Facebook provides an OAuth authentication system for third-party apps but they appear to not provide any fine-grained user management capabilities.
This seems like a security problem. I need to be able to:
Disable delete unused accounts
Disable or delete abusive users
White list users for early access to a new app.
But AFAICT FB provides no tool to do this.
I can probably hook of of the OAuth ID and put an entry in my database for the first two requirements, but I can't figure out how to white list Facebook users.
Google is unhelpful because all the results are about let users manage applications their user account is attached to, and nothing about allowing apps to manage what user accounts they are attached to...
Usually is a bad idea to delete or disable unused accounts, because maybe user was inactive for a long time, this doesn't mean the user deleted or disabled his account.
On the other hand, you can't avoid malicious users join your app via facebook authentication. What you can do is to detect suspicious activities with your own implementation (after Facebook accept them to join your app), and suspend, block or disable those accounts on the server (blacklisting them), after the user has joined client-side and sent the required access-token (optionally request the ID) trying to be accepted by the server.
Whitelisting users may depend on the requirements of your application, you can check profiles data and reject those that doesn't provide the requirements that your app needs (remember to ask the user for the fields that your app requires, like public profile, pictures, etc; these must be accepted by the user before signing in).
Here's how you white list users for an app on Facebook:
Keep the app in Development mode
Add users from your friend network in the Testers role
When you are comfortable, open your application to the world.
AFAICT you cannot white list when your app is published, but that's the point of publishing. Also the whitelist is not a request-grant method, it's invite only.
The other requirement to delete or disable users you must handle yourself in your database. You would tie the user's status to the FB's unique ID.
Related
I am creating an app that only a specific list of users will use, and I need Instagram Public Content Access permission (and some other permissions) for them (I have my Instagram Business Account all set up and connected with Facebook page).
On https://developers.facebook.com/docs/facebook-login/review/examples/#screencast there is stated:
You do not need to submit your app if it will only be used by you or
by a reduced number of people. Any account listed in the Roles tab in
your App Dashboard, such as admins, developers and testers, can access
all permissions and generate a user or page access token.
So I just want to make sure, that it is completely fine in my case to keep my app in development mode and let my users use it like this (so I don't need to submit my app for review as long as all the users are going to have their role assigned in my app), and that these permissions are not intended just for a limited time period or only for testing/development purposes.
Thank you for any answer.
What you quoted there, is applicable to permissions your app is going to ask its users to grant to it.
Instagram Public Content Access is not a permission, it is a feature. You need to get it reviewed, if you want your app to be able to access content that the users of your app do not have admin access to.
https://developers.facebook.com/docs/apps/review/feature/#reference-INSTAGRAM_PUBLIC_CONTENT_ACCESS
Update: It appears that when there's no API or token, software seems to simply ask the user for their account credentials, and probably has to store this information. I guess it can't be a huge security risk, since people are willing to share this information with apps like Mint:
So, my conclusion is that it is OK to ask users for credentials to other services if they can be secured safely and the user desires the service provided.
Many, many apps use others apps such as Facebook in order to get data from it, usually to verify the user is real and to get relevant profile data (e.g. a dating app would want age, gender, etc.).
When using such an app, I do not have to enter in my Facebook credentials. The app simply opens up my Facebook/asks for permission to access it, and voila it's done.
There seems to be a lot of documentation for well known companies like Facebook, Twitter, and PayPal on how to do this.
But how is it done for an arbitrary website that requires a user/profile, e.g. this website: http://ae.com/web/index.jsp
Unsurprisingly, if I google for FaceBook, there's a heap of resources, and even it's own dedicated tag (https://developers.facebook.com/docs/facebook-login/access-tokens).
However, if I start googling for American Eagle, e.g. "https://www.google.com/search?client=safari&rls=en&q=american+eagle+access+token&ie=UTF-8&oe=UTF-8", I get nothing relevant at all.
If I understand your question right, that you want to enable facebook login for your website,
you still need to create a facebook app. then use the access tokens in your website. so when user clicks on login with facebook, the app will be asking for permissions and finally you will get the access token and you can use that in your site to log in.
Whenever a permission error occurs on facebook, developers are forced to 1. identify that this is actually happening, 2. ask the user to re-login.
This is a terrible user experience, and I'm surprised that Facebook even allows it to exist.
Is there any way to easily add a permission to a session? If not, are there any ways to make this easier?
So let's put it this way:
I authorized your app with only basic access (no permissions, perms or scope).
You automatically added the email permission without my permission
I started receiving emails (spamming?) from you which is the worst scenario OR
You have simply gained access to my email!
Facebook respects user privacy (actually it's a primary goal) and while they are trying to provide developers with the best technologies, methods and APIs to maintain the best experience there are things they can't avoid.
Each action your application want to make to the user OR on his behalf must be approved by the user and it should be clearly stated when the user approves it.
I've chosen the email permission for a purpose here, because the user may choose NOT to share his personal email with you directly (in which case Facebook will give you a proxied email). This is how far Facebook is thinking and trying to keep the user trust on them (before you!)
Just a small note, handling (any) API provider errors and adopting it's behavior is part of your job. And trust me, Facebook users have been installing millions of apps for years now and they are used to this behavior.
So try making your application as engaging as possible, make use of the Graph API, Social Plugins and Channels. And you'll perform just fine.
For a website for our sports club, it would be interesting to let our users log in with their Facebook account. If I'm not mistaken, this requires Facebook Connect? But if I understand correctly, this would let all Facebook users log in to our site. Obviously, I would only want to allow certain Facebook accounts to log in, i.e. the members of our sports club.
Is this possible? I have checked the documentation of Facebook Connect and their OAuth 2.0 documentation but can't find anything that points in that direction.
You're running up against the differences between authentication and authorization.
Facebook Connect (and other OAUTH2.0 schemes) is basically an authentication system. It says that the user is who they say they are, and by extension is a trusted system in and of itself. Thus you rely that they truly are who they say.
In effect though, AFAIK, you cannot limit Facebook Connect's ability to authenticate a user.
That said, your problem is not authentication, but rather it is one of authorization. Basically, you only want certain people to have access to the private portions of your site.
What this means is that you need (and this is really, just a single possible solution, and one which I thought up while typing this) basically a holding queue for all new connections, and then grant each connection a specific set of authorized privileges--or deny them those privileges. Yes, it is a manual process, but it's one that you could pre-fill based on a known list of Facebook Id's.
The short answer is that, Facebook Connect just tells you that Person A is Person A. What that means to your site, and access rights within it, is still up to you and your site.
I want to build a Facebook application that will be available only to those who have been invited to it or to a certain list of people (the list will be used for initialization).
How can I achieve that?
Depends what you mean by available. Anyone can install/authorise your application - all it means is that it'll appear in their applications list, and that your application has more access to their profile.
However, whenever someone uses your application Facebook will send you their unique uid which you can then filter on within your own code. Store a list of uids that you consider "invited", and only allow them access.
Probably the neatest way to do this is at the start of a session; the initial exchange between Facebook and your application involves Facebook sending your app a uid and authentication token, with which your app requests a session key - if you filter at that point and simply refuse to request a session key for any uid that's not on your list, you can programmatically restrict access.
There is so called "application sandbox mode". It is intended for development and testing though. But the meaning of this mode - you directly specify what users have access to your app(testers)