May 28, 2013 vprakash@miegoapps.com

NoServer Scriptable Authentication


In addition to standard username and password authentication, the FatFractal platform features a scriptable authentication system. New FatFractal applications come with scripts for Facebook and Twitter OAuth authentication, described first, followed by a description of the general ScriptAuth system.

Facebook and Twitter Authentication


App configuration

The App ID and App Secret are entered in your application’s Auth.js file, found in the ff-scripts directory. If your app scaffold doesn’t contain this file, it may be found here.

var auth = require('ffef/ScriptAuth');
// Twitter
var TWITTER = "TWITTER";
auth.setScribeApiClassName(TWITTER, "org.scribe.builder.api.TwitterApi");
auth.setScribeApiKey(TWITTER, "twitter_api_key");
auth.setScribeApiSecret(TWITTER, "twitter_api_secret");
// Facebook
var FACEBOOK = "FACEBOOK";
auth.setScribeApiClassName(FACEBOOK, "org.scribe.builder.api.FacebookApi");
auth.setScribeApiKey(FACEBOOK, "facebook_app_id");
auth.setScribeApiSecret(FACEBOOK, "facebook_app_secret");

To allow use of Twitter OAuth authentication, twitter_api_key and twitter_api_secret must be replaced with appropriate values for your Twitter application. Likewise, facebook_app_id and facebook_app_secret must be replaced for use of Facebook authentication.

Authorization URI

The first step in the OAuth authentication flow on FatFractal is to retrieve an authorization URI to be presented to the user. The FatFractal client SDKs provide methods to retrieve this:

iOS
FatFractal *ff = [[FatFractal alloc] initWithBaseUrl:baseUrl];
// Twitter
[ff setCallbackUri:@"x-twitter-ff://authorize"
    forScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
NSString *authUriTwitter = [ff authUriForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
// Facebook
[ff setCallbackUri:@"x-facebook-ff://authorize"
    forScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK];
NSString *authUriFacebook = [ff authUriForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK];

Java (Android)
FatFractal ff = FatFractal.getInstance(baseUri, sslUri);
// Twitter
ff.setCallbackUriForScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_TWITTER,
    new URI("x-twitter-ff://authorize"));
URI authUriTwitter = ff.authUriForScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_TWITTER);
// Facebook
ff.setCallbackUriForScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_FACEBOOK,
    new URI("x-facebook-ff://authorize"));
URI authUriFacebook = ff.authUriForScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_FACEBOOK);

JS (HTML5)
var ff = new FatFractal();
ff.setBaseUrl(...);
// Twitter
ff.setCallbackUriForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER,
    ff.getBaseUrl() + "authorize.html");
ff.authUriForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER, function(authUri) {
    // redirect to authorization URI
    window.location = authUri;
});
// Facebook
ff.setCallbackUriForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK,
    ff.getBaseUrl() + "authorize.html");
ff.authUriForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK, function(authUri) {
    // redirect to authorization URI
    window.location = authUri;
});

On iOS and Android, the page pointed to by the URI may be presented to the user either via an in-app web view or by using the system browser. In the former case, the web view should be configured to hide when your custom URI scheme (x-twitter-ff or x-facebook-ff above) is detected after a redirection. In the latter case, your app should register with the system as a URI handler for the custom URI scheme. Be sure to pick a custom URI scheme which is unlikely to collide with another app’s!

In a web app, on the other hand, you can simply redirect the page to the authorization URI.

Access Token

Once the user has authenticated, the full callback URI must be traded in for an access token:

iOS
// Twitter
NSString *callbackUriWithCodeTwitter = ...;
[ff retrieveAccessTokenForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER
    callbackUriWithVerifier:callbackUriWithCodeTwitter];
// Facebook
NSString *callbackUriWithCodeFacebook = ...;
[ff retrieveAccessTokenForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK
    callbackUriWithVerifier:callbackUriWithCodeFacebook];

Java (Android)
// Twitter
URI callbackUriWithCodeTwitter = ...;
ff.retrieveAccessTokenForScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_TWITTER,
    callbackUriWithCodeTwitter);
// Facebook
URI callbackUriWithCodeFacebook = ...;
ff.retrieveAccessTokenForScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_FACEBOOK,
    callbackUriWithCodeFacebook);

JS (HTML)
var callbackUriWithCode = window.location.href;
// Twitter
ff.retrieveAccessTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER,
    callbackUriWithCode, function(result) {
    // now we can log in
});
// Facebook
ff.retrieveAccessTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK,
    callbackUriWithCode, function(result) {
    // now we can log in
});
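
The callback URI arrives from outside the app (a web view redirect, a system URI handler or the page location), so it is worth checking before it is traded in for a token. The following is an added example, not part of the FatFractal SDK or of Auth.js: the checkCallback helper and its REGISTERED and VERIFIER_PARAM tables are hypothetical, and the parameter names are the standard OAuth 1.0a and OAuth 2 ones rather than values read from the platform.

```javascript
// Added example; REGISTERED and VERIFIER_PARAM are assumptions, not SDK values.
const REGISTERED = {
  TWITTER: "x-twitter-ff://authorize",
  FACEBOOK: "x-facebook-ff://authorize",
};
// Standard parameter names: OAuth 1.0a uses oauth_verifier, OAuth 2 uses code.
const VERIFIER_PARAM = { TWITTER: "oauth_verifier", FACEBOOK: "code" };

function checkCallback(service, callbackUri) {
  if (!Object.prototype.hasOwnProperty.call(REGISTERED, service)) {
    return { ok: false, reason: "unknown service" };
  }
  let got, want;
  try {
    got = new URL(callbackUri);
    want = new URL(REGISTERED[service]);
  } catch (e) {
    return { ok: false, reason: "unparseable URI" };
  }
  // Scheme, host and path must match the callback set for this service,
  // so a URI aimed at some other handler or page is never traded in.
  if (got.protocol !== want.protocol || got.host !== want.host ||
      got.pathname !== want.pathname) {
    return { ok: false, reason: "callback mismatch" };
  }
  const q = got.searchParams;
  // Provider-reported refusal: OAuth 2 sends error=..., Twitter sends denied=...
  if (q.has("error") || q.has("denied")) {
    return { ok: false, reason: "authorization refused" };
  }
  // Exactly one non-empty verifier; duplicates are ambiguous and rejected.
  const values = q.getAll(VERIFIER_PARAM[service]);
  if (values.length !== 1 || values[0] === "") {
    return { ok: false, reason: "missing or duplicated verifier" };
  }
  return { ok: true, verifier: values[0] };
}

// Constructed sample callbacks, for illustration only.
console.log(checkCallback("TWITTER",
  "x-twitter-ff://authorize?oauth_token=t1&oauth_verifier=v1"));
console.log(checkCallback("FACEBOOK",
  "x-facebook-ff://authorize?error=access_denied"));
```

Only when the result has ok set to true would the app go on to call retrieveAccessTokenForScriptAuthService with the original callback URI.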

The access token is stored in memory by the SDK, and may be easily accessed if required. Methods are provided to set and access the token to, for example, store and restore a token so that a user isn’t forced to log in again:

iOS
// retrieve Twitter token
NSString *tokenTwitter = [ff tokenForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
NSString *secretTwitter = [ff secretForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
// retrieve Facebook token
NSString *tokenFacebook = [ff tokenForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK];
// set Twitter token
[ff setToken:@"twitter_token" andSecret:@"twitter_secret"
    forScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
// set Facebook token
[ff setToken:@"facebook_token" forScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK];
// clear Twitter token
[ff clearTokenForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
// clear Facebook token
[ff clearTokenForScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK];

Java (Android)
// retrieve Twitter token
String tokenTwitter = ff.getTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER);
String secretTwitter = ff.getSecretForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER);
// retrieve Facebook token
String tokenFacebook = ff.getTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK);
// set Twitter token
ff.setTokenAndSecretForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER,
    "twitter_token", "twitter_secret");
// set Facebook token
ff.setTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK, "facebook_token");
// clear Twitter token
ff.clearTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER);
// clear Facebook token
ff.clearTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK);

JS (HTML5)
// retrieve Twitter token
var tokenTwitter = ff.getTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER);
var secretTwitter = ff.getSecretForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER);
// retrieve Facebook token
var tokenFacebook = ff.getTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK);
// set Twitter token
ff.setTokenAndSecretForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER,
    new Token("twitter_token", "twitter_secret"));
// set Facebook token
ff.setTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK,
    new Token("facebook_token"));
// clear Twitter token
ff.clearTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER);
// clear Facebook token
ff.clearTokenForScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK);

Registration

Explicitly registering a new user can be accomplished with a single call in each of the SDKs. User details such as name and email address will be retrieved from the user’s Facebook or Twitter profile.

iOS
// Twitter
FFUser *userTwitter = [ff registerWithScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
// Facebook
FFUser *userFacebook = [ff registerWithScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK];

Java (Android)
// Twitter
FFUser userTwitter = ff.registerWithScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_TWITTER);
// Facebook
FFUser userFacebook = ff.registerWithScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_FACEBOOK);

JS (HTML5)
// Twitter
ff.registerWithScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER, function(user) {
    // we are logged in!
});
// Facebook
ff.registerWithScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK, function(user) {
    // we are logged in!
});

Login

Login is similarly simple.

iOS
// Twitter
FFUser *userTwitter = [ff loginWithScriptAuthService:FF_SCRIPT_AUTH_SERVICE_TWITTER];
// Facebook
FFUser *userFacebook = [ff loginWithScriptAuthService:FF_SCRIPT_AUTH_SERVICE_FACEBOOK];

Java (Android)
// Twitter
FFUser userTwitter = ff.loginWithScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_TWITTER);
// Facebook
FFUser userFacebook = ff.loginWithScriptAuthService(FatFractal.SCRIPT_AUTH_SERVICE_FACEBOOK);

JS (HTML5)
// Twitter
ff.loginWithScriptAuthService(ff.SCRIPT_AUTH_SERVICE_TWITTER, function(user) {
    // we are logged in!
});
// Facebook
ff.loginWithScriptAuthService(ff.SCRIPT_AUTH_SERVICE_FACEBOOK, function(user) {
    // we are logged in!
});

Custom Authentication


The following table summarizes the functions in Auth.js that are called for each ScriptAuth service. When you add a new ScriptAuth service to your application, each of these functions should respond correctly for your service.

Function                 Description
validAuthServices        Returns an array of strings, each of which you declare to be a recognized ScriptAuth service.
validateRegisterRequest  Returns a boolean indicating whether or not the provided register request is valid.
sanitizeCredential       Removes sensitive information, such as passwords, from a credential.
verifyCredential         The main ScriptAuth function, which verifies that a provided credential is good. This function is also responsible for creating account records when required.

Default implementations of each of these functions for Twitter and Facebook authentication are provided in Auth.js, demonstrating how each works and what data is available.

OAuth Services

If you are implementing an OAuth authentication service, there are additional functions that will be called by the platform, listed in the table below.

The FatFractal platform uses the Scribe library to provide OAuth functionality, and you may use it as well, as demonstrated in Auth.js. To do so, you must specify the full class name of the Scribe class describing the service; see here for a list of the provider classes included.

Function                  Description
getRequestToken           Returns a request token. OAuth 1 only.
getAuthorizationUri       Returns an authorization URI to be shown to the user.
getVerifierParameterName  Returns the query parameter name for the code or verifier in the callback URI.
getAccessToken            Returns an access token given a verifier (and request token, in the case of OAuth 1 services).

When using Scribe, the following functions are used for configuration.

Function               Description
setScribeApiClassName  Provides your API with the fully qualified class name of the Scribe class for an OAuth service.
setScribeApiKey        Provides your API with the API key for an OAuth service.
setScribeApiSecret     Provides your API with the API secret for an OAuth service.
