Facebook Token Renewal - facebook

My team have developed an App, in which we are using the Facebook Authentication Tokens to retrieve the data from Facebook and then display it on our App, and it is working fine.
The problem which I am facing is that if the Password of the Facebook Account is changed then the API Token also becomes useless, which is an obvious thing.
But is it possible that when a user updates his/her Facebook Account Credentials then the API Token also gets updated? i.e. I don't want to go through the Token Generation Process every time the password is changed.

No, that is not possible.
When the user changes their password, all their existing tokens get invalidated on purpose.
They will have to go through the login flow again, to create a new token.

Related

xamarin Auth for facebook authentication scenarios

I am developing an application using Xamarin. Here I am using the Xamarin Auth component for Facebook authentication. I am able to log in and get the user's info and able to save it in a local DB. The Xamarin Auth component has provided an option for storing the account object so that when the user relaunches the app, we can use that account object to log in.
Here comes my question: If the user changes the password on the Facebook account from the site, then what should be done when the app is relaunching, as the stored account is local and we can't use that info to log in again?
Thanks.
Any suggestions are appreciated.
Actually you are supposed to use the access_token for subsequent queries towards Facebook after the first successful authentication. With OAuth, you won't store password in your app. I would expect that when a user changes the password within Facebook, the old access_token might expire. In this case, you'll have to make the user manually re-login. This is the case anyhow when your access_token expires for any reason; keep in mind that all access_tokens expire after some time.
You can easily verify if the access_token is still valid by sending some basic request in the background. If you get an autherror response, just prompt the user to login again when it makes sense in the flow of your app.

Facebook Access Token Invalidation Upon Password Change And How Pinterest gets new access token

I want to know how Pinterest and other sites maintain their session and access Facebook APIs even after the user changes his/her Facebook password, since as far as I know Facebook invalidates the access token issued once the user changes his/her password.
Please help :)
Not sure on the exact implementation Pinterest uses, but if a user changes their password, the OAuth token will be invalidated and you MUST have the user re-login. This is a security feature so, for example, in the event of a hacked account, the user can change his/her password and all tokens will be invalidated (imagine what would happen if this wasn't the case... Your account gets hacked, they authorise their own scam app to have full access to your account, you reset your password... oh, they still have full access to your account as they have an OAuth token).
On this page you can see what error is produced in the event of a password change, and your app must detect this and handle it.

Posting to Facebook on behalf of the user: how to handle token expiration?

I'm implementing a connect with Facebook/Twitter/... functionality on a website. The idea is that once a user connects his account with the external services our website could post messages on behalf of the user.
With Twitter there is no problem as the OAuth access_token doesn't expire. But with FB it does expire every two months, when the user logs out, changes password or explicitly deauthorizes the app.
How should I handle the token expiration? For me it would be ideal if I could refresh the token automatically without bothering the user, but unless I've missed something it seems there isn't any way of doing this. So, right now I've two ideas:
The less awkward way: every time the user logs in to the website, check if the tokens have expired and notify the user that she has to reauthorize the app.
The more awkward way: every time the "post to social networks" event triggers in our website, check if the tokens have expired and ask the user to reauthorize.
The first option would be easier to implement and cleaner to the user.
So, how are you handling these situations?
Thanks!
I think that I'll try the first option:
User logs in
The server checks if the user already has a Facebook token, if so:
Check if it's still a valid token. http://developers.facebook.com/docs/howtos/login/debugging-access-tokens/
If the token expired NOT because the user deauthorized the app BUT because of the other cases, we redirect the user to the OAuth endpoint.
I'll give it a try and update this answer if there is more to it.
If the user is actually interacting with your website, you should be getting a fresh access_token (read below). If you perform offline tasks related to the user using the Facebook API then you should be storing the access_token and their expiry dates. Then you need to handle expired access tokens and ask the user to interact with your app again and update your records.
You should refer to this document. Also you should be reading the Extending Access Tokens document:
Step 2. Refreshing Long-lived User Access Tokens
At any point, you can generate a new long-lived token by repeating the
original auth flow, obtaining a new short-lived token and then
performing the same exchange as above. In some cases, this newer
long-lived token can be identical to the previous one, but we do not
guarantee this will be true and your app shouldn't depend upon it.
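
The checks the answers above describe (probe the token, tell a password change or expiry apart from a deauthorization, keep expiry dates for offline jobs) can be written as one decision function. This is an added example, not code from any of the posters; the error code 190 and its subcodes are taken from Facebook's Graph API error reference rather than from this page, and the function names, action strings and sample bodies are constructed for illustration.

```python
import json
import time

OAUTH_EXCEPTION = 190  # Graph API error code for access-token problems
SUBCODE_ACTION = {
    458: "deauthorized",    # app not installed: the user removed the app
    460: "reauthenticate",  # password changed: token invalidated on purpose
    463: "reauthenticate",  # token expired
    467: "reauthenticate",  # token invalid, e.g. after logout
}

def classify_graph_error(body):
    """Map a Graph API response body (JSON text) to an action for the app."""
    try:
        err = json.loads(body).get("error") or {}
        code, subcode = err.get("code"), err.get("error_subcode")
    except (ValueError, AttributeError):
        return "retry_later"          # not the expected JSON: keep the token
    if not err:
        return "ok"
    if code != OAUTH_EXCEPTION:
        return "retry_later"          # rate limit or outage, not a token fault
    return SUBCODE_ACTION.get(subcode, "reauthenticate")

def token_action(stored_expiry, probe_body, now=None, skew=300):
    """Decide what an offline job does with a stored token before using it."""
    now = time.time() if now is None else now
    if stored_expiry is not None and stored_expiry - skew <= now:
        return "reauthenticate"       # already expired by our own records
    return classify_graph_error(probe_body)

def sample_error(code, subcode=None):
    # Constructed bodies in the Graph API error shape, not captured traffic.
    err = {"message": "constructed sample", "type": "OAuthException", "code": code}
    if subcode is not None:
        err["error_subcode"] = subcode
    return json.dumps({"error": err})

PASSWORD_CHANGED = sample_error(190, 460)
APP_REMOVED = sample_error(190, 458)
RATE_LIMITED = sample_error(4)
PROFILE_OK = json.dumps({"id": "0000000000", "name": "Constructed User"})

if __name__ == "__main__":
    for body in (PROFILE_OK, PASSWORD_CHANGED, APP_REMOVED, RATE_LIMITED):
        print(classify_graph_error(body))
```

Only "reauthenticate" should send the user back through the OAuth redirect; "deauthorized" means the stored token should be deleted and consent requested from scratch, and "retry_later" must not discard a token that may still be valid.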

Facebook login authentication

Currently I have an option in my web page such that, on clicking a button, the Facebook login authentication dialog will be popped up as explained in http://developers.facebook.com/docs/authentication/#server-side-flow. I am using the JavaScript SDK (FB.api) for this.
So on the user's successful authentication and app authorization, I will retrieve an ACCESS TOKEN for that particular user from the response. To avoid token expiration, I am using OFFLINE_ACCESS. Finally the token is saved in my local database and a cron job will use this token periodically to read users' Facebook data.
My problem is, as Facebook is going to deprecate offline_access, is there any other way to have a unique ACCESS TOKEN for a user (without expiration time), such that the users will approve my app once and the cron job will use their token to read data on a regular basis?
From this link: http://developers.facebook.com/roadmap/offline-access-removal I found that we can only extend the token expiration time.
Can anyone please suggest a solution for this?

How do you renew an expired Facebook access token?

I am working from this reference, and trying to implement the OAuth protocol to allow users to log into my site via Facebook. However, Facebook's documentation is pretty terrible and it is unclear in a few key parts.
It says that authorization takes three steps:
User authentication (redirect the user to https://facebook.com/dialog/oauth?client_id=...&redirect_uri=..., and expect the redirect_uri page to be called back with a code). Works great!
App authorization (handled by Facebook, etc). Works great!
App authentication (On the callback page, grab the code you get and call https://graph.facebook.com/oauth/access_token?client_id=...&redirect_uri=...&client_secret=...&code=.... The body of the response will include an access_token we need to do stuff)
I understand that with the access_token, I can call the APIs and such. But, what happens when it expires? I could get a new one, but by this point it will be many HTTP requests later, and I no longer have the code I used to get it in the first place. Do I have to store the code along side the access_token? Or, do I have to tell the user to log in again so I get a new code to get a new access_token?
Or, am I missing a key part here? I don't need an offline_access token, as I will only be polling data in response to user actions.
When the access_token expires, the user will be seen as "logged out" by Facebook. Your app will go through the same process as the first time, but the user may not.
If the user hasn't revoked access to your app, and the user is logged into Facebook at the time, the App Authorization process will take care of itself, with no actions required by the user, and you will receive a new access_token.
If the user hasn't revoked access to your app, but isn't logged into Facebook, they will be presented with a Facebook login at the App Authorization step. They won't be asked to give your app permission again, as Facebook knows that your app id is authorized by that user.
Finally, if the user has revoked access, then they will be presented with the original request for App Authorization, and you'll follow the original flow.
Essentially, you should consider the access_token as volatile, and not bother storing it, but using the access_token you receive as part of the user login process, which is happening behind the scenes all the time, and only involving the user when they log out of Facebook or revoke access to your application.
This is different than Twitter's OAuth with which you can store and re-use it.
From the Facebook documentation linked in your question:
Once the token expires, you will need to re-run the steps above to
generate a new code and access_token, although if the user has already
authorized your app, they will not be prompted to do so again.
When the access_token expires you will need to get a new one by going back through the same steps. The user will have to log in again and you will have to get a new code and in turn, a new access_token.
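
Re-running the flow after expiry means issuing a fresh redirect and exchanging the fresh `code`, so the old `code` never needs to be stored. The sketch below is an added example, not code from the question or the answers: it uses the two endpoints quoted in the question, adds the standard OAuth 2.0 `state` parameter (not mentioned on this page) to tie the callback to the session that started it, and assumes `session` is a dict-like server-side session object.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

DIALOG_URL = "https://facebook.com/dialog/oauth"             # from the question
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"  # from the question

def begin_login(session, client_id, redirect_uri):
    """Step 1: return the URL to redirect the browser to."""
    session["oauth_state"] = secrets.token_urlsafe(32)  # per attempt, unguessable
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "state": session["oauth_state"]})
    return f"{DIALOG_URL}?{query}"

def finish_login(session, callback_url, client_id, client_secret, redirect_uri):
    """Step 3: validate the callback, return (url, params) for the token call."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)          # single use
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    if "code" not in query:
        raise ValueError("no code in callback: user declined or an error occurred")
    # The exchange is made server to server; the secret never reaches the browser.
    return TOKEN_URL, {"client_id": client_id, "redirect_uri": redirect_uri,
                       "client_secret": client_secret, "code": query["code"][0]}
```

Call `begin_login` whenever a token is missing or rejected, and `finish_login` in the `redirect_uri` handler; a replayed or forged callback raises instead of producing a token request.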