pathardepavan:

Rest API Authentication using Token from mobile application

I am building a backend REST API for an Android application. It authenticates the user and sends the token in the Authorization header. I am extracting the token from the header in a custom middleware. Now I tried to check with Socialite whether it provides a way for me to get the user by token. If the user does not exist we will create a user, else send a success response to the Android application.

Now in Socialite I cannot implement the specific method getUserByToken($token) since it's protected.

I am not proficient with Laravel. Can someone guide me?

Thanks, Pavan

0 likes
9 replies
Corez64:

Socialite is, mostly, an OAuth client (as in it connects with an OAuth provider (Facebook, Twitter, GitHub, etc.) to validate that the person using your app has an account there).

From what you have described, I'm left with the impression that you are wanting to authenticate users that exist for your application, in which case you will need an OAuth server. I have been using lucadegasperi/oauth2-server-laravel.

If you are actually using Socialite to authenticate users in the way it was intended, you will need to store the token given to you by one of the OAuth providers in your database. However, this code MUST NEVER leave your server, with the exception of making a request to the OAuth provider that gave it to you.

pathardepavan:

Thanks @Corez64!! What I want to do is: the first time a user on the Android app logs in using Google, a token is received by the application. This token will be sent to the backend API, which will help to fetch user details from Google. If the user does not exist, the user will be created and a success response returned.

What client library does this basic task of calling Google and getting information based on the token?

2 likes
Corez64:

Yes, you can use Socialite to log in a new or old user. I found this article by Matt Stauffer very useful when I was trying out Socialite: https://mattstauffer.co/blog/using-github-authentication-for-login-with-laravel-socialite

However, you do not send the code that Socialite gives you in your own authentication system; you must write your own, or the security of your users' accounts is completely at risk. You will need to generate your own authentication code, different from Socialite's, to share with your mobile app, and you can authenticate using that token. I would also recommend that you change the code often to prevent it from falling into the wrong hands easily.

Sending the code that Socialite provides is dangerous because that is a key that Google have provided to you to grant your application access to one of their users' profiles. If you allow that code to be sent to your mobile app, it could be intercepted by a malicious third party using a man-in-the-middle attack, and they would have the same access to the user's profile as your application does, which is bad. It is also against Google's T&Cs, which would mean that if they find out, your application would be suspended.

tjphippen:

I believe we may be doing something similar. I want to use Laravel as our iOS/Android app's API backend in addition to the web-based area of our site. Socialite works great for the web-based authentication & lucadegasperi is perfect as an OAuth server providing & using tokens with the apps, BUT I'm really not sure how to combine them or their abilities.

Anyone tried this? Web-based is one thing, but I'd like our mobile apps to get authentication via the native apps; Asana, for example, uses my Android's Google account to log in.

mc_teo:

Hey. I think I am attempting something similar, and am curious if you've found your answer yet?

I have an iOS, Android, and web application, and a private API used by all three. The web application and API were originally written in Node.js/Express.js, but I am rewriting it in Laravel now. We had the same problem early in development in the original API, probably due to tying the web and API parts of the project too tightly together. We used an awesome library called Passport.js, which lets you pull in "Strategies" for different providers, so it makes it extremely easy to add Google+/Facebook/Twitter logins to our web UI. The caveat is that these are only really for a web application, and since the native apps act as the OAuth2 client, they get the access token we want on the server.

In the end we found small "token-strategies" that, as far as I know, just validate the access tokens. So we send the access token from our native apps to our API, and just validate the access token on the server.

I have yet to fully explore Socialite, but on surface value, it seems to be only for web applications acting as OAuth2 clients, yes?
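The pattern Corez64 and mc_teo describe, as an added example that is not from the thread or from Socialite: the app sends the provider's access token once, the server verifies it and finds or creates the user, and then issues its own random, short-lived bearer token (stored only as a hash) for the custom middleware to check. It is framework-free so it runs with plain `php`; `verifyProviderToken` is an assumed stand-in for the call to Google (Socialite or a token-info request), and the user and token stores are in-memory arrays with a constructed sample token.

```php
<?php
declare(strict_types=1);

// Stand-in for verifying the provider token with Google (assumed helper, not Socialite's API).
// Constructed sample: only one provider token is accepted here.
function verifyProviderToken(string $providerToken): ?array {
    $known = ['ya29.constructed-sample' => ['id' => '1234567890', 'email' => 'pavan@example.com']];
    return $known[$providerToken] ?? null;
}

// Find-or-create by provider id; in Laravel this would be a firstOrCreate on the User model.
function findOrCreateUser(array &$users, array $profile): array {
    foreach ($users as $u) {
        if ($u['google_id'] === $profile['id']) return $u;
    }
    $u = ['id' => count($users) + 1, 'google_id' => $profile['id'], 'email' => $profile['email']];
    $users[] = $u;
    return $u;
}

// Issue the app's own bearer token: random, short-lived, and stored only as a SHA-256 hash.
function issueApiToken(array &$tokens, int $userId, int $ttl = 3600): string {
    $plain = bin2hex(random_bytes(32));
    $tokens[hash('sha256', $plain)] = ['user_id' => $userId, 'expires' => time() + $ttl];
    return $plain; // the only copy that ever reaches the client
}

// What the custom middleware does per request: parse the header, look up the hash, reject if expired.
function authenticate(array $tokens, ?string $authHeader): ?int {
    if ($authHeader === null || !preg_match('/^Bearer\s+([A-Za-z0-9]+)$/', $authHeader, $m)) return null;
    $rec = $tokens[hash('sha256', $m[1])] ?? null;
    if ($rec === null || $rec['expires'] < time()) return null;
    return $rec['user_id'];
}

// Login endpoint: provider token in, app token out. The provider token never leaves the server.
function login(array &$users, array &$tokens, string $providerToken): ?string {
    $profile = verifyProviderToken($providerToken);
    if ($profile === null) return null;
    $user = findOrCreateUser($users, $profile);
    return issueApiToken($tokens, $user['id']);
}

$users = []; $tokens = [];
$apiToken = login($users, $tokens, 'ya29.constructed-sample');
printf("api token issued: %s\n", $apiToken === null ? 'no' : 'yes');
printf("request with api token -> user %s\n", var_export(authenticate($tokens, "Bearer $apiToken"), true));
// The Google token is not an API token, so presenting it to the middleware must fail.
printf("request with provider token -> user %s\n", var_export(authenticate($tokens, 'Bearer ya29.constructed-sample'), true));
```

Rotating tokens (Corez64's "change the code often") is then just issuing a new one through `issueApiToken` and dropping the old hash from the store.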

BigMotive:

@pathardepavan @tjphippen @mc_teo

Did any of you guys find a solution or strategy for this?

I too would like to use Laravel as a backend API for my iOS app with native iOS Twitter and Facebook authentication.

Can't get my head around it currently.

Thanks

tjphippen:

This may help you: https://medium.com/@barryvdh/oauth-in-javascript-apps-with-angular-and-lumen-using-satellizer-and-laravel-socialite-bb05661c0d5c#.3fz2clvhm

1 like
fanvettel:

I have the same situation. How can I handle it when the client (Android app) sends both the old token to authenticate and a new token to replace (save) in the database?
