I am working on API Integration Tests. In particular, I am trying to test the user's ability to login to our application with Facebook. Prior to signing in with our API, the user must sign in with Facebook on the front end of the application via the steps listed here. Since the tests going to be backend integration tests, I would like to handle the entire login in flow solely by leveraging Facebook's API. I can't seem to find any docs that illustrate a methodology to do what the these docs allow the front end to do. Does anyone have en experience with Facebook's API, and know how to simulate the login flow without actually using the login dialogue window?
Sign In Steps
Log in to Facebook
Log in to our API with Facebook returned authentication credentials and redirect uri
Their test user capability should help: https://developers.facebook.com/docs/apps/test-users
It'll allow you to create & sign into a test account, then destroy it afterwards. It won't be limited to normal login & visibility restrictions either.
Related
Facebook recently released a step-by-step documentation for using a GrapAPI to manage Instagram messages. To obtain the access token to use it, it's necessary to create an application in the developer center, enable login via Facebook and include the permissions "instagram_basic", "instagram_manage_messages" and "pages_manage_metadata" but to activate these options it's necessary to submit various information for approval as statement of how the integration works and descriptions of the usage flow. I don't have access to this information because I can't develop an integration without it being approved.
It's not possible to use the provided test user as the pages raised by him cannot be linked to Instagram accounts.
Tutorial followed: https://developers.facebook.com/docs/messenger-platform/instagram/get-started
Someone with some experience with the Facebook API could give me a light on how to obtain the token with access required and proceed the tests?
I have done the tutorial as well, I faced the same problem. To enable instagram_basic, instagram_manage_messages and pages_manage_metadata without app review you need to create a test-app. For test apps all permissions are granted without review.
Instructions on how to create a test-app
Another usefull tipp: If you are wondering why you need to implement facebook login to access the instagram messaging api, the logic is the following: You need to implement login to then use your own implementation to logg in your own account and obtain the page access key that will let you do api calls to the instagram messaging api. This process is obviously overkill and instagram is working on a way of getting that access token through the developer dashboard.
For now to obtain that access token you need:
implement facebook login as a simple html website and console log the response. Be sure to add the required permissions to the data-scope attribute of the facebook login button:
<div
class="fb-login-button"
data-scope="public_profile,email,instagram_basic,instagram_manage_messages,pages_manage_metadata,pages_messaging"
></div>
deploy to a website that has https enabled (logging in from
localhost will only work if you use a tunelling service like ngrok).
Open your website that has facebook login implemented and logg in with your facebook account that is also linked to the target instagram account and also is admin of your test-app.
get the access token from the response to call the other API endpoints.
Everything I have read (e.g. https://api.slack.com/docs/oauth) makes it seem as though I can only build an app that integrates with a Slack team I manage. E.g. I have to create my Slack Client ID .. etc ... and then I can oAuth users for my team.
What I want to do is allow my app's users to login to my app using their Slack login (for their Slack team I do not control or have access to.) I don't want to force my users to generate a Client ID to use my app. I want them to login the same way Google Login or Facebook Login works.
The closest thing I have found is a "login with slack" HTML button, but I'd like to do it in iOS using Swift.
Is that possible?
Sadly, that's not possible. For google or facebook, the way authentication works is that they provide you a mobile API which handles the communication between your app and their web service. So you task is simply adopt that API, make simple function call and retrieve information for user from the API. For example, the facebook button is provided by the API.
However from a look at slack site, they only have RESTful API documented. So in this case, you have to handle the passing and storing of parameters by yourself, and send HTTP request manually. You can have a look at Alamofire framework, which is the best choice for making HTTP request. Basically, you have to send needed parameter with the specific url though HTTP request to perform a log in action, and you have to parse the respond data and then see if the login is successful or not, etc
Thanks to some help from friends it looks like the answer is yes.
You must first make sure you "Distribute App"
Then set up the permissions you require and "install app" (which is a bit not "smart" since you can accidentally add conflicting permissions and get an error when trying to install).
Once that is done you will get an Auth Token and can make requests for any user to login using oAuth.
You can also trigger a sign in request like so:
https://slack.com/oauth/authorize?client_id=[client id]&scope=identity.basic
Edit: For future Googlers, Slack now also provides a specific documentation page for this type of OAuth grant/login: Sign in with Slack
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
I need to post message on a certain FB page as a owner by cron, using php and ZF 1.1.X. For this small issue, I don't want to create a full OAuth stack. Is it possible to communicate with FB API (it's desirable, PHP SDK for FB) without it, such as twitter with his precreated access tokens (Access token, Access token secret)?
As long as you need an active user access_token to retrieve desired data this is not possible to skip OAuth flow.
Without authenticating user you only have application access_token (in old format APP_ID|APP_SECRET, but it's still works) and only limited access to most of Graph API endpoints and Application settings.
Actually there is nothing hard in implementing the user authentication with OAuth flow and it is completely transparent with usage of PHP-SDK.
Just look at the sample code in documentation for server-side authentication
Yes, you need to build an app and then authorize the page via the app while requesting the manage_page permission.
You should make yourself familiar with the Server Side Auth process as well.
I'm developing an application that the only way to access the protected pages is through the Facebook's authentication. In this cenario, I need to login with a Facebook's test user and made my tests.
I'm using the PHP-SDK, so I need to figure out a way to login with an user test only with PHP (without javascript) and without a browser and cookies (because my tests runs only on command line, emulating a browser, without selenium for example).
Ideas about how I can test my protected pages that the only way to access is using a Facebook's user?
I am not familiar with the PHP-SDK but on a more general level I would stub out Facebook.
Your tests don't need to depend on a third party service: the build might fail because Facebook is down and running your test will be slow as it needs to wait for Facebook to report back each time.
Can't you stub the Facebook endpoint and send your own response back (one that looks like the Facebook one)? You could do this with an HTTP faker. For Ruby I would use something like FakeWeb but there are probably some similar tools out there for PHP.
Facebook now has test users, which can use most of Facebook except for interacting with real users. You can create them in your developer control panel or via the Graph API. There's even an API call that allows you to automatically create friendships between your test users. https://developers.facebook.com/docs/test_users/