Facebook Connect for mobile single sign on
Hey all,
I've got an app that currently lives only in Facebook (well, as far as any user interaction goes) which I'm trying to build a Facebook Connect authenticated mobile app for.
As far as I can tell, the Titanium Facebook implementation is good for authenticating directly to Facebook from the device, but not as authentication for talking separately to my web service.
I need to somehow carry an authenticated session across to a separate XHR request which I can then use to exchange a separate set of credentials which I'll use for future non-Facebook requests. On the web, this would be achieved through a cookie that gets set by the Facebook login, used to generate the Facebook session on future requests.
I've not had much interaction with Connect mobile (and I'm by no means an expert when it comes to Connect for sites) so for all I know this might not be possible, but it doesn't seem like an unusual use case.
The best I've come up with so far is taking the session key and passing that back up to the server, but that has a whole bunch of reasons not to do that.
Cheers,
Jon
3 Answers
-
Accepted Answer
SSO with Facebook Connect has been done on a client project, so I do know it to be possible with Titanium Mobile. The information that will be potentially useful for this purpose is in the Ti.Facebook.session property:
Ti.Facebook.session.session_key
Ti.Facebook.session.expires
Ti.Facebook.session.user
Using this information, your client application can tell that the user is logged in, and for how long. You could leverage this data on the server side to authenticate requests.
Personal Opinion
I would advise against using Facebook as your SSO solution - allowing Facebook to own your user accounts puts you at the mercy of their servers and systems to drive your entire back end. My recommendation would be to associate Facebook accounts with user accounts that you control, so you can still leverage social graph and sharing APIs without making your site totally dependent on Facebook.
-
I do not believe you can store a cookie, but you can store the info in a sqlite database. So when the user logs in to FB or another site and the response is not an error message, then simply store the username and password in the database. Then when the user needs to access the site again, just have the app pull out the username and password and resubmit it with the query.
-
Hi Stan, thanks for responding.
I've tried something along those lines using the session key, which is available in Ti.Facebook.session.
If I pass that to my app, I'm able to recreate the session and take things from there, though I'm not too happy with that as I've not got any way to verify that the request has come from who I expect it to be.
I have however just revisited what else is in Ti.Facebook.session and there's the session secret. I'm not familiar with that but I suspect that's where my answer lies so I'll go RTFM for a bit and report back.
Cheers,
Jon
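The exchange discussed in this thread (the server confirms the session key with Facebook, then issues its own short-lived credential tied to an account it controls), sketched as an added example that is not part of any post above. lookupFacebookUser, the account map and the token format are hypothetical; the lookup stands in for a server-to-server call to Facebook and is stubbed with constructed data.

```javascript
const crypto = require("crypto");

const APP_TOKEN_KEY = crypto.randomBytes(32); // server-only key (assumption: held in memory)
const MAX_TOKEN_TTL = 3600;                   // seconds an app token may live

// HMAC-SHA256 over "localId.expiry", hex encoded.
function sign(payload) {
  return crypto.createHmac("sha256", APP_TOKEN_KEY).update(payload).digest("hex");
}

// lookupFacebookUser(sessionKey) -> { uid, expires } or null (hypothetical helper).
// accounts maps a Facebook uid to a local account id without dots.
// The client sends only the session key; a uid or expiry sent by the client
// is never trusted, both come from the lookup.
function exchangeSession(sessionKey, lookupFacebookUser, accounts, now) {
  const fb = lookupFacebookUser(sessionKey);
  if (!fb || !accounts.has(fb.uid) || fb.expires <= now) return null;
  // The app token never outlives the Facebook session it was derived from.
  const exp = Math.min(now + MAX_TOKEN_TTL, fb.expires);
  const payload = `${accounts.get(fb.uid)}.${exp}`;
  return `${payload}.${sign(payload)}`;
}

// Returns the local account id for a valid, unexpired token, otherwise null.
function verifyToken(token, now) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [localId, exp, mac] = parts;
  const expected = Buffer.from(sign(`${localId}.${exp}`), "hex");
  const given = Buffer.from(mac, "hex");
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(exp) || Number(exp) <= now) return null;
  return localId;
}

// Constructed sample data: one linked account and a stubbed Facebook lookup.
const demoAccounts = new Map([["1000001", "acct-42"]]);
const demoLookup = (key) =>
  key === "good-session" ? { uid: "1000001", expires: 2000 } : null;

const demoToken = exchangeSession("good-session", demoLookup, demoAccounts, 1000);
console.log(verifyToken(demoToken, 1500)); // local account id while the token is valid
```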