My team has a web app where we post periodically on behalf our customers businesses who link their facebook accounts on our website. They authenticate on our website, and give us access to certain permissions after authentication.
This has proved painful for some customers as they seem to have their facebook accounts invalidated constantly. Is there another way for us to have access to posting to a users facebook business account that maybe isn't so brittle, or is there some manner we could protect ourselves from constantly losing access to the accounts because the user has done something as common as changing their password?
Related
I see Mailchimp has a feature to create facebook campaigns through its UI and I can't understand how they just need to have access to one of my pages to create ads for it.
As far as I understand you need to be a business manager administrator to claim a page as agency with the ADVERTISER role (cf. https://developers.facebook.com/docs/marketing-api/businessmanager/assets#pages) but
If the user who makes an AGENCY claim call does not have the proper permissions on the Page, the response will be PENDING. The Admin for that Page may login and grant the access, deny it, or even report the claim as a spam.
So how come Mailchimp doesn't require this validation?
So there is another way which doesn't involve business manager directly: adding a system user as advertiser.
Assigning permissions to a page from the API requires special permissions. Please reach out to your Facebook rep if you require this feature.
My team is still in the process to “reach a facebook rep” (it's been two weeks already…) but once this will be done a simple POST to <PAGE_ID>/roles with
admin_id: system user ID
role: Advertiser
should allow to create ads for pages using the system user access token.
Turns out facebook desn't want you to use the features they advertise, so there's in fact no solution.
Update: It appears that when there's no API or token, software seems to simply ask the user for their account credentials, and probably has to store this information. I guess it can't be a huge security risk, since people are willing to share this information with apps like Mint:
So, my conclusion is that it is OK to ask users for credentials to other services if they can be secured safely and the user desires the service provided.
Many, many apps use others apps such as Facebook in order to get data from it, usually to verify the user is real and to get relevant profile data (e.g. a dating app would want age, gender, etc.).
When using such an app, I do not have to enter in my Facebook credentials. The app simply opens up my Facebook/asks for permission to access it, and voila it's done.
There seems to be a lot of documentation for well known companies like Facebook, Twitter, and PayPal on how to do this.
But how is it done for an arbitrary website that requires a user/profile, e.g. this website: http://ae.com/web/index.jsp
Unsurprisingly, if I google for FaceBook, there's a heap of resources, and even it's own dedicated tag (https://developers.facebook.com/docs/facebook-login/access-tokens).
However, if I start googling for American Eagle, e.g. "https://www.google.com/search?client=safari&rls=en&q=american+eagle+access+token&ie=UTF-8&oe=UTF-8", I get nothing relevant at all.
If I understand your question right, that you want to enable facebook login for your website,
you still need to create a facebook app. then use the access tokens in your website. so when user clicks on login with facebook, the app will be asking for permissions and finally you will get the access token and you can use that in your site to log in.
Our application runs multiple sites for multiple customers. One service we offer is to write and post social media for our customers. We also allow the customers to do posts themselves through the application admin.
In order to facilitate the non-automated posts for customers, one of our users has access to the pages of many customers through her Facebook login.
The problem comes if she uses our application to generate an auth token through the admin area of the customer's site.
The application sends its own appID and secret key to Facebook, and the user receives the Facebook login page.
However, she used to be able to choose which page/customer she wished to log in to. Now, once the login data is submitted, Facebook immediately sends a token back to the "return URL." There's no opportunity to choose which Facebook page the auth is for.
The token appears to be linked to the user's "main" page (which is a page of ours).
Obviously, we need to be able to say "I'm logging in to Facebook page X of the many pages I'm authorized for."
Just to be clear: this is not an issue regarding authorization for our application in general. It's the specific case when the Facebook login is attached to multiple pages.
Can anyone give me some advice, please, even if it's just a link to an appropriate spot in the API docs? I've had no luck searching them.
Thanks,
Tom
Edit: First, to the question about "multiple domains": perhaps I shouldn't have put that in the title, since it's not relevant to Facebook per sé,
We host many clients who obviously have many domains. They administer their site content through a CMS which can, among other things, work with Facebook. A client often has a Facebook page; so for us at least, there is often a one-to-one correspondence between a client's site/domain and her/his Facebook page.
When someone goes through the process in question, s/he is administering the site, but may be attempting to post to a Facebook page. And one of our in-house admins has access to many clients' Facebook pages.
So let me rephrase: the admin logs in to a client's site. She attempts to authorize our application to post to that client's page. Our application sends its id/key data to Facebook, and she is taken to the login page.
The question is, how do we let Facebook know that we are seeking authorization to post to one of the many accounts/pages she can access?
Thanks for the help.
As pointed out by CBroe in the comment, if you want to post as a page, you need to have a page access token of the page that you admin. Once you have granted manage_pages permission to the app, you can call the /me/accounts edge to get the list of all pages that you admin and their access tokens.
You can then use the page access token of the page to post on behalf of the page. Note: You will need publish_pages permission in addition to be able to post on behalf of the page. Permissions are documented here.
Am I allowed to create an app that only invited people can join?
Or do all apps have to be open to everyone?
You can have a white list for people who are allowed to use your app in your database and ignore any request for other people.
EDIT:
As per the question in the comment section, I will give you more details. I have not quite done exactly this, but I can guarantee you this is possible. I have a website, linked to Facebook and people can log in to the site using Facebook. In my database I am storing the Facebook ID and the Facebook user access token. When a user clicks on the login with Facebook, his Facebook user access token is checked against the database. If the Facebook user access token (which works like a temporary password) expires, it is renewed. However, people are identified by their Facebook ID. I could easily have a white list for Facebook IDs and allow access only for people whose Facebook ID can be found in the database. My project strategy is to get as many users as possible, but I could easily modify this to restrict access for not verified people. Your problem with consistent login probably lies in the fact that the Facebook user access token expires in a few hours. However, that problem is solvable:
if the user has modified his Facebook password, or has not connected to the app, then he will be asked by Facebook for permissions
if the user is no longer logged in, then he will have to log in
if the user's Facebook user access token has expired, then you should generate a new Facebook user access token
finally, you can generate long-term Facebook user access tokens, which last for months.
Read the documentation for details, but keep in mind that things might have been changed at Facebook since the documentation was written, therefore you should not believe everything written there, but should rather test the validity of the most important statements.
If you have a web application that will allow the users to opt-in to sharing their activity on Facebook and Twitter I'm wondering what is the right way to architect that social authentication into your application (and what is inline with Facebook and Twitter policies) so that you can tweet and post on your wall.
Do you store the users username and password in your database?
And then call the social APIs with these credentials. From what I have learned so far both these APIs make you do an OAuth redirect thing. Is their a way to do that without the dialog interaction since you now have stored the username and password anyways.
Not sure if this is an issue, but do you have to do two OAuth handshakes one right after the next to post to Facebook and then Twitter for those users that want to share on both.
And would you have to do this each and every time the user shares something?
I just launched TweetDeck and I wasn't required to get redirected through some exchange with Twitter. Confused.
Just need some help and guidance with "how most people do it" for web-based applications.
The less prompting and less redirects the better.
I don't think storing the username and password would be a good way to go since I think most users would object to you keeping thiere usernames and passwords on file. I have not done any work with Twitter, but on Facebook you need to create an App and then ask the user to grant your app rights. These rights require the user to be loged in to Facebook in order to work, unless you request the offline_access permmission. From my experience, the fewer permmissions you request, the more users will be willing to grant you these permmissions. My approach is to always request the minimal permmissions I need to get the App to work. After granting your App permmissions, you need to get an OAuth token each time you want to interact with the user's Facebook account. (These tokens are good for about 60 minutes, as far as I remember) Storing these tokens will not help, since they expire. Hope this points you in the right direction.