azure app authentication/authorization between apps - facebook

I have an azure mobile all that uses authentication/authorization with facebook, everything is setup and working on my mobile app, I’m able to authenticate with facebook and get an access token.
I also have a web app (ODATA) hosted in azure and also uses authentication/authorization with facebook and its also working fine if I try to access the ODATA service it redirects me to facebook to login.
According to this article (https://azure.microsoft.com/en-us/blog/announcing-app-service-authentication-authorization/) I should be able to silently or programmatically send the access token from the mobile app to the web app by sending a json with acces_token key.
The may question is how I do this, is that access token in the header or where should I write it I can find any information from it. I would really appreciate a code example or an article that can guide me to accomplish my task

The may question is how I do this, is that access token in the header or where should I write it I can find any information from it. I would really appreciate a code example or an article that can guide me to accomplish my task.
Based on my understanding, you are using Client-managed authentication for independently contacting the facebook then retrieve the access_token from facebook, then you could leverage the access_token to login with your azure mobile app backend.
Also, you have a Azure Web App uses authentication/authorization with facebook and use the same facebook App ID. Then you want to leverage the access_token in your mobile client to access your another Azure Web App. At this point, you could login with your azure web app and retrieve the authenticationToken as follows:
POST https://{your-app-name}.azurewebsites.net/.auth/login/facebook
Body {"access_token":"******"}
Then, you could leverage the authenticationToken and set it as the x-zumo-auth header when accessing your azure web app as follows:
Get https://{your-app-name}.azurewebsites.net/api/values
Header x-zumo-auth:{authenticationToken}
Additionally, you could create your custom Web API endpoints within your azure mobile app, details you could follow adrian hall's book about Custom HTTP Endpoints.

Related

Identity Providers with Xamarin Forms and Azure

I'm a bit confused about Identity Providers in a project I'm doing with Xamarin Forms.
I configured Facebook as an IP with Azure Mobile Apps following this page
https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-facebook-authentication
It works, but my doubt is, how can I use the MobileServiceUser result of the authentication process to, for example, post to Facebook or get personal information from Facebook. Is this possible?
Thanks!
This is how I think about it.
Identity providers are used to provide a third party guarantee of WHO a user is.
The Mobile SDK lets you do Authorization. So you can decide WHAT the user can do on YOUR service after you know WHO they are.
Any thing you are doing via facebook would still need to be done through the Facebook API/SDK using the token their Authentication process returned to you.
Finally I found the solution to my problem.
What I was trying to do is get information from Facebook after I have authenticated myself.
All I had to do was invoke
await client.InvokeApiAsync("/.auth/me");
After authentication and thats all, the response of that request has the token to access the Facebook API. These tokens are saved in Azure.
For more information:
https://cgillum.tech/2016/03/07/app-service-token-store/
Thanks!

how can get data from facebook api and write those data in my own database using web services?

For this task I have already created my own facebook application to get the API key and secret key. Can anyone explain the next steps that should be done to
1) Read from facebook API
2) Write my own database
by using web services
Thanks in advance!
A high level answer:
I'm assuming you want to use the authorization code OAuth flow (this means you want Facebook users to give you access to their profiles so you can grab data from there). If so, you need to bring up a web server and an application that will run your users through the Facebook OAuth flow. In case you just want to access Facebook with your own credentials you don't have to have a web server, simply use the client credentials OAuth flow.
So, Once you have a valid access token, you simply make calls to Facebook API using this token. using Facebook Graph API is simply a matter of calling URLs and getting the data as JSON.
You can test-drive the API here.
BTW, according to Facebook's platform policy, you're only allowed to store Facebook data for caching purposes.
Let me know if this helps.

REST Api Authentication per users in App

I am creating a REST API server. For each app I have provided API key and secret. Example apps are Web app, mobile app any other app who want to use my api service. Now my API service will also need user authentication. How do I implement that? I have already done app authentication using hmac signature generation. Now I need help on implementing user authentication on those apps.
I can recommend you use OAuth or OAuth2 concept because it's standardized and widely adopted. You will be also able allow users to login with Facebook, Google account, etc.

Is it possible to send a request to the Facebook Graph API from client side without exposing our access token to the public?

My question is related to, but not exactly, this question.
I am currently working on a business directory Web site (similar to Yelp), in which businesses have their own pages. Let's call this app DIRECTORY_APP.
Businesses might want to have their latest Facebook status update shown on their pages hosted on our directory. Let's pretend we have a business named BIZ_1. The assumption is that those pages are public pages.
Apparently the Facebook Graph API can be used for this purpose. So I can send a request to Facebook to retrieve the latest status updates for BIZ_1:
https://graph.facebook.com/BIZ_1_PROFILE_ID/posts?
access_token=DIRECTORY_APP_ACCESS_TOKEN
&callback=callbackName
However, if I use this from the client side, our Web site's access token will be exposed to the public, so this is not a reasonable solution.
Now in the aforementioned question, Anatoly mentions that we can retrieve the access token by sending this request first:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials
However if someone inspects the Network log, this will also expose our Web site's access token (is this correct or is this a different type of access token?). This solution also exposes our web site's app secret (is this safe?).
So to summarize, what's a safe way in which I can retrieve the latest status update of a Web page from client-side without asking the browsing user to first log in to Facebook?
I can retrieve the latest status update of a Web page from client-side without asking the browsing user to first log in to Facebook
You cant do that without login.
And I guess access token is not exposed.
Maybe the smart trick here is to use a social plugin. The Like Box will do what you want, without any issues. But, it's not greatly customizable. Even so, it's possible to get it looking nice on a page!
It also skips any login issues you mentioned.
I found the answer after some Googling. In short, the answer is no.
And here's an excerpt from Facebook:
Security Best Practices
App Secret and App Access Token
The App Secret is used in some of the Login flows to generate access tokens and the Secret itself is intended to secure usage of your App to only those that are trusted. The secret can be used to easily create an App Access Token which can make API requests on behalf of any user of the app, which makes it extremely important that an App Secret is not compromised.
Therefore the App Secret or an App Access token should never be included in any code that could be accessed by anyone other than a developer of the app. This applies to all methods of code that are not secured like client-side code (such as HTML or Javascript) or native apps (such as iOS, Android or Windows desktop apps) that could be decompiled.
We recommend that App Access Tokens should only be used directly from your app's servers in order to provide the best security. For native apps, we suggest that the app communicates with your own server and the server then makes the API requests to Facebook using the App Access Token. For this reason, if your 'App Type' under Advanced Settings in the App Dashboard is set to Native/Desktop we assume that your native app contains the App Secret or an App Access Token in the binary, and we do not allow calls signed with an App Access Token to proceed. The API will behave as though no access token was provided.
If your App Secret is compromised, you should reset it immediately in the Basic Settings of your App Dashboard.

linkedin connectivity from my native iphone application

hello everyone i am new bie in iphone development i want to connect to linkedin from my native iphone application i am currently having no idea how to connect to it please guide me how could i do that
From http://www.zhangkf.com/2010/06/linkedin-developer-network-oauth-authentication/:
Yes you can get connected with Linedin withyour Native Application by
following simple steps:
You get an API key from LinkedIn. This is also called a Consumer Key in OAuth terminology.
You build a feature into your site that leverages the user's LinkedIn network.
Your user clicks on your UI to request to use that feature.
You make a call to LinkedIn to ask to use our authentication. This is called getting a Request Token.
LinkedIn replies with an OAuth Token indicating that you can use the authentication system.
You send your user to a LinkedIn URL. That URL includes the OAuth Token you got and a few other parameters such as a URL for LinkedIn to
return the user to after granting access.
The user grants access to your application by signing into that page.
Upon successful signon, LinkedIn will return the user to your site.
You will then make a call to LinkedIn to get an Access Token.
LinkedIn replies with an Access Token for the user. You use that Access Token for any API calls to LinkedIn to identify the user on
whose behalf you are making the call.
Or
Download the Code from here,you could get it.Just Provide your API Key and Secrete Key
http://github.com/ResultsDirect/LinkedIn-iPhone
Or see this for details:
http://developer.linkedin.com/docs/DOC-1008
This sample is 100% complete and working, just add your app key.
Built with the latest XCode 4.01.
Uses a UIWebView so you have the option of customizing the browser UI.
Uses JSON instead of XML, which is the preferred best practice for most cases
OAuth is heavily documented so you know what's happening
Tested with iPhone 4, iPad 1, and the simulator on iOS 4.x.
http://lee.hdgreetings.com/2011/03/iphone-oauth.html