I hope not to be duplicating any question, and also not to be asking something too basic.
I´m building a web app in ReactJS, just to get familiar with the framework. I planned to grant access to users using a Facebook login, which I already have working with react-facebook-login. I also have a Spring Boot Rest API, to serve the front-end. But I want to allow access to part of my API just to authenticated users, using the Facebook access token. So in my back-end, I had to do an org.springframework.boot downgrade from 2.0.4.RELEASE to 1.5.10.RELEASE so I can use the Facebook Graph API. Do you guys think this is ok? or should I use a different approach?
And to be honest I´m a little confused on how to achieve a correct validation of the user's request on the restricted areas of my REST API using the access token sent from the front-end, Do you guys have any suggestions on this matter?
Thank you all for your help.
Related
I'm a bit confused about Identity Providers in a project I'm doing with Xamarin Forms.
I configured Facebook as an IP with Azure Mobile Apps following this page
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-facebook-authentication
It works, but my doubt is, how can I use the MobileServiceUser result of the authentication process to, for example, post to Facebook or get personal information from Facebook. Is this possible?
Thanks!
This is how I think about it.
Identity providers are used to provide a third party guarantee of WHO a user is.
The Mobile SDK lets you do Authorization. So you can decide WHAT the user can do on YOUR service after you know WHO they are.
Any thing you are doing via facebook would still need to be done through the Facebook API/SDK using the token their Authentication process returned to you.
Finally I found the solution to my problem.
What I was trying to do is get information from Facebook after I have authenticated myself.
All I had to do was invoke
await client.InvokeApiAsync("/.auth/me");
After authentication and thats all, the response of that request has the token to access the Facebook API. These tokens are saved in Azure.
For more information:
https://cgillum.tech/2016/03/07/app-service-token-store/
Thanks!
I am building a SPA (Single-page application) that is going to consume and REST API. My application will use the facebook login.
Just to clarify my ideas:
I will use Facebook SDK (javascript) to authenticate my new user. Facebook will give me an access token. This will run on client side.
Now, i will make a request to my REST API. Do i need to pass the access token to the REST API? DO i need to verify always to see if the user is logged?
I know it is a newbie question..
As long as you are using the JavaScript SDK (and FB.login), you don´t need to worry about the Access Token - at least not in most cases.
You can verify if a user is authorized already by using FB.getLoginStatus on page load.
I know this question has already been asked by someone else, but I didn't found the answers to my exact question.
I'm building a backend that provides its API written using Django REST Framework and integrates Facebook using Django Social Auth.
The frontend consumes the API using AngularJS.
I used a simple Token-based Authentication and everything went well, when somebody authenticated with Facebook I could retrieve the simple token (which never expired) from the DB and return it to the frontend, which will use it for subsequent calls to the API.
My problem now is that I want to publish my APIs and use oAuth2.
In order to do this I am using Django OAuth Toolkit.
If a user uses the native login there is no problem, because I use resource owner password based grant type (giving only client_id because the frontend is a JS app).
Now, if a user authenticates using Facebook there is a problem! I have no password to use!
This fact made me reconsider everything about authentication in my backend.
I thought this:
Is it sensed to make my "official" frontend app consume the APIs using oAuth2?
Isn't it better to use Token-based authentication (or Session-based, if you prefer) only for my frontend app and let third party apps consume APIs using oAuth2?
And, if I do like this, how can I tell my "official" app from other apps? Wouldn't it become a leak in security (for some reason, I don't know...)
For this task I have already created my own facebook application to get the API key and secret key. Can anyone explain the next steps that should be done to
1) Read from facebook API
2) Write my own database
by using web services
Thanks in advance!
A high level answer:
I'm assuming you want to use the authorization code OAuth flow (this means you want Facebook users to give you access to their profiles so you can grab data from there). If so, you need to bring up a web server and an application that will run your users through the Facebook OAuth flow. In case you just want to access Facebook with your own credentials you don't have to have a web server, simply use the client credentials OAuth flow.
So, Once you have a valid access token, you simply make calls to Facebook API using this token. using Facebook Graph API is simply a matter of calling URLs and getting the data as JSON.
You can test-drive the API here.
BTW, according to Facebook's platform policy, you're only allowed to store Facebook data for caching purposes.
Let me know if this helps.
I want to access facebook REST API's using PHP OAUTH functions instead using their php_sdk. Is there anyone to help me out in this?
You can save the user details in a table as mentioned in http://net.tutsplus.com/tutorials/php/how-to-authenticate-your-users-with-facebook-connect/ and manage sessions from that point effectively to achieve your goal