ASP.Net Core Web API Authentication with Facebook - facebook

I have a Web API developed with ASP.Net Core. I also have a client app developed with Next.js and it uses NextAuth.js to handle the authentication.
In the UI, when a user is authenticated, I have access to the access token from Facebook.
My question is how can I use this access token to authenticate the requests sent to the back-end API.
This is the back-end code used to register the Facebook authentication scheme (it is all standard):
builder.Services.AddAuthentication()
.AddFacebook(
facebookOptions =>
{
facebookOptions.AppId = "<my_app_id>";
facebookOptions.AppSecret = "<my_app_secret>";
});
I want to construct a Postman request that can authenticate my user using a specific access token but I do not know where to put this access token and whether this is possible at all.
Just sending the request like this (without any modifications) results in visualizing the Facebook login page.

Your Asp.NetCore project integrates Facebook login. After logging in, the token you get can only access protected resources in the current project, such as: [Authorize].
If you want to access Facebook's resources, you need to write your own code to get the token and then access the resources.
1. How to Get Facebook Access Token in a couple of minutes: 2020 guide
2. How to get current user access token from Facebook SDK in C#? Not the App access token
After you get facebook access_token, then you can access Facebook's resources.

Related

How to implement external login to identity backend from Xamarin

I have a website using ASP.NET Core, which uses MS Identity and external login from Facebook.
I have a Xamarin app that logs to this backend via login/password using Xamarin.Auth. I am wondering which is the best way to allow external login to Facebook from the app?
Should I create a separate Facebook app for Android or should I use the same as the website?
What would be the flow?
I am thinking of something like:
Using the Facebook sdk to log in
Pass the token to the server
Check from server side if the email exists or the FB user id exists
If yes check whether the app is registered using Facebook and if yes login
If no create an account
But until now I haven't stored the user's Facebook Id (only the email, that the user can also modify).
Xamarin.Auth is client library and currently has no server side implementations.
So, your server is Protected Resource and Facebook will be Authorisation Server. After you obtain your tokens (access_token and refresh_token) you would try to access Protected Resource presenting access_token as a credential. Protected Resource will perform token introspection (this could be separate service-server) which will decode the token, lookup username (mail) and check expiration of the token.
This is not specified in draft (RFC) so check how FB does token introspection.
Few links for more info:
How to validate an OAuth 2.0 access token for a resource server?
http://blog.api-security.org/2014/10/oauth-20-token-introspection-profile.html
https://www.quora.com/In-OAuth-2-0-how-do-resource-servers-assert-a-token-issued-by-an-authorization-server
https://connect2id.com/products/server/docs/api/token-introspection
https://leastprivilege.com/2015/12/27/oauth-2-0-token-introspection-middleware-for-asp-net-5/

Generate Page / User access token for Facebook API without redirecting

I am trying to use Facebook Rest API in my application . I wanted to generate authentication token and using that generate page access token which can be used to post on page.
When I was going through the authentication process I found that all authentication flow uses redirection to main Facebook application. I want to have an authentication flow in which I don’t have to redirect to generate authentication toke and page token. Is there any way to do this.

obtain facebook page access token from server

I need to obtain a facebook page access token on the server.
From what I've read to obtain a page access token you must first obtain a user access token with the manage_pages permission then make a separate call to "me/accounts" to get the page access token.
The problem with this is the application I'm developing will automatically be publishing content to a Facebook page from the server. That being said obtaining the user access token from the backend is a problem.
Ideally I would like to programmaticly obtain the user access token then the page access token completely on the backend for the ability to automatically publish content to the page.
Any suggestions on how this can be done from the server side?
Thanks
It is not possible to get page access_token without authentication of user and manage_pages permissions granting.
Authenticating as a Page guide states:
First you need to authenticate a User, and obtain a User Access Token. To do this, please follow the server-side or client-side auth flows for the mobile web and desktop web, or the native iOS or native Android authentication flows.
Refer to Authentication documentation and Authenticating as a Page guide for details.

Facebook access_token for my application is not working while access_token of graph API is working

there is a problem with my access token. I have made my own application, and I took the permission from the facebook user, who is me. And also I have given the same permissions to the facebook graph api. However when I can easily get the results using FQL with graph api access token, but I cannot get the result with my own application access token. What is the problem with my access token.
It is not user access token. Maybe this can be problem however also graph api is not also user access token.
Per the error message you need to use a user access token retrieved via the Authentication flow - you cannot use an app access token for this.
You mentioned in the comments you're successfully using an access token from the Graph API Explorer tool - this is also a user access token which the tool retrieves using the client-side oauth flow. This is not the same as using an app access token for your own app.

c# facebook access token

I receive an access token when a client allows my application on his facebook account. Based on that access token and an url I can print all his friends. I have a question: does this access token appears all the time the user logs in his application? i am asking this because the second time the user logs in in my application where i have a web browser the friend list doesn't pop up because the response from the site does not contain an access token anymore. where am i wrong? how can i check after the user accepts my app that he is online or loged in - if i want to prints his friends.
First thing: sounds like you want to add the scope offline_access because what you are trying to do is really leveraging the FB authentication mechanism.
Also: It is probably easiest to use the FB Connect button and the JavaScript Client API, unless you intend on using the graph or REST API from a back-end server.
If you ARE intending to use back-end API integration read this paragraph:
I have found it helps to ensure that you are using a proper authenticate URL (I use www.facebook.com/dialog/oauth but others have worked in the past..). Just don't use an authorize only URL, or users will be forced to grant permissions repeatedly (never really understood that 'feature'). Next redirect the user to the URL with a request token, and keep your request secret on the server side (or well encrypted if on the client side). After login, you receive the callback with an OAuth Verifier. Access verification URL graph.facebook.com/oauth/access_token with the Verifier and you will receive the OAuth Access Token. Save that token, as well as the user id.
As for checking that the current user is logged in, and/or has authorized your app and/or has friends using your app:
Have a look at FB Connect API:
http://developers.facebook.com/docs/guides/web/#login
call FB.init first, and then when you call FB.getLoginStatus, you will get an OAuth Token if the current user is logged in to FB and has previously authorized your app (either via the Connect Button or OAuth flow):
$wnd.FB.getLoginStatus(function(response) {
if (response.session)
var authToken = encodeURIComponent(response.session.access_token);
});
When executed in conjunction with the authenticate flow mentioned, users that have already authorized your application will get the same OAuth Access Token returned from previous calls, that you can use with the JS Client, Graph, or REST APIs.