Have created bot.
Have web site where user has been registered using facebook account.
From facebook manually building login flow :
https://www.facebook.com/v2.8/dialog/oauth?
client_id={app-id}
&redirect_uri={redirect-uri}
In the client_id i am sending my website facebookid.
What parameter should i use for redirect uri to make redirect to bot ?
Is it possible to get this work this way ?
Take a look to the SimpleFacebookAuthBot sample to understand all the pieces.
The RedirectUri must be something in your side that will receive the access code that later will be used to get the access token. Here is the implementation of that callback in the sample above mentioned.
Related
We would like to enable the following scenario :
user can login to a web application leveraging Azure AD B2C as the identity provider.
user can also interact with a bot on FB messenger (built on MS Bot Framework). He is asked to log in so that we can get him an access token for subsequent web api calls.
user has access to a persistent menu on his FB messenger where he can navigate to some pages of the actual web site and be logged in straight away.
I have the following question :
Could Azure AD B2C be used in conjunction with Facebook Account Linking ? Could not find any samples... What I am doing now : in the FB login button, I pass a link to one of my bot server controller method as a level of indirection. Then in this method, I get the redirect Uri and account linking token that FB is adding to the url and then do a redirect to my B2C policy url passing these 2 arguments in the state and my own redirect Uri (not the one from FB). This way, once authentication is done, b2c redirects to my bot where I rebuilt the callback to fb url. Any security concern with this approach?
Thx !
After looking at this post Facebook Messenger: get access token of linked account it seems that FB account linking is not really useful in regards to access token. I was expecting similar behavior as Amazon Alexa account linking but in fact it has nothing to do with exchanging an authorization code with an access token and having this token manage by FB... So I am just going to leverage the BotAuth code https://github.com/MicrosoftDX/botauth to store the access token in the bot state... I dont really care about collecting the PSID...
Regarding the last step of the scenario, we are investigating cookies reuse from the first authentication flow.
I have an application that uses the Facebook messenger api to send and receive messages through a Facebook page. This works great. Now I need to be able to have a user in my application link their page so that messages sent to their page will send webhooks to our endpoint, and also give us the ability to send messages through that page using an auth_token.
Is there any way to do this via api, or will each user have to manually create a Facebook app, generate an auth_token for their page, and set the webhooks url to our endpoint? I've read about messenger account linking but I don't think it's quite what I need, as I'm not just looking to request additional profile information.
After looking a bit deeper, I found that in order to do this you must perform an OAuth flow to get an auth_token for the user, then use the graph api to get an auth_token for the desired user's page. Then with the page auth_token you can make a POST request to the subscribed_apps endpoint, which will then add the page to the app's webhook events.
I am trying to get account linking work in my facebook bot.
According to this url FB Documentation developers are supposed to register an authorization_code and on succesfull login need to pass it as a param along with the redirect URI. But following is not mentioned
How to generate authorization_token ? Some specific method or a random number ? or is it the access token of registered FB Page ?
How to register authorize_token
You can use any authorization_code you like.
You don't need to register your authorize_token
I had made a Facebook APP for authorization of users on my Website, I am using OAuth Method. In My Site i have kept a Feature called "Login in With Facebook", when user clicks he gets redirected to Facebook with link
https://www.facebook.com/v2.2/dialog/oauth?client_id=<ID>&redirect_uri=<mysite>&state=<some random hash>&scope=
This looks fine enough, Now Facebook asks for Allow and when Users clicks allow, I get a URL Back on my site with a Special parameter called &code= .. It looks like
http://mywebsite.com/facebook&code=<some huge Random code>&state=<hash>
Now, i would like to know what exactly is code= parameter value says, is it the access Token of the User because i don't see special parameters like access_token=. So can somebody tell me what is code means in OAuth and is it same as Access token. ?? How can i verify it.. Please input your thoughts
Your app needs to exchange that code server-side for an access_token
There's specific documentation for this flow but essentially you take the code, your app ID, app secret, and the redirect_uri you used when opening the dialog initially, and make an API call to exchange the code for an access token
You then use the access token to make API calls on behalf of the user
We're hoping to create mobile phone applications for (among other features) posting video to a user's FaceBook page. However, using their API, it looks like we would need to open a web viewer and have the user enter their login credentials every time the application is used. We would prefer to store these credentials so the user only has to login once.
We could of course save the http login post and resend it as needed, but this breaks if FaceBook changes their API and I worry about their terms of service and using an unofficial hack such as this.
Maybe someone knows of another application that uses Facebook this way?
You should have been returned an oAuth token to use.
The new Facebook API has a service you can call with the old tokens and it returns you a new oAuth token.
You just have to add offline_access to your permissions. You do this by adding &scope=offline_permissions at the end of your authorization url. Then your oAuth token won't expire.