Loopback passport mobile login

Question

I'm developing an API with loopback and passport. I've seen this example, which is quite good:

https://github.com/strongloop/loopback-example-passport

In the documentation, they say loopback follows this step to authenticate users via third party providers:

1. A visitor requests to log in using Facebook by clicking on a link or button backed by LoopBack to initiate oAuth 2.0 authorization.
2. LoopBack redirects the browser to Facebook's authorization endpoint so the user can log into Facebook and grant permissions to LoopBack
3. Facebook redirects the browser to a callback URL hosted by LoopBack with the oAuth 2.0 authorization code
4. LoopBack makes a request to the Facebook token endpoint to get an access token using the authorization code
5. LoopBack uses the access token to retrieve the user's Facebook profile
6. LoopBack searches the UserIdentity model by (provider, externalId) to see there is an existing LoopBack user for the given Facebook id If yes, set the LoopBack user to the current context If not, create a LoopBack user from the profile and create a corresponding record in UserIdentity to track the 3rd party login. Set the newly created user to the current context.

So my question is, suppose some user get an access token using a mobile app, the how can I authenticate that user's requests using Loopback Passport?

Thanks

Answer 1

I had opened a similar topic about same issue, How integrate loopback third-party login for android. Then found a solution for this.

First of all, its important to say that, a loopback user can able to have more access tokens in same time. When you logged in from your web site or mobile app, loopback creates an access token each time.

If you are asking about to get access token, there is already a way to do this, so you can get access tokens using login method like that

User.login({username: 'foo', password: 'bar'}, function(err, accessToken) {
   console.log(accessToken);
});

The only thing you have to do is calling this hosted method from your android app. You can use loopback android sdk (proper way) or posting username and password to server and handle, simply like that

app.post('/android/custom_login', function(req, res){
    var username = req.body.username;
    var password = req.body.password;

    User.login({username: username , password: password }, function(err, accessToken) {
      console.log(accessToken);
      return res.send(accessToken);
    });
});

If you are asking about, to make logged in users with social network account and then get access token, i can simulate a few things from google scenario. Also you can check extra loopback github test

app.post('/android/custom_login', function(req, res){
   var provider = 'google';
   var authSchema = 'oAuth 2.0';

   // oneTimeCode from android
   var oneTimeCode = req.body.oneTimeCode;

   // Make a request to google api
   // to exchange refreshToken and accessToken with using google apis
   var accessToken = 'FROM GOOGLE API';
   var refreshToken = 'FROM GOOGLE API';

   // external id is your google or facebook user id
   var externalId = 'FROM GOOGLE API';
   var email = 'FROM GOOGLE API';

   var credentials = {};
   credentials.externalId = externalId;
   credentials.refreshToken = refreshToken;

   var profile = {};
   profile.id = externalId;
   profile.emails = [{type:'account', value: email}];

   UserIdentityModel.login(
     provider, authSchema, profile, credentials , 
     {autoLogin:true}, function(err, loopbackUser, identity, token){
            if(err) throw err;
            // token is access token for thig login
            return res.send(token);
   });
});

In google scenario, i am obtaining a one-time code when the user clicked sign-in button. Then posted the one-time code to my server for exchanging with access token and refresh token. Also here, i am getting user profile info from google.

Profile and provider , are really important because UserIdentityModel.login() method creates an anonymous user with using provider and profile.id (if these infos not exist)

After all you will have an access token for android app, as you see

Answer 2

1. Use Loopback-Passport example

2. From server.js, replace code as following

   app.get('/auth/account', ensureLoggedIn('/login'), function (req, res, next) {
       res.json(req.accessToken);
   
       });
   

3. Using the accessToken from above line, you can use the LoopBack APIs.You can extend the code to create your own custom APIs.