Integrating Meteor accounts with a native social login provider

I am trying to integrate Meteor accounts with social logins in a native app (iOS, Android). In my use-case, the native app is a Unity-based app written in C#. But I guess the same applies to any native app that wants to integrate native social logins with a Meteor backend.

My intended flow is as follows:

  • In the native app, the user signs in with a login provider, e.g. “Sign in with Apple”
  • The provider sends back the credentials, once the native auth handshake is finished
  • Now I want to set up a new user in the Meteor backend (or link it to an existing account, using meteor-link-accounts), based on these credentials
  • And then log in this user via DDP, using the credentials

I analyzed the typical OAuth flow Meteor uses in web applications and have noticed that

  • The social provider sends some tokens back to the /_oauth/<service> endpoint
  • The server takes this data to finish the OAuth handshake with the provider. This returns a credential token and a credential secret.
  • Token and secret are sent back to the client as part of the response page inside the popup, as an “end of login response”.

In my native case, I could mimic this behavior by posting the tokens I got from the native handshake to /_oauth/<service> in order to get the user created, but I guess this is not a good idea as the handlers would try to finish an OAuth handshake that hasn’t actually been initiated. Also, for this I would have to parse the HTML returned, to get the credentials, which is kinda ugly.

The other option I can see is to call Accounts.updateOrCreateUserFromExternalService directly, e.g. by calling a Meteor method via DDP and passing all credential info over to the server this way. Is this a “safe” and “recommended” way to create the user? Also, I don’t get a refresh_token or a token expiry date from the native handshake, so I can’t pass it over to updateOrCreateUserFromExternalService. Does this cause problems?

If there are any examples out there where a native social login has been linked to Meteor accounts, I’d be happy to see them.

Shameless bump. Has nobody ever implemented native social logins with Meteor? Can’t believe this is true :) Would love to see any implementation samples.

(I got a working version based on updateOrCreateUserFromExternalService now, but I guess I punched a significant security hole in our app using this approach. The problem is I could not find a practical way to piggyback on the official OAuth process.)
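
Added example, not part of the posts above and not Meteor's own code: when a DDP method feeds Accounts.updateOrCreateUserFromExternalService, the server can verify the provider's signed identity token itself and build serviceData only from the verified claims. It assumes an RS256-signed JWT as issued by Sign in with Apple; `verifyIdentityToken` and `makeDemoToken` are hypothetical names, and the key pair, key id, audience and tokens are constructed.

```javascript
// Added example (not from the thread). Keys, key id and tokens are constructed test data.
const nodeCrypto = require('crypto');

const APPLE_ISSUER = 'https://appleid.apple.com';
const decodePart = (p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));

// Hypothetical helper: returns serviceData built only from verified claims, or throws.
// jwks: the provider's published key set, fetched and cached by the caller.
// audience: the app's own client id (assumption: the native app's bundle id).
function verifyIdentityToken(token, jwks, audience, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = decodePart(parts[0]);
  // Pin the algorithm so the token cannot select "none" or an HMAC variant.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown signing key');
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const signature = Buffer.from(parts[2], 'base64url');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  if (!nodeCrypto.verify('RSA-SHA256', signed, key, signature)) throw new Error('bad signature');
  const claims = decodePart(parts[1]);
  if (claims.iss !== APPLE_ISSUER) throw new Error('wrong issuer');
  if (claims.aud !== audience) throw new Error('token issued for another app');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  if (typeof claims.sub !== 'string' || claims.sub === '') throw new Error('missing subject');
  return { id: claims.sub, email: claims.email };
}
// Inside a server-side Meteor method the result would be passed on, e.g.
//   Accounts.updateOrCreateUserFromExternalService('apple', verifyIdentityToken(...));
// ('apple' as the service name is an assumption).

// Constructed stand-in for the provider: a throwaway key pair and a token signer.
const demoKeys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoJwks = { keys: [{ ...demoKeys.publicKey.export({ format: 'jwk' }), kid: 'demo-key' }] };
function makeDemoToken(claims, header = { alg: 'RS256', kid: 'demo-key' }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const body = `${enc(header)}.${enc(claims)}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(body), demoKeys.privateKey);
  return `${body}.${sig.toString('base64url')}`;
}
```

With this shape the method accepts only the raw token from the client; the user id and email that reach the accounts system come from the verified payload, not from method arguments.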