Just curious,
In case I want to make application using API for login(i.e Facebook of Google+)
What user's unique key do I stored in my database? Do my apps have same user's unique key as them(Facebook or google+), or they generate a new unique key for my user when sign in my apps? And what type of data is it?
Do I duplicate user's information into my database or keep accessing user's information from Facebook or Google+? Like do I have to create table for user's name, gender, birthday,etc and register user's information once user login to my apps or straight access it from Facebook or Google+ every time my apps needs it?
Is it really safe for user to using login with API? Can someone using API to get user's email and password, or make post in user's Facebook or Google+ that user don't want to post, or hijack user's account?
This might be common case, but I have no experience in using API so I have no idea about that.
What user's unique key do I stored in my database? Do my apps have same user's unique key as them(Facebook or google+), or they generate a new unique key for my user when sign in my apps? And what type of data is it?
When you use Google or Facbook signin you really only need to store the information that they return to you.
LoginProvider ProviderKey ProviderDisplayName UserId
_____________________________________________________________________
Facebook 1969950809700159 Facebook 21248583
Google 117200475532672775346 Google 21248582
User Id is the users id from my user table. Where i store there user information my system needs ProviderKey is the users Id on the login providers system.
Do I duplicate user's information into my database or keep accessing user's information from Facebook or Google+? Like do I have to create table for user's name, gender, birthday,etc and register user's information once user login to my apps or straight access it from Facebook or Google+ every time my apps needs it?
You can duplicate some of it when the user creates or links their account to your system but i wouldn't automatically update it without informing the user you are doing so. Some users dont realize how much information you have access to via linking to social media accounts.
Is it really safe for user to using login with API? Can someone using API to get user's email and password, or make post in user's Facebook or Google+ that user don't want to post, or hijack user's account?
I think you are confusing identity for Authentication. Using Oauth2 you request a user to grant you access to see there data though an api this is authorization. If you are using Google+ or facebook signin you are using an identity server and signing in as the user. You should be using signin if you want them to login to your system using their social media accounts. By singing in you are that user. No I dont think they can be hijacked using signin.
Related
Initially, we have enabled FB login to one of our iOS app. At that time, we were only storing Facebook unique number in our database for user's unique identification purpose. Now that our customer is asking us to enable Google Login, since we didn't store user's email address at the time of their login, it became tricky for us authenticate existing FB users if at all if they want to use Google login. Consider, user is using google email as their FB login. Now we need your help in getting user's email id by using FB unique number which we already have it in our db. Your help in this regard would be highly appreciable. Thanks in advance.
There is no way to get the email of a user on Facebook, unless he specifically authorized your App with the email permission.
A noob question since its my first app to deal with Facebook social sign in. I am developing an app (Flash) which have the ability allow the user to
create normal user account
or
social sign in
The information both store in the same table, but with social sign in off course there is no user password store so i create a account_type which differentiate weather its from the normal user account create or social sign in from Facebook.
Is my appraoch to this correct?
Just wondering what do you need to store in the database in order to authenticate the user, if they come from Facebook social sign in. Because the authentication happen within the Flash application itself rather than going to the server and return result.
So my ulitmate question is what information do i need to store in the database for social sign-in users in order to match with their account and authenticate they are legit user. instead people can just steal email address and access all user's information.
Thanks for any kinda help
The only thing which will identify them uniquely is their Facebook ID. You need to confirm this by requiring them to authenticate, then calling the graph through the ActionScript API to get details of the current user.
Facebook IDs aren't secured in any way (you can look them up with a simple graph call), which is why you need to get the user to authenticate with FB - it's not like ACS, for example, where you set up a relying party and receive a token string that is unique to your application.
After getting the user to authenticate, your code will look something like this:
var auth:FacebookAuthResponse = Facebook.getAuthResponse(); // Gets current authenticated user, or null if no user is authenticated.
var token:String = auth.accessToken; // Access token - only valid for this session, so you can't use this.
var user:String = auth.uid; // Unique identifier of the current authenticated FB user.
I'm trying to implement facebook connect to my website, and i have couple questions.
1: Is it possible to register user in my website using his current facebook email/password.
Let's say user clicks on link Register via facebook and then he have to give me permisions to access his password, email, etc... and after that is done i put that info in my own database and he will be able to login with that account any time he wants without needing to give me permisions any time in the future.
2: If that kind of registration is not possible, what's other solution would be the best for me? Because i need to somehow keep track of that user who logged in with facebook, because he can upload photos, send messages etc.
Anyways, i'm quite new with facebook and similar things, so i'm really lost here, hope some one can help me :)
EDIT Thank you all for wonderful answers it helped me a lot, now all that's left is to read documentation :)
Yes it is, it is possible to get the information of the user. But it is rather complicated, when you have never dealt with it.
First you need to send the user to the following link:
https://m.facebook.com/dialog/oauth?client_id=your-client-id&redirect_uri=xxx&scope=listof-information-you-want
Facebook will then return your client to the uri specified, if the user rejected it will give a reason. If it is not you will get an code in urlencoded format.
This code is needed for the following step, the request of the access token:
https://graph.facebook.com/oauth/access_token?redirect_uri=xxx&client_id=xxx&client_secret=xxx&code=xxxx
This will give back an access token, if the authorization didn't fail.
After that you can ask for the information you want:
https://graph.facebook.com/me?method=GET&metadata=true&format=json&access_token=access_token
This will include a facebook uid, which is unique for all users. Store it and you can discern between a register and login.
This is roughly the process for any oauth2 application.
Facebook will not ask repeatedly for permissions after the user granted them to you. So you can store the access token and reuse it for backend stuff and also use the same procedure you use for register for login.
You can never access the user's password from Facebook even with his/her permission, so the user will always have to authenticate via Facebook and have Facebook pass you the user id of the logged in user once authentication succeeds. You can store all kinds of other data locally, but not enough to authenticate the user yourself.
Once the user is authenticated, you'll have access to the user's Facebook user id via the API, which should be enough to connect all kinds of information to that specific user.
Facebook does not provide access to accounts when passwords are taken from your controls. It provides it own canvas for login information. Therefore you cannot use your first approach to store passwords in your databases. Check this out.
You can however store email addresses once user logins into his account using the facebook sdks. Check this out link for the example of C# SDK sample code.
You can use the Facebook APIs to fetch user email-id, photos, friendslist and other information and then play around accordingly.
You don't get access to the users password - only email if you ask for it.
Best way would be to have a table of users and their Facebook account id's.
If you want to allow users to sign up without Facebook then have a nullable field for their password and facebook id, and also have a field for username - which you could populate from Facebook if they register via that route.
I am working on facebook application in java, and i succeed to retrive the access_token.
Now i want to pull for example the user feed but i dont have the user id https://graph.facebook.com/userid(or me)/likes?access_token=...
Yes, I know user id could be replaced by 'me', but my app is a web app, user just input his user name and password in our frame, not facebook OAuth Dialog which is for user authentication and app authorization, so I think facebook should do not know who is me, so I need user uid. In previous implementation, I could use user email and password to get user id and session key by Facebook Rest API, but how could I get it by Graph API by user name and password?Is there a way to do that?
The Graph API uses OAuth 2.0 for authorisation.
One of the main goals of OAuth is that the user's credentials don't have to be handed out to the 3rd party applications.
So, it's not possible to get the user id and session key using the Graph API with just the users email & password (unless you logged them in manually yourself).
How do they manage to get user to login to Twitter / Facebook through Javascript so smoothly?
I am trying to replicate it for the web app. Basically, the user only needs to add a javascript snippet to their site to kickstart but I am clueless as to how to integrate facebook and twitter connect seamlessly.
Do they store access tokens after successfully authenticating a user?
Short answer is yes, they store access tokens after successfully authenticating a user.
After you try facebook and twitter apis, you'll see that, they both returns ids for every user who succesfully logged-in through your application. You can then simply add those ids pairing with the platform they logged in to your database. You can then use that data to track users easily.
You need to
Create applications on both platforms
Have pages for each provider to check if user performed a succesful login
Check if user is a newcomer and add that user to your database if so.
Set a session or cookie variable of user's local id in your own application or do whatever you are normally doing to track if a user logged-in as that user is your local user.