Understanding user authentication and 5.1.1 (ii)?

Hi

I'm creating my first app and need to implement a user/auth model. I need some help understanding 5.1.1 of the guidelines so I minimize the time I waste implementing different solutions. I've googled / read Apple forums a bit on this and I'm not sure what is OK, and what isn't.


I originally wanted to just use Facebook for login, as the only thing I will need is a unique userID (e.g. .public_profile permission only) and some authentication. I did not want to roll my own security since 1) no need to invent it again; there are so many other places that I can use for user auth (OAuth, Facebook, Google+ etc.), 2) most likely my own implementation would be less secure, and 3) yet _another_ password?!


However, it seems that Apple does not allow you to use social platforms for authentication alone, as per the guidelines section 5.1.1 (ii). And from how I read 5.1.1 (ii), OAuth wouldn't be allowed either, since I need to use one or more providers (i.e. social networks), and then we are essentially back to not being allowed to use social networks just for auth.


Just to be clear on the need for a user account: The service I've made allows a sports club to create events on a website (here the creator and club-responsible log in with Facebook) and invite members to events. The app then allows the sports club's members to confirm or decline going to the event from their phone (they could do it via the website as well). Very simple, but it makes no sense without a user account. For instance, the sports club needs to have 'members' which are users in order to invite 'members' to their events. A person's confirm/decline response is personal and therefore requires some auth, so that people can't answer on other people's behalf. So regarding the first part of 5.1.1 (ii): "If your app doesn’t include significant account-based features, let people use it without a log-in.", I cannot see how the app would make sense without user login, so on this part it should be okay.


The user login is also needed for the REST backend's security: Requests from the app need to be authenticated and authorized by the REST API. There are no social network (Facebook) specific features.


Questions:

1) Am I correct in assuming that it will be OK to require user login?

2) Is it correct that OAuth (e.g. https://github.com/OAuthSwift/OAuthSwift) is not allowed?

3) I can't seem to find any good libs for doing user signup/login. Can you recommend any, or is the standard recommendation to roll your own?


Frameworks such as Stormpath (https://stormpath.com/) look very nice, but their pricing is too high for my hobby app, unfortunately.


Thank you
