
Social networking login using iOS

I’m writing an iPhone app which works against my own server.

Basically, it’s a forum where users can post. I don’t want users to sign in for an account on my server; I would rather have them log in using any existing account they have: Facebook, LinkedIn, Foursquare, etc.
So from the app itself, I want them to be able to login using their existing account which will then allow them to post on the forum.

My question is: when a user is posting a message, how can I verify whether or not he is logged in with any service? I need to validate it both on the client and server side. I plan on writing the server side using PHP.

Thanks


Answer

See this question for a similar discussion (just limited to Facebook sign on). Here’s a high-level overview of what should happen (taken from that discussion I linked to):

  1. User opens the app on the phone. Chooses a service with which to authenticate.
  2. Authenticates via one of the available services (Facebook, Twitter, foursquare, etc.) and gets some special access token.
  3. Your app takes the token and sends it to your server.
  4. Your server receives the token and validates it. It checks it against the service’s API and (at least for Facebook and Twitter) gets the corresponding user ID.
  5. Assuming a valid ID, your server checks if the user ID has already been used by some user. If so, it logs them in. If the user ID hasn’t been created, your server creates its own user record associated with that user ID and logs the user in. In either case, the user ends up logged in and your server issues a session key to your app.
  6. The session key is used for all further communication between your app and your server until the user logs out.

On the phone, you’re going to want some OAuth library to allow users to authenticate with another service. You’ll probably want to use the Facebook iOS SDK to allow them to use Facebook and use one of the suggested OAuth libraries here for your other authentication services. I have only used the Facebook SDK, so I can’t speak as to the general OAuth libraries.

Once logged in, the phone should not store the access token, only the session key.

Assuming that users can use more than one service to access their account, you will also want some way of connecting two services to the same user (probably by email address).

It’s up to you to decide how your app and your server communicate. I’d go for a JSON+REST API for communications with the server.

User contributions licensed under: CC BY-SA
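
The server side of steps 4 to 6 above, as an added example that is not part of the original answer. It assumes PHP 8; the `SocialLogin` class, the per-provider verifier callables (stand-ins for the call to each service's API) and the in-memory arrays (stand-ins for database tables) are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example: arrays stand in for the users and sessions tables.
final class SocialLogin
{
    private array $users = [];     // "provider:externalId" => local user id
    private array $sessions = [];  // sha256(session key) => local user id
    // $verifiers: provider name => callable(string $token): ?string (hypothetical contract)
    public function __construct(private array $verifiers) {}

    // Steps 4-5: validate the token with the provider, map it to a local user, issue a session key.
    public function login(string $provider, string $accessToken): ?string
    {
        $verify = $this->verifiers[$provider] ?? null;
        if ($verify === null) {
            return null;                       // provider not supported
        }
        $externalId = $verify($accessToken);   // in production: request to the provider's API
        if ($externalId === null || $externalId === '') {
            return null;                       // provider rejected the token
        }
        // Key on provider AND id: the same id string from two services is two different accounts.
        $key = $provider . ':' . $externalId;
        $this->users[$key] ??= count($this->users) + 1;
        // The access token is dropped here; only a random session key goes back to the app,
        // and the server keeps just its hash.
        $sessionKey = bin2hex(random_bytes(32));
        $this->sessions[hash('sha256', $sessionKey)] = $this->users[$key];
        return $sessionKey;
    }

    // Step 6: every later request (such as posting) presents the session key.
    public function userForSession(string $sessionKey): ?int
    {
        return $this->sessions[hash('sha256', $sessionKey)] ?? null;
    }

    public function logout(string $sessionKey): void
    {
        unset($this->sessions[hash('sha256', $sessionKey)]);
    }
}

// Constructed verifier: accepts one made-up token and returns a made-up provider user id.
$auth = new SocialLogin(['facebook' => fn(string $t): ?string => $t === 'constructed-token' ? '1001' : null]);
$key = $auth->login('facebook', 'constructed-token');
var_dump($auth->userForSession($key));              // valid session resolves to the local user
var_dump($auth->login('facebook', 'forged-token')); // rejected token yields no session
$auth->logout($key);
var_dump($auth->userForSession($key));              // session key is dead after logout
```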