android - Uber OAuth Best Practices in Mobile App -


i'd make mobile app makes requests on behalf of user. understand following oauth flow:

  1. open user in web view give app access make requests on behalf
  2. when hit grant access, server side app receive call authorization code
  3. my server side app needs exchange authorization code access token

my confusion starts in step 2. uber makes request endpoint authorization code, have no way of knowing user authorization belongs to. can exchange access token , store in db 30 days, have no way of getting user use make requests.

one thought have user sign in app email address use key appropriate access token server app, have no way of associating access token email address in db table in first place.

i'm wondering best practices here. how mobile app supposed know access token use given user?

(i reached out uber api support directly, asked me open stackoverflow question instead)

obviously kind of broad question , highly dependent on type of app you're building, want user-flow like, etc etc i'll best point in right direction.

first, uber api has /v1/me endpoint return users first name, last name, , email address, among other things. 1 possible flow user opens app, go through whole oauth flow, , once exchange authorization code access token use (from server) make call out /v1/me endpoint , use either users email address or uuid key in database. if used email address, allow users login app using same email address , allow account creation process oauth flow.

i'm not mobile developer, understanding of embedded web views can use cookies other browser. in case, thing use sessions / cookies. assuming have kind of identifier existing users, add cookie web server , when user gets redirected web server authorization code, attached cookie tell user associate access token.

finally, uber developer platform includes state parameter in authorization phase of oauth flow seen here https://developer.uber.com/docs/authentication similar describe in previous paragraph, except instead of using cookies store user identifier in state parameter , it'll sent when user re-directs. can use piece of information tie access token specific user in db.

i hope helps! don't hesitate reach out if you're still confused.

cheers!


Comments

Post a Comment

Popular posts from this blog

javascript - jQuery: Add class depending on URL in the best way -

i have html progress meter: <div class="col-md-3" style="margin-left: -20px;"> <div class="progress-pos active" id="progess-1"> <div class="progress-pos-inner"> login </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-2"> <div class="progress-pos-inner"> scan items </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-3"> <div class="progress-pos-inner"> confirm address </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-4"> <div class="progress-pos-in
Read more

caching - How to check if a url path exists in the service worker cache -

i need check if particular url path exists in service worker cache. example, suppose url is: /myserviceworker/service?a=110&b=70 this url exists in cache, there many of them different values of , b. now, suppose want refresh of these urls, how can that? i want know how access key values service worker cache. if know key, plan follows: var url = new url(key); if(url.pathname === "\/myserviceworker/service") refetch key but not sure how cache key , in format is. mean, string or url? cache api has match() method returns promise resolving in response object if match or undefined if no match exists. second parameter object can specify ignoresearch not take account url parameters. the ignoresearch option supported firefox ( chrome status here ). in other hand, retrieve cache entries, can use keys() method.
Read more

Redirect to a HTTPS version using .htaccess -

i need modify .htaccess file redirect urls https version without "www". http://example.com --> https://example.com http://www.example.com --> https://example.com https://www.example.com --> https://example.com this how .htaccess file looks like: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^(.*)$ redirect.php?id=$1&page=$2 [qsa,l] what modifications need make .htaccess in order forward https without "www"? it depends on doing current code. looks file called redirect trying display php page seo friendly url. think might confusing people. anyway, need , force https without www, need 1 more rule above. also second rule needs two capture groups in rewriterule test string because wanting 2 different values using $1 , $2 references. rewriteengine on #rediect www non www and/or http https --- combinations. rewritecond %{http_host} !^example\.com [nc,or] rewritecond %{https} !^
Read more