I have a working Facebook web application built with angular that uses the Javascript SDK in order to login into my app, and that works fine on desktop/laptop computers.When I tried to login with my smartphone, it would not open the login window.
What would be the best approach to bypass it?
I was thinking about using the manual login flow with OAuth and then pass the user token from the server to the client in order for it to make the regular calls.
Would that be a good strategy?
If so, does it makes sense to set a user token in the Javascript SDK so I can use it?
(e.g, FB.ui(), FB.api() calls)
Related
so i have a meteor app, and i'm using facebook login (and google etc) for user authentication.
and i'm using MeteorRider which is basically "hijacking" the DOM from my meteor app, this way i get also a phonegap app.
So when using web and clicking on the facebook login, its working great.
but when using the phonegap app, its not working. its making an ouath call (opening a browser and do all the process but does not automatically close the browser and bring up my app) but then redirect to my app in the browser.
i'm still trying to figure how the two works with each other.
do i need to do this authentication using phonegap api or should i handle it using meteor api?
I use this for any oauth requirements in phonegap. https://github.com/oauth-io/oauth-phonegap
It handles closing of the browser etc.
I just released a package to fix this. It uses the InAppBrowser plugin to load the popup, listens for the auth token, closes the popup and logs in/creates account.
https://atmosphere.meteor.com/package/phonegap-oauth
I currently run a web application that has its own native registration and login system.
Now I would like to add Facebook login to my site, and integrate it with my native registration system. Like check the email returned from Facebook, and add the user to the database with a flag indicating he is a Facebook user, and then just authenticate the user.
While I have some idea of how to implement the system, I would like inputs on whether I should use the Facebook SDK for JavaScript, or the server-side SDK. I see that Facebook recommends the JavaScript SDK for WebApps. However in case of integrating with a native system, will it be the ideal choice? I believe the JavaScript SDK would work good when the login is purely Facebook, and is meant for simple authentication-required views.
Can someone who has worked with Facebook login help with this decision?
You are right integrating Facebook Javascript SDK will not be a good choice for Native log-in system as in any case you will have to pass some input(userid) to your server side program like facebook ID/email id to synchronize the user with your native system, from javascript. Which will be a 3 way channel > Facebook - JS(user browser) - Your Server, this makes it less secure as someone with user id can ping your server and it will log the user in.
I was also working on same scenario where I need to enable users to login with Facebook as an option. However a native login system was deeply integrated with the application. So I used PHP SDK inspite of JS SDK.
I noticed that the Windows desktop Spotify application asks me for my facebook username and password in the login screen. I am wondering what happens behind the scenes.
When I change my fb password in my browser I have to use the new password in the Spotify desktop app login screen. There are even situations when the Spotify desktop application shows me a fb popup where I have to grant permissions for Spotify itself.
I know that Spotify uses an embedded Chromium browser engine to do all the heavy lifting. But isn't it against Facebooks TOS to do it that way?
I mean, does Spotify posts my username and password to the facebook login.php and intercepts the result page to get my cookie? Is there a documented way to handle a login to facebook on behalf of the user in a proper way?
No, they are using an old and deprecated REST API method called auth.login:
https://developers.facebook.com/docs/reference/rest/auth.login/
Obviously I can't stop you using this in your own app, but given how old that API is and how fully REST API is now deprecated, it'd be a bad idea to rely upon it.
Instead, for Windows desktop apps, I believe Microsoft offers a Facebook C# SDK which will contain ideal methods for authentication. I'm more familiar with their newer methods that are offered for Metro Apps called Web Authentication Broker.
These pretty much just load a web frame inside the app, get the user to login to Facebook, then show the Permission Dialog (if required). From there, the app can store the UID of the user and presumably a long-lived access_token that they received upon auth. This way, they only need to ask the user to login again once every 60 days.
There are other device-based authentication methods offered by Facebook, but most are still in private testing, the only one that is currently recommend for desktop apps is stated on this page under the heading Windows, OS X and Linux native apps (at the bottom of the page).
Update December 2013: Because the Facebook Login docs have changed significantly since I wrote this answer, I'd like to point out a couple of new additions:
Manually Building a Login Flow details the steps that desktop apps can take to login users. What is new here is that Windows 8 apps can now use their deep-linking ID in the redirect_uri of the Login dialog, meaning it'll multitask back to their app from a Login Dialog when completed or cancelled. This is an improvement from the previous WebView setup, because a User's default browser will likely have them logged into Facebook already.
Login for Windows Phone is the special guide for Windows Phone 8 apps to use.
So I'm trying to build a Blackberry Webworks that integrates with Facebook.
I'm trying to use the Javascript API provided by Facebook, but I'm having some issues with logging in.
The typical "FB.login" function creates a popup, and this doesn't show up on a Blackberry so using that is no good.
Another issue is that I have no idea what to set as the redirect_url for the oauth login, because Webworks pages are referenced locally (local://index.html), and the API rejects this as a valid url. (I've also tried just index.html, but this also causes an error)
And finally, I have no idea what to use for the Mobile Website URL on the Application settings and not sure what other settings to use. Since users will be coming from a Webworks app, Facebook is rejecting login requests if I try to call the oauth url directly. (191 Error).
I figured out the only viable way to do this is to have a web server that will go through the OAuth2 authentication process documented by Facebook.
What you can do in Blackberry is open a new window or to use a Blackberry BrowserField that links to the web server, that way, your page will be able to get the oauth token that you can use to make Graph API calls.
I am building a mobile app with jQueryMobile and I intend to deploy it onto iPhone thanks to PhoneGap.
My question is : how can I authenticate myself with Foursquare using the OAuth2 protocol in my jQueryMobile app ? One solution would be to use the useragent flow of OAuth2 but this would force the iPhone to launch Safari and thus not stay within the app. Are there any better solutions than this ?
For an iPhone-based or client-side application like you would have in PhoneGap,
Foursquare recommends one of these methods.
If you have no substantive server code, you can embed a web browser and use the token flow, redirecting the user to a dummy page on your domain. You can then grab the token off of the URL and close the browser. We have sample Android and iOS code for your reference.
If you have a server as part of your application, you can use the server flow above, possibly in an embedded browser. Similar to the Facebook API, you can add display=touch to your authorize or authenticate URLs to get a mobile optimized interface.
An alternative to the above is to use the server flow and an external browser, but redirect to a custom URI handler that brings the user back to our application. You can embed the secret in your application and exchange the provided code for an access token. PLEASE take steps to obfuscate your client secret if you include it in released code, and be prepared to rotate it if needed.
https://developer.foursquare.com/docs/oauth.html
This could probably be handled with the ClientBrowser plugin for PhoneGap or just adapting the sample code they have provided into PhoneGap plugins.
One of the core intentions of OAuth2 is to not allow browserless authentication flow like we did with XAuth in the past. Service providers want consumers to see what permissions they are signing off on, and want control of that process.
I'm not very experienced with Phonegap, as I'm a native developer, but if there's a way of instantiating a UIWebView and showing it to the user, you could at least keep the web interaction 'inside' of the application. Given phonegap is basically showing a UIWebView this should be possible. It is possible to examine the source of the html within a UIWebView using
- (NSString *)stringByEvaluatingJavaScriptFromString:(NSString *)script