thready
asked on
Google app engine, REST, authentication & sessions
On my mobile app, I'd like to send login and password to the server. Please correct me where I'm wrong, or please tell me how I can improve on this?
We get login/password and authenticate by checking hash of password on the server- we send as response to this some random "session" key (string of random characters?) to the client - later - this is supplied with every request to the server for any other kind of REST request? How do you fit this session key into the REST API without breaking the REST style? i.e., let's say I want to get a list of customers: http://example.com/rest/v1/Customers?session=lksdfkjhsfkjdskfds --> is this OK?
I feel it's necessary to supply user login direct from my own site AND supply the ability to login by existing google account for example. How do you adapt the login to a REST API with different types of login? What is the common ground between a site supplied user/login vs the google user's API so that the 2 may be used together? The example code I've seen for the google users API abstracts away so much that I don't really understand how it works - you get a user, if it's NULL, you're redirected to a google sign-in. If not, you have your user, then I guess there's some key in the user object that you use as your session key?
Many thanks for any help! :o)
Mike
We get login/password and authenticate by checking hash of password on the server- we send as response to this some random "session" key (string of random characters?) to the client - later - this is supplied with every request to the server for any other kind of REST request? How do you fit this session key into the REST API without breaking the REST style? i.e., let's say I want to get a list of customers: http://example.com/rest/v1/Customers?session=lksdfkjhsfkjdskfds --> is this OK?
I feel it's necessary to supply user login direct from my own site AND supply the ability to login by existing google account for example. How do you adapt the login to a REST API with different types of login? What is the common ground between a site supplied user/login vs the google user's API so that the 2 may be used together? The example code I've seen for the google users API abstracts away so much that I don't really understand how it works - you get a user, if it's NULL, you're redirected to a google sign-in. If not, you have your user, then I guess there's some key in the user object that you use as your session key?
Many thanks for any help! :o)
Mike
The main thing I would like to clarify here, as it affects any help that I would give... Is your mobile app web based, ie. HTML/javascript/.... hosted in a mobile web browser served by your server? Or is it truely a native app that just communicates via REST api over HTTP/HTTPS for accessing/updating data?
ASKER
For now, it's a mobile app that does all its communication over Ajax.
I may host it in a browser control running natively in an app if that somehow gives better push notifications or if I need something that's missing from native that becomes a requirement...
I may host it in a browser control running natively in an app if that somehow gives better push notifications or if I need something that's missing from native that becomes a requirement...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Ray, I'm going to disect these good looking articles. Looking forward to your response Mccarl! In the meantime, ve30fa, I'd love to offer the choice to the user (if they don't want to use OpenID - I worry that if I only offer OpenID, some people might think that I'm getting their password for facebook or whatever and I might lose customers because of it)... I'd like to offer a login that looks like the one they use for say, doodle:
Thanks for the explanation.
I feel it's necessary to supply user login direct from my own site AND supply the ability to login by existing google account for example
I miss read your intention in this part.
I feel it's necessary to supply user login direct from my own site AND supply the ability to login by existing google account for example
I miss read your intention in this part.
ASKER
Thank you very much
Use the open-id protocol to allow that form of authentication with any openid provider i.e. google/facebook/microsoft
or
use the google + version of oath version 2.0
or
use your OWN authentication protocol.