Is there any way to get the APP_SCOPED_ID from a global url of a user (e.g. https://www.facebook.com/zuck)?
My service needs to proof that the global url belongs to the user logging in to my app through oauth. Unfortunately I only get an APP_SCOPED_ID and APP SCOPED URL in the form of http://fb.com/app_scoped_user_id/{app_scoped_user_id}. Using traceroute seems to hacky and the backend would need to be logged in to facebook. Is there any elegant way to do this?
No, there is no way to get the App Scoped ID from the global URL or the global ID - and vice versa.
Related
I am using FB js SDK to allow logging in on my platform. A user permits the needed access and I save his ID in my DB. The data is sent to my server via AJAX. Since the login is with FB, I can identify the user only by his ID.
Now, lets say I know someones FB ID and I know he has an account on my platform. In runtime, I can place his ID in the auth request and obtain a legit session of that user. How could that be avoided?
First of all, those are App Scoped IDs, it is very unlikely that someone would know the ID of a user who authorized your App, because it´s not the "real" ID.
That being said, you can (and should) send the User Token to the server and confirm the ID by calling the /me endpoint with that Token. You should also use appsecret_proof for API calls, more information can be found in the docs: https://developers.facebook.com/docs/graph-api/securing-requests
Facebook provides some documentation on the parameters of oauth login.
Login Dialog OAuth 2
Parameters are:
client_id = Your App ID
redirect_uri = Your App Website URL
display = page, popup, iframe, async, touch. How to display login.
scope = permission names. Permissions your app is asking the user to grant to your app.
state = a string included in the response back to your app.
response_type = code or token or both. Used in different ways depending on authorization flow.
Is there more information about different types of oauth functionality and the parameters that go with it?
I want information on how to structure the URL for oauth. I know of a couple of configurations. For example:
https://www.facebook.com/dialog/oauth?
client_id=YourAppID
&redirect_uri=The URL that you designated in your App Settings for your App
&response_type=token //Whether you want a `code` returned, or a `token` returned, or both
&scope=publish_stream // scope prompts the user for the type of permissions being asked for
I saw a discussion that showed this:
https://graph.facebook.com/oauth/authorize?
client_id=123456789
&redirect_uri=http://example.com/
&scope=publish_stream,share_item,offline_access,manage_pages
Note the difference's of the URL's:
/dialog/oauth?
or
/oauth/authorize?
What does authorize do? Does it GRANT permissions instead of ASKING for permissions? Where is the documentation on this?
https://graph.facebook.com/oauth/authorize is also to logging in the person -- Like authenticating a person and to take permission from person whether to access the requested permissions by app.
oauth/authorize is graph api call.
I think major difference may be when you want to build the login flow manually you should use /oauth/authorize.. else if you are using javascript/Apps api provided by facbook it uses /dialog/oauth. Apps normally need to confirm that the response from the Login dialog was made from the same person who started it. If you're using Facebook's JavaScript SDK it automatically performs these checks so nothing is required, assuming that you're only making calls from the browser. More over we can make graph api calls secure by applying appsecret_proof.
I'm trying to build a Facebook-authenticated native mobile app (Windows Phone) that connects to a web service I am creating in Node.
I'd like for a user to:
Log in to Facebook on the mobile app via a native UI or web window
If logged in successfully, create or access server-side user account data tied to that identity
Use the authenticated session to make subsequent authenticated requestsvto that user's data via the native mobile app
My question is: What's the best approach here?
Should I...
Log in the client to facebook locally in the mobile app and pass the Access Token to the node service, and then somehow map the user to my service data based on their facebook account id? That seems grossly insecure if I just pass that token in the URL.
Log the user in via a mobile browser window inside my app, and then redirect back to my Node service in the same window? How do I then make subsequent authenticated requests natively in my app?
Do something else entirely?
Sorry this is so open ended but this is the first time I have tied these things together and although there's a lot of info on each part I've yet to find something that describes the overall pattern / best practice for this design.
Your question is quite opinion based...but still I will try to help.
First of all, you can pass access token in url, its not insecure if you use https. Even if logged into facebook from your mobile app, than also its going to pass a access token in url only. If you mean having the token in http://something.com/access_token, than its not how its should be done.
If you look into the Oauth 2.0 draft you will understand that its done through setting a header Authorization with the value being the token and token_type. Take a good look at the draft.
As your solution I think its fine if you just use the first method mentioned in the question by sending the access token in header as I mentioned in your app and in turn authenticating that token from facebook on each request.
If you think this is just too long a flow for authenticating every request from facebook, than you can get access token by sending request from your mobile app to server and let the server handle the access token and store it in database which you can authenticate each request.
In any case take a look at Passport module, it has facebook and other auth built-in and should be sufficient for your needs.
My scenario is somewhat like this: A user logs into my website with his FB credentials. I capture his ID and the FB access token (say, a long-lived access token). He exits my website, and returns back later. However, this time, his browser has FB open with a different ID. Would I be able to load facebook details of this old id (with which he had registered on my site) using the stored access tokens? Is it possible, or would it result in a clash between the old and the existing FB id?
Correct me if I'm wrong, but he/she should stay logged into your website, regaurdless if his authID changes.
First of all, why would you want to do that? Since Facebook does not allow multiple user accounts for one and the same person, the only case where this would normally come into play is when another user is using my computer/browser – and why would I want you to read my info while that other person is using my device …?
Second of all, as long as the first user is still considered logged in to your site, it makes not much difference. But lets say some client-side method is called that updates the cookie information, then that’s where trouble might start. You might still be able to read the old user’s info, since you have his valid access token – but you’d have to use that token in your requests explicitly, and also address the account specifically, since the Graph API’s /me would point to the new user.
But as I said, I can hardly imagine a real, practical use case here …
My question is very simple
On this page: http://www.facebook.com/axefan?sk=app_116526158422952
How did they do to show the names of the connected user, without asking permission? I thought it was not possible to have UID of a member without going through auth?
You don't need an access token to get the name of something in Facebook. You just need the id of whatever it is you are checking (Person, page, event, etc).
For example, you can check these without appending any access token to the URL:
http://graph.facebook.com/595869823?fields=id,name
http://graph.facebook.com/292378408255?fields=id,name