nraboy / ng-cordova-oauth

AngularJS oauth library for use with Apache Cordova projects
https://www.thepolyglotdeveloper.com
MIT License

Facebook Authentication #317

Closed Sethles closed 7 years ago

Sethles commented 7 years ago

Hi there,

I'm using $cordovaOauth for the purpose of authenticating with Facebook but have a question regarding the login flow. I've been reading up on Long-Lived Tokens and Refreshing of Long-Lived Tokens but the flow they explain doesn't seem to happen using $cordovaOauth. Facebook documentation states that if and when your token expires, send the user through the login flow again, but because they have previously authenticated, Facebook immediately redirects them back to your app with a new token.

This doesn't seem to happen when using $cordovaOauth? The user is forced to re-enter his credentials, which I find a bit annoying for the user. Am I missing something or is this just a limitation with this library?

Thanks.

nraboy commented 7 years ago

There are two types of grants when it comes to OAuth, implicit and explicit. Implicit grants don't yield refresh tokens while explicit do.

This is because implicit grants do not use a secret key. It is never a good idea to embed a secret key in your client facing application. This should only be used in server side authentication.

This is why you are forced to sign in after the token expires. If you don't like this, I suggest you find a server side solution.

Best,
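As an added illustration of the two grant types described in the reply above (my own example, not code from ng-cordova-oauth or the Facebook SDK; the function names, field names and the callback URL are assumptions), this classifies the redirect that comes back to the app's callback URL and reports whether the client can obtain a fresh token without sending the user through login again:

```javascript
// Classify an OAuth redirect by grant type. `now` is injectable so expiry
// calculations are deterministic; it defaults to the current time.
function parseOAuthRedirect(redirectUrl, now = Date.now()) {
  const url = new URL(redirectUrl);
  // Implicit grant (what a client-only Cordova app gets): token arrives in the fragment.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  // Authorization-code ("explicit") grant: a one-time code arrives in the query string.
  const query = url.searchParams;

  const error = fragment.get('error') || query.get('error');
  if (error) {
    return { grant: 'none', error, refreshable: false };
  }
  if (fragment.has('access_token')) {
    const expiresIn = Number(fragment.get('expires_in') || 0);
    return {
      grant: 'implicit',
      accessToken: fragment.get('access_token'),
      // Millisecond timestamp after which the token is no longer valid (null if unknown).
      expiresAt: expiresIn > 0 ? now + expiresIn * 1000 : null,
      // The implicit flow never issues a refresh token: once this expires, the
      // only option available to the client is to run the login flow again.
      refreshable: false,
    };
  }
  if (query.has('code')) {
    return {
      grant: 'authorization_code',
      code: query.get('code'),
      // Exchanging the code requires the app secret, so it must happen on a
      // server; that server-side exchange is also where a refresh or
      // long-lived token is obtained. The secret never reaches the client.
      refreshable: true,
    };
  }
  throw new Error('unrecognised OAuth redirect: ' + redirectUrl);
}

// True when the client must re-run the login flow to keep calling the API.
function needsLogin(tokenInfo, now = Date.now()) {
  if (tokenInfo.grant !== 'implicit') return false; // server holds the refreshable credential
  return tokenInfo.expiresAt === null || tokenInfo.expiresAt <= now;
}

// Constructed sample redirects; the token and code values are placeholders.
const implicitRedirect = 'http://localhost/callback#access_token=EXAMPLE_TOKEN&expires_in=5183944';
const codeRedirect = 'http://localhost/callback?code=EXAMPLE_CODE&state=xyz';
```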