I'm planning to use Facebook's OAuth2 because they offer it for free. But I wonder if Facebook has some kind of configuration that can block unknown users from logging in, so only selected users can log in?
Is that possible?
Related
Within our application we would like to provide automation features for Instagram Business users. The Instagram API is migrating to Facebook graph, so we have implemented authentication through that. The problem is that we don't want ALL Facebook users to be able to authenticate, only Instagram Business accounts.
Is there a way we can configure the OAuth setup so that it only lets in the user type that we want?
Otherwise it seems we would be left to do this within application code after the authentication process is complete, which would be a pretty poor user experience (eject the user after they've authenticated).
We're currently using Firebase to perform the OAuth integration, but would be open to implementing manually if it provides a better user experience.
Recently I've been doing some research into OAuth and OpenID/OpenID Connect and it's all just left me confused as to what is best to use and what is safe.
Originally I thought you could just use OAuth2.0 to log a user in (using their ID as a way of remembering the user) but then I found out that due to how the spec of OAuth 2 works, hijacking tokens would allow a malicious user to impersonate another person. Which is why it's stated that you shouldn't use OAuth 2 as authorization.
But then I have been reading that providers such as Google and Facebook have decided to move away a little from the standard and ensure that such attacks are not possible. So my question is: what OAuth providers are safe to use to gather a user's ID to be used to log them into my service?
Also, Facebook is offering another service called Facebook Login. From what I can tell it's OAuth but without the impersonation issue (obviously) AND the app creator cannot do other OAuth features such as posting on behalf of the user without getting their app reviewed by Facebook. Why would I use Facebook Login over OAuth, which gives me all those permissions without review?
Thanks a heap everyone
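The three questions above (restricting a Facebook login to selected users, admitting only Instagram Business accounts, and the worry that a hijacked OAuth 2.0 token lets someone impersonate another user) share one answer on the application side: the provider authenticates anyone, so the app must decide after the callback. The following is an added example, not code from any of the posts. It gates a callback in two steps: first it checks that the presented token was issued to this app (the check that defeats token substitution), then it applies the app's own policy. The `introspection` dict is a constructed stand-in for a token-debug response with `app_id`, `is_valid` and `user_id` fields; `profile`, its `account_type` key and `OUR_APP_ID` are assumptions made for the example.

```python
"""Post-authentication gate for a social-login callback.

Added example, not code from any of the posts above. The provider does
not filter who may authenticate, so the application decides after the
callback: (1) the token must have been issued to *this* app, which is the
check that defeats token-substitution impersonation, (2) the user must
satisfy the app's own policy (allowlist, required account type).
`introspection` is a constructed stand-in for a token-debug response
(fields `app_id`, `is_valid`, `user_id`); `profile`, its `account_type`
key and OUR_APP_ID are assumptions for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

OUR_APP_ID = "000000000000000"  # placeholder: this application's own app id


@dataclass(frozen=True)
class LoginPolicy:
    allowed_user_ids: FrozenSet[str] = frozenset()
    allowed_email_domains: FrozenSet[str] = frozenset()
    required_account_type: Optional[str] = None  # e.g. "business"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    session_subject: Optional[str] = None  # only set when allowed


def token_is_ours(introspection: dict, our_app_id: str) -> bool:
    """A token presented by the client must be valid and bound to our app id.

    A token minted for some other app is still a real token for the same
    user, so accepting it would let whoever holds it log in as that user.
    """
    data = introspection.get("data", {})
    return bool(data.get("is_valid")) and data.get("app_id") == our_app_id


def authorize_login(introspection: dict, profile: dict, policy: LoginPolicy,
                    our_app_id: str = OUR_APP_ID) -> Decision:
    """Decide whether a just-authenticated user may get a local session."""
    if not token_is_ours(introspection, our_app_id):
        return Decision(False, "token invalid or not issued to this app")

    user_id = introspection["data"].get("user_id")
    if not user_id or user_id != profile.get("id"):
        return Decision(False, "profile subject does not match token subject")

    if policy.required_account_type is not None:
        if profile.get("account_type") != policy.required_account_type:
            return Decision(False, "account type not permitted")

    has_allowlist = bool(policy.allowed_user_ids or policy.allowed_email_domains)
    if has_allowlist:
        # An email-domain allowlist is only as trustworthy as the provider's
        # own verification of that email address.
        domain = (profile.get("email") or "").rpartition("@")[2].lower()
        if user_id not in policy.allowed_user_ids and domain not in policy.allowed_email_domains:
            return Decision(False, "user not on allowlist")

    # Only now is a local session established; nothing before this point
    # has granted the user anything.
    return Decision(True, "ok", session_subject=f"facebook:{user_id}")
```

The user sees the provider's consent screen either way; the point of the gate is that a denied user never receives a session, so "ejecting" them is a single redirect to an explanatory page rather than a logged-in account that is then revoked.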
I am building a small app that uses Facebook and Twitter credentials to login/register to use it.
I was wondering, once the user has completed registration, if there are any known strategies to merge the accounts together if the user were to decide to do so.
One idea is to confirm matching OAuth IDs.
Meaning, if the user were to sign in with Facebook one go-around, and later log in with Twitter, providing that the OAuth IDs match: boom! Accounts now merged.
Is this an acceptable practice?
The answer is...drum roll please........
No.
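The answer above is "No", and the reason is that an ID from Facebook and an ID from Twitter come from unrelated namespaces, so two equal strings say nothing about the person behind them. The following is an added example, not code from the question or the answer, showing the structure that does support merging: local accounts keyed by (provider, provider user ID) pairs, with a second identity attached only when a user who already holds a session on one account completes the other provider's login and explicitly asks to link it. All class and method names are invented for the example.

```python
"""Account linking keyed by (provider, provider_user_id).

Added example, not code from the post or answer above. A Facebook id and
a Twitter id live in separate namespaces, so the provider name is part of
the lookup key and equal id strings never collide. Merging happens only
via an explicit link performed from an authenticated session.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Identity = Tuple[str, str]  # (provider, provider_user_id)


@dataclass
class Account:
    account_id: int
    identities: Set[Identity] = field(default_factory=set)


class AccountStore:
    def __init__(self) -> None:
        self._accounts: Dict[int, Account] = {}
        self._by_identity: Dict[Identity, Account] = {}
        self._next_id = 1

    def login_or_register(self, provider: str, provider_user_id: str) -> Account:
        """Resolve a just-authenticated provider identity to a local account.

        Unknown identities get a fresh account; because the provider is part
        of the key, ("facebook", "42") and ("twitter", "42") are two users.
        """
        key = (provider, provider_user_id)
        acct = self._by_identity.get(key)
        if acct is None:
            acct = Account(self._next_id)
            self._next_id += 1
            acct.identities.add(key)
            self._accounts[acct.account_id] = acct
            self._by_identity[key] = acct
        return acct

    def link(self, session_account_id: int, provider: str, provider_user_id: str) -> Account:
        """Attach a second provider identity to the account the caller is logged into.

        Precondition enforced by the caller: the user holds an authenticated
        session for `session_account_id` AND has just completed the OAuth
        flow for (provider, provider_user_id) within that same session.
        """
        key = (provider, provider_user_id)
        owner = self._by_identity.get(key)
        if owner is not None and owner.account_id != session_account_id:
            # Re-pointing it would hand another user's account to the caller.
            raise ValueError("identity already linked to a different account")
        acct = self._accounts[session_account_id]
        acct.identities.add(key)
        self._by_identity[key] = acct
        return acct
```

After a link, logging in through either provider resolves to the same local account, which is the merge the question asks for, obtained without ever comparing one provider's IDs against another's.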
I have a web application that's going to be available for all users on my Google domain.
Is there a way of allowing the application to manage users' email, calendar, etc. without requiring the user's authorization, using the fact that all users are part of the domain?
You will need to have a look into the Google Apps 2-Legged OAuth APIs; they will allow you to access/manipulate users' data without their authorization.
You can find the list of available 2-Legged OAuth APIs here.
Unfortunately you will see that you cannot do as much with the 2-Legged API as you can with the 3-Legged API. However, 3-Legged OAuth requires the users consent at least once.
Consider the following situation: an internet provider has a self-care site that is integrated with Facebook, i.e. a user can log in to the self-care site using his Facebook credentials.
However, when a user has not paid for internet access, he is limited to the provider's sites only (e.g. selfcare.provider.com). In this case, the Facebook integration stops working due to the access restrictions.
Question is: is there a way of restricting access to facebook in such a way, so that only login can be enabled?
You want to allow users to authenticate against your app without allowing them to access Facebook itself?
I don't think that will be possible short of applying some custom logic on your end to try to determine if a request to Facebook is for login purposes or to access Facebook itself - there's no API for this.