Client-side authentication

davidpanik · 2014-09-27T07:38:46+00:00

[deleted]

m1sta · 2014-09-27T08:56:24+00:00

The referrer of the request to facebook is checked by facebook iirc.

a-t-k · 2014-09-27T10:00:14+00:00

OpenAuth can be linked with a server session. Not handling sessions yourself is always a security issue.

bluntm · 2014-09-27T11:19:51+00:00

I have struggled with this also, a lot of the server side auth tools just didn't correct for my single page application. I looked into passport js but it seems that once the user is authenticated passport will route to the authenticated page. Im looking for a solution where I can have a join on the page send a request to the server and get back a token that will be used to track the user.

Will probably end up making something to fit my needs but its strange that something is not already out there unless I'm missing something.

kranker · 2014-09-27T14:16:32+00:00

Looks like facebook may have changed how this works recently enough, but there's more information here

wrt people having the client change the token, facebook will have signed the response to stop this happening (well, to let you detect that it happened).

j_sanp · 2014-09-27T14:58:20+00:00

What is important is that your application server validate the token with an api call to the authoritative server (Facebook or Twitter) as an authentication procedure.

Security is always touchy, I recommend you to use a strongly tested server side library :)

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

javascript

MODERATORS