Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Google app engine, REST, authentication & sessions

Posted on 2013-06-16
7
Medium Priority
?
665 Views
Last Modified: 2013-11-19
On my mobile app, I'd like to send login and password to the server. Please correct me where I'm wrong, or please tell me how I can improve on this?

We get login/password and authenticate by checking hash of password on the server- we send as response to this some random "session" key (string of random characters?) to the client - later - this is supplied with every request to the server for any other kind of REST request? How do you fit this session key into the REST API without breaking the REST style? i.e., let's say I want to get a list of customers: http://example.com/rest/v1/Customers?session=lksdfkjhsfkjdskfds --> is this OK?

I feel it's necessary to supply user login direct from my own site AND supply the ability to login by existing google account for example. How do you adapt the login to a REST API with different types of login? What is the common ground between a site supplied user/login vs the google user's API so that the 2 may be used together? The example code I've seen for the google users API abstracts away so much that I don't really understand how it works - you get a user, if it's NULL, you're redirected to a google sign-in. If not, you have your user, then I guess there's some key in the user object that you use as your session key?

Many thanks for any help! :o)

Mike
0
Comment
Question by:thready
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39252215
you have basically 3 choices:
Use the open-id protocol to allow that form of authentication with any openid provider i.e. google/facebook/microsoft
or
use the google + version of oath version 2.0
or
use your OWN authentication protocol.
0
 
LVL 36

Expert Comment

by:mccarl
ID: 39252274
The main thing I would like to clarify here, as it affects any help that I would give... Is your mobile app web based, ie. HTML/javascript/.... hosted in a mobile web browser served by your server? Or is it truely a native app that just communicates via REST api over HTTP/HTTPS for accessing/updating data?
0
 
LVL 1

Author Comment

by:thready
ID: 39252789
For now, it's a mobile app that does all its communication over Ajax.

I may host it in a browser control running natively in an app if that somehow gives better push notifications or if I need something that's missing from native that becomes a requirement...
0
RHCE - Red Hat OpenStack Prep Course

This course will provide in-depth training so that students who currently hold the EX200 & EX210 certifications can sit for the EX310 exam. Students will learn how to deploy & manage a full Red Hat environment with Ceph block storage, & integrate Ceph into other OpenStack service

 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 39253053
You may find this question easier to frame if you have some background understanding of the protocols and design patterns that are usually used with something like this.  These two articles may be helpful.

Protocols:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

PHP Client Authentication:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

In the latter article, the HTTP cookie is used to indicate an authenticated client.  This can be either the "session" cookie or the "remember me" cookie.  If you choose a cookie-based authentication, you will not need any elaborate code to pass the authentication keys back and forth to the REST API - it's already baked into the mobile browsers. This will be true whether you choose PHP or some other server-side language.
0
 
LVL 1

Author Comment

by:thready
ID: 39253262
Thanks Ray, I'm going to disect these good looking articles.  Looking forward to your response Mccarl!  In the meantime, ve30fa, I'd love to offer the choice to the user (if they don't want to use OpenID - I worry that if I only offer OpenID, some people might think that I'm getting their password for facebook or whatever and I might lose customers because of it)... I'd like to offer a login that looks like the one they use for say, doodle:  

Create login dialog
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39254700
Thanks for the explanation.

I feel it's necessary to supply user login direct from my own site AND supply the ability to login by existing google account for example

I miss read your intention in this part.
0
 
LVL 1

Author Closing Comment

by:thready
ID: 39266813
Thank you very much
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Dramatic changes are revolutionizing how we build and use technology. Every company is automating, digitizing, and modernizing operations. We need a better, more connected way to work together as teams so we can harness the insights from our system…
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
The viewer will learn how to dynamically set the form action using jQuery.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question