Mobile to Server Authentication

This article builds upon the prior four articles, and demonstrates an end-to-end flow of how to share authentication credentials between Facebook, a mobile app, and a server.

To review, I've demonstrated the following:

  • Facebook authentication within a mobile app
  • Server-based code for sending and receiving data
  • Mobile-based code for communicating with a server
  • Secure communication between a mobile device and a server

So far, the connections to the server have used fake values for the user ID and the token. (The server has ignored these variables too.) I'm now going to implement code that closely examines what's been sent and received. Naturally, this raises the question: How do I know if a request is real or fake? After all, I could simply key in a URL which asserts that my user ID is 'tcrowley'. How can I verify that a request is really coming from user 'tcrowley'?

Authentication is the process of determining that a user is who they claim to be. In the following sections, I'll demonstrate how to verify the authenticity of a user when a request is made from a mobile app to the server.
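To make the problem concrete, here is an added example (not code from this article's series) contrasting a server that takes the user ID in the URL at face value with one that only acts on an identity the token actually vouches for. The identity provider's token check is a constructed in-memory table standing in for a server-side call to the provider (for Facebook that would be its token debugging endpoint); the URL shape, the `user_id` and `token` parameter names, and the token values are assumptions for the example.

```python
"""Added example: never trust a user ID asserted in the request itself;
derive the acting identity from a token the identity provider issued.
The token introspection step is a constructed stand-in, not a real
call to Facebook or any other provider."""
import time
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the provider's token-introspection result.
# Assumption: tokens are opaque strings mapping to (user_id, expires_at).
ISSUED_TOKENS = {
    "tok-abc123": {"user_id": "tcrowley", "expires_at": time.time() + 3600},
    "tok-expired": {"user_id": "tcrowley", "expires_at": time.time() - 1},
}


def introspect_token(token, now=None):
    """Return the user ID the token was issued to, or None if the token is
    unknown or expired. Stands in for asking the identity provider."""
    now = time.time() if now is None else now
    record = ISSUED_TOKENS.get(token)
    if record is None or record["expires_at"] <= now:
        return None
    return record["user_id"]


def _params(url):
    """Extract user_id and token from the query string (first value each)."""
    query = parse_qs(urlparse(url).query)
    return query.get("user_id", [None])[0], query.get("token", [None])[0]


def naive_handler(url):
    """The server as it stands so far in the series: the claimed user ID is
    accepted as-is and the token is ignored, so anyone can 'be' tcrowley."""
    claimed, _token = _params(url)
    return {"ok": True, "acting_as": claimed}


def verified_handler(url):
    """Accept the request only if the token is valid and was issued to the
    user the request claims to be from; otherwise reject with a reason."""
    claimed, token = _params(url)
    if claimed is None or token is None:
        return {"ok": False, "error": "missing user_id or token"}
    owner = introspect_token(token)
    if owner is None:
        return {"ok": False, "error": "invalid or expired token"}
    if owner != claimed:
        return {"ok": False, "error": "token was not issued to claimed user"}
    # Act on the identity the provider vouched for, not on the query string.
    return {"ok": True, "acting_as": owner}


if __name__ == "__main__":
    forged = "https://example.test/api?user_id=tcrowley&token=made-up"
    genuine = "https://example.test/api?user_id=tcrowley&token=tok-abc123"
    print("naive, forged request:   ", naive_handler(forged))
    print("verified, forged request:", verified_handler(forged))
    print("verified, genuine request:", verified_handler(genuine))
```

The key design point is the last line of `verified_handler`: once the token has been checked, the server uses the user ID the provider returned, so a mismatched or missing `user_id` parameter can never widen what the caller may do. Carrying the token in the query string is kept here only to mirror the URL-based calls used so far; in practice it belongs in an `Authorization` header, since query strings tend to end up in server and proxy logs.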