facebook api. So the "login" route would have had an authentication strategy that just checks if the provided access token is a valid facebook token and then fetches the user for it. I think that this is already part of bell in theory, but somehow not exposed, because most flows are browser based with redirects.


ldesplat commented on May 31, 2024

I believe you did it correctly. Bell does not have to cover your entire use case. In this case, OAuth2, to the best of my knowledge, does not specify anything specifically for it. Some standards have been built around it by adding something like token introspection but it's not there.

It only specifies 4 different ways of acquiring a token:

  • Implicit flow is for untrusted clients (your browser)
  • Authorization Code (which Bell uses) does indeed do it through redirects amongst others.
  • Client Credentials and Resource Owner password credentials are for other use cases.

Then, there are refresh tokens, which are optional but are used for a different purpose: acquiring an access_token with fewer privileges, or exchanging an expired token for a new one.

By the way, in one of my applications I use the implicit code flow with the facebook SDK, and then pass that token to my server and then exchange it to a long lived one and store that. Would be interesting to see what a Bell API would look like to help you do refresh and can it be within the scope of bell...


bmcmahen commented on May 31, 2024

@ldesplat would it be possible to use the Facebook SDK to retrieve the bearer token from Facebook, and then pass that onto Bell... which would then create a session on the server-side? The redirect strategy doesn't work as well for mobile, where it would be preferable to use the Facebook SDK for this instead.


ldesplat commented on May 31, 2024

@bmcmahen next time just create a new issue please. It's so easy to ignore closed ones. You can always link to another issue within your post.

I do the same exact thing in one project. I actually don't use Bell at all in that project, since I only manage facebook and use their sdk with implicit auth. You just need to exchange that token for a long lived one (pass in the token plus your app's client id and secret and facebook gives you the long lived token). Facebook docs are misbehaving this morning but the link used to be https://developers.facebook.com/docs/facebook-login/access-tokens#extending .

Bell could have a facility for this but very few providers support that and the http call is trivial and I don't see how you can get it wrong security wise.

Then just use something like hapi-auth-cookie, your own version, or yar with some sugar on top.


bmcmahen commented on May 31, 2024

Thanks @ldesplat - I ended up implementing something similar, using hapi-auth-cookie on the server and verifying the iOS provided token using the Facebook graph api. Cheers, and thanks for the help.


ms88privat commented on May 31, 2024

@KeKs0r thanks for your input. I'm new to hapijs and had the same question. Meanwhile I found this new package: https://github.com/yoitsro/hapi-access-token . Maybe we could all collaborate 👍


lock commented on May 31, 2024

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
