I want to provide the ability for my users to log-in to my app using OAuth providers like Google, Facebook, etc. For those purposes, I've built a unified OAuth login system that involves my server, based on instructions like this: Manually Build a Login Flow. From my users' accounts, I need only default permissions plus e-mail, with those permissions I've publish my Facebook app, and review was not required.
Today I've received a message from Facebook where I was asked to specify my Facebook app platforms, and this is where the problems begin. All provided but Facebook platform templates are not quite suitable for me:
currently, I'm using my system on the mobile app, but it is pointless to specify my package ID or provide some hashes because the app is not using Facebook SDK and those data will never be, received by Facebook
also, it is not correct to give the Facebook just my website URL it doesn't use Facebook login buttons or so, for log-in process communicates only mobile app and back-end
So, here my question.
Which platform I need to specify in my Facebook App if I've used instruction Manually Build a Login Flow to build my log-in flow.
Any ideas? May be someone have experience with this?
P.S. my app built on Flutter.
Related
I am building a simple Facebook app to connect the backend of a project to Facebook Messenger.
I am trying to send my app for review but it requires me to send a platform for the reviewer to test my app on.
the only place to interact with the app is the test Facebook page i created but i cannot add Facebook urls to the platform. What am I doing wrong here or what am I supposed to do?
I am building a simple Facebook app to connect the backend of a project to Facebook Messenger.
If you don’t have any end-user facing frontend, this would be considered a “server-to-server” app.
The documentation has specific instructions on how to submit those: https://developers.facebook.com/docs/apps/server-to-server-apps
Platform
Platform refers to the platform that your app users use to interact with your app. Since your app does not have an interface and your users don't interact with it directly, set this to Website and provide the URL to your company's website.
(Make sure to properly describe the purpose of your app and how it works, so that the reviewer does not try to go to that URL and look for a login button there.)
I currently run a web application that has its own native registration and login system.
Now I would like to add Facebook login to my site, and integrate it with my native registration system. Like check the email returned from Facebook, and add the user to the database with a flag indicating he is a Facebook user, and then just authenticate the user.
While I have some idea of how to implement the system, I would like inputs on whether I should use the Facebook SDK for JavaScript, or the server-side SDK. I see that Facebook recommends the JavaScript SDK for WebApps. However in case of integrating with a native system, will it be the ideal choice? I believe the JavaScript SDK would work good when the login is purely Facebook, and is meant for simple authentication-required views.
Can someone who has worked with Facebook login help with this decision?
You are right integrating Facebook Javascript SDK will not be a good choice for Native log-in system as in any case you will have to pass some input(userid) to your server side program like facebook ID/email id to synchronize the user with your native system, from javascript. Which will be a 3 way channel > Facebook - JS(user browser) - Your Server, this makes it less secure as someone with user id can ping your server and it will log the user in.
I was also working on same scenario where I need to enable users to login with Facebook as an option. However a native login system was deeply integrated with the application. So I used PHP SDK inspite of JS SDK.
I have a website which allows login via facebook functionality and displays photos from facebook.
While accessing from a mobile browser I would like the website to automatically login(when the click on FB login button, without entering username and password) if the user is already logged in via the native FB application (iOS or andriod). It seems to be that I can do that by building a native iOS or android application and use facebook single sign on feature. Is it possible to do that without having the user install anything on their mobile device?
That is not possible.
Auto-Login relies on auth tokens that will be granted to a website or mobile app after a user approves an app. For security reasons, those tokens are tight to the cause they were issued for. Particularly, web tokens and mobile tokens are not interchangeable.
So you could build a native mobile app to get a "native token", but even if you would manage to (cookie-)inject it into a browser view, your website's backend couldn't use it.
More generally, you're raising an issue even facebook can't solve: Say you are using a facebook mobile app and logged in there. If you open facebook's web version on that very same phone, you'll have to log in there again. The root cause is the same as with above. Specifically, any native app is uncapable of setting arbitrary auth cookies into the OS browser. I personally believe this restriction will not fall, because it would have a large security impact - just imagine how any app could set (and possibly get) cookies for any website.
If they've never logged in facebook from their Mobile, how will your website ever know them ?
Is it possible to do that without having the user install anything on their mobile device?
Like PC's, users in a mobile device need to login in their phone in facebook's website before being eligible to login "automatically" to your website. When I say automatically, I mean they still have to go with the first time process of "Do you authorize this app/website to do X things on your account". That message is inevitable when using facebook's api on the web.
Hope this answers your question.
Is it possible to do that without having the user install anything on
their mobile device?
No this would not be possible. You need to have a native or hybrid app (phonegapped etc) to make it work. Mobile web apps run in a browser sandbox and without native code interface - you cannot get to the native SSO of FB on your mobile device
Did you have a look at this facebook page ? I'm not sure what you ask is possible, as basav said, but maybe you'll have some clues there.
I have an app that can be accessed on mobile phones, both iOS and Android. The app has a social component to it, so people are sending data to and from my server.
I also have an interface for this app that will be accessible through Facebook.
When logging into the app via mobile device, using the native app for that device, one can just log in with standard username and password.
However, obviously if a user accesses the app in Facebook, they will expect to already be logged in since they are already logged into Facebook.
So I need to make it so that my app can take a log in from Facebook, pretty much automatically (?) for users who are coming at it from within Facebook.
Further, it's possible (dare I say "likely"?) a user might access the interface from both Facebook and one of the mobile versions of the app. In which case I need to be able to ensure that the username/password authentication they use on the device points to the same account associated with their Facebook login.
So... all that said... what kind of Facebook authentication should I be studying and implementing.? I'm looking at their documentation right now, and like all documentation, it's not easy to grasp. There is server-side (authentication code flow?) and client-side (implicit flow?), and authentication tokens, and I'm already a bit lost.
Also, I assume Facebook's approach is to want to take over my login in process completely, not live side by side with my mobile-device-only login, but I'd like to make sure users have the option of not using Facebook authentication if they don't want.
Can someone point me in the right direction for how to do this? Basically let me know which part of the documentation I should be focusing on.
And are there any gotchas I should watch out for?
Your server will receive a signed request when your app on facebook.com is loaded; from this you can find the FB uid of the user.
If you obtain the FB uid for users of your mobile device clients you'll be able to match your app's accounts between mobile device & facebook.com clients.
The bottom of the main authentication docs page gives links to further documentation for different client types. The main mobile authentication page has side-bar links to tutorials & SDKs for iOS & Android. Alternatively you could use the server-side OAuth flow as your devices have browsers that support this.
Once you've completed authentication on the mobile device it's simple to obtain the uid.
You can also use the Facebook authentication flow instead of your own username/password authentication.
I'm building a (Rails-based) web service with a mobile app (iPhone) as frontend. In order to allow people to login using Facebook, I've built something using devise and omniauth that allows the user to log in using Facebook and store the credentials in the database. This works perfectly, all from the web app.
However, now the second part: I want to let users log in via the mobile app. Of course, there are the FB Connect libraries, but they give the mobile app access to the Graph API. Instead, I would like a mobile log-in screen that authorizes Rails to access the data. This is because later on, users might use both the iPhone app and web app.
What would be the recommended way of doing this? Are there any best practices?
I solved it by doing the authorization using FB Connect and the FB app. After authorizing, the FB app opens my app again, and I can read out the access token. Which I can then send to the server and use there.