My partner and I are having an issue when we use Facebook to log in to Cognito.
When we use a Facebook account that is NOT a developer, the login flow works without issue.
However, when he or I log in, we see the error message below.
Invalid Scopes: openid. This message is only shown to developers. Users of your app will ignore these permissions if present. Please read the documentation for valid permissions at: https://developers.facebook.com/docs/facebook-login/permissions
We have the following scopes set up in Cognito:
OAuth 2.0
Allowed OAuth Flows
Authorization code grant
Implicit grant
Allowed OAuth Scopes
phone
email
openid
aws.cognito.signin.user.admin
profile
NOTE: This only happens for developers specified in the Facebook Developer portal. It does not affect end users.
Any ideas what might be causing this issue?
Did openid get deprecated and replaced by something? If I remove openid from the scope, I no longer can get the IdToken from Cognito.
According to AWS documentation The Facebook scopes and attributes may vary with each API version, so we recommend testing your integration. (found in https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-federation-with-social-idp.html). So maybe you can check according to the api version of Facebook that you are using. In the case that you want openId (that is not the default scope for Facebook ) then, according to https://developers.facebook.com/docs/permissions/reference/ you should ask specifically for it as per this sentence If you ask for permissions other than the default profile fields, email, or pages_show_list, you must submit your app for app review so Facebook can confirm that the app uses the data in intended ways and safeguards user privacy.
Related
Facebook recently released a step-by-step documentation for using a GrapAPI to manage Instagram messages. To obtain the access token to use it, it's necessary to create an application in the developer center, enable login via Facebook and include the permissions "instagram_basic", "instagram_manage_messages" and "pages_manage_metadata" but to activate these options it's necessary to submit various information for approval as statement of how the integration works and descriptions of the usage flow. I don't have access to this information because I can't develop an integration without it being approved.
It's not possible to use the provided test user as the pages raised by him cannot be linked to Instagram accounts.
Tutorial followed: https://developers.facebook.com/docs/messenger-platform/instagram/get-started
Someone with some experience with the Facebook API could give me a light on how to obtain the token with access required and proceed the tests?
I have done the tutorial as well, I faced the same problem. To enable instagram_basic, instagram_manage_messages and pages_manage_metadata without app review you need to create a test-app. For test apps all permissions are granted without review.
Instructions on how to create a test-app
Another usefull tipp: If you are wondering why you need to implement facebook login to access the instagram messaging api, the logic is the following: You need to implement login to then use your own implementation to logg in your own account and obtain the page access key that will let you do api calls to the instagram messaging api. This process is obviously overkill and instagram is working on a way of getting that access token through the developer dashboard.
For now to obtain that access token you need:
implement facebook login as a simple html website and console log the response. Be sure to add the required permissions to the data-scope attribute of the facebook login button:
<div
class="fb-login-button"
data-scope="public_profile,email,instagram_basic,instagram_manage_messages,pages_manage_metadata,pages_messaging"
></div>
deploy to a website that has https enabled (logging in from
localhost will only work if you use a tunelling service like ngrok).
Open your website that has facebook login implemented and logg in with your facebook account that is also linked to the target instagram account and also is admin of your test-app.
get the access token from the response to call the other API endpoints.
I went through the documentation of smartsheet api third party authentication.
Steps are :
1. Register into developer tool.
2. Create an app.
3. note down client id.
4. From the application code call "authorize" api with client id.
5. smart sheet will redirect to consent page.
Now here I am confused. as to the API we will be called using Application's client id, how it is related to user who is access my web application. Because the app which I created in developer tool has access, api will works. Doesn't matter who is logged into my web application and has access to work sheet or not.
How smartsheet will know which user is trying to access the sheets because in the API we are just passing Developer App client id.
Or How Developer App can access logged in user's sheet.
Am I missing something?
The consent page will urge the user to login the system if the user has not logged in the system yet. Then, the system will ask the user whether he grants permissions to the client application or not. If permissions are granted, the system will issue a token which denotes "The user has granted the permissions to the client application". This is a basic concept of OAuth. Please read "The Simplest Guide to OAuth 2.0".
I recommend reading this section of the documentation: https://smartsheet-platform.github.io/api-docs/#third-party-app-development
Essentially, your application grants user access-scopes on a per-user basis. Your app needs a developer account. Your users need some kind of Smartsheet plan. Does that help?
I have deployed my app in Beta release, but AoG review team denied it and identify these two issues:
During our review we found out that the OAuth URL is not belong to the owner of the app. Please make sure the OAuth URL is owned by the internal party.
Your provided testing instructions either did not work correctly or were not substantial enough. Please ensure that you are providing everything needed for us to test your app, and that all credentials you provide work correctly.
For Issue#1:
For Account Linking, I am using "OAuth and Google Sign In" and "Authorization code" as a Linking Type and it works fine and successfully provide Access Token.
below is the attachment of the snapshot of the "client Information"
For Issue#2:
What credentials they need for testing, because I simply authenticate the user from Google by their Gmail account, it works fine for both Draft and Alpha version.
Please help me to resolve these issues.
Thanks,
If you are using any of the Account Linking types that include "OAuth", then you are expected to provide an OAuth server that is under your control. By definition, Google Accounts are not under your control. The Authorization and Token URLs that you provide should be the server that you control.
If you do not have another OAuth server, then you should be able to just be able to use the "Google Sign In" method, which will not require you to add the Auth or Token URLs or require additional credentials.
Recently I've been doing some research into OAuth and OpenID/OpenId Connect and it's all just left me confused as to what is best to use and what is safe.
Originally I thought you could just use OAuth2.0 to log a user in (using their ID as a way of remembering the user) but then I found out that due to how the spec of OAuth 2 works, hijacking tokens would allow a malicious user to impersonate another person. Which is why it's stated that you shouldn't use OAuth 2 as authorization.
But then I have been reading that providers as such as google and facebook have decided to go away a little from the standard and ensure that such attacks are not possible. So my question, what OAuth providers are safe to use to gather a users ID to be used to log them into my service.
Also, facebook is offering another service called facebook login. From what I can tell it's OAuth but without the impersonation issue (obviously) AND the app creator cannot do other OAuth features as such as posting on behalf of the user without getting their app reviewed by facebook. Why would I use facebook login over OAuth which gives me all those permissions without review?
Thanks a heap everone
As described in the Facebook Auth guide, I'm able to make (most) old REST API calls with OAuth tokens
i.e.
http://api.facebook.com/restserver.php?
method=friends.get&
app_id=...&
v=1.0&
call_id=...&
sig=...
becomes
https://api.facebook.com/restserver.php?
method=friends.get&
token=...
This does NOT work with the method "admin.setAppProperties". I get an "Application does not have permission for this action" error. The OAuth token I have though, has granted every available permission including offline access to my app, however. Any clue whats going on? Facebook docs and forums are characteristically mum.
In case you haven't managed to fix it yet, I've found the problem with their documentation:
the parameter name for the access token is wrong: it is "access_token" and not "token"
https://api.facebook.com/restserver.php?
method=friends.get&
access_token=...