I want to integrate my application with Soundcloud for having the user statistics and so on, I use the client.authorize_url to send the user to approve the app on Soundcloud and I get the proper access_token but I want to know how to correlate between this access_token t the user that clicked on the client.authorize_url in my backend database (I mean I get the access token but how do I know to save it in the DB for the right user?)
Note: not a soundcloud dev.
There are two possible questions being asked here and I'm not sure really what you are asking.
If you are asking about storing data pertaining to a user that has connected through your app: Why do you need to store access tokens on your database? Access tokens expire, and they will change over time, even if it is the same user. It is better to store user-specific data (if needed at all) to a database referencing the users ID. That specific ID will not change. If you are talking about
If you are asking about the app itself, and how to reference that users information once they connect: This is done by using the method call on the SDK (not 100% on the name as I use custom implementations) for Me(). Check the documentation for more info. Hopefully this helps - if you needs some clarification let me know.
Related
I've spent the better part of a day researching this and thought I could figure this out on my own, but no luck.
Here's the situation, I have FB authentication in a mobile app. This is working fine. A user can log in and I can access the public profile data, etc.
The issue is that I would like to have NEW users or first time logins to create new records in my private database, because I am looking to store more than email, and FB id. For example, favorite items. I can also accomplish this easily enough with a post to (www.mywebsite.com/api/users/).
So, the REAL issue is that I don't want to have a route that simply allows people to add users to my database, willy-nilly.
Is there a way to pass the access token to an API route to ensure that a user can only add a new user-record to the db IF they have a valid FB login?
I've set up the famous "auth/facebook" route that is popular on the web which also works great, until I access it from my app. It then throws X-origin errors (I believe in part due to the callback route).
this post was similar, but still doesn't quite cover it.
Authenticating against a REST API with iOS client using Facebook SSO as the only login mechanism
Please help!
Thanks,
Wayne
After another two days of digging, I found a rather simple solution.
The facebook graph API will allow you to submit the access token to recieve basic user data.
So my solution is now this:
1. Use cordova-facebook4 plugin to authenticate within the app. (You can find details here: https://github.com/jeduan/cordova-plugin-facebook4
2. Send the FB id AND authentication token to my server route, like this: `myapiserver.com:1234/auth/facebook/<token>/<id>`
3. On the server side, send an ajax request to https://graph.facebook.com/me?access_token=<token received from the
cordova plugin>. This will return the name and FB ID as JSON.
4. On the server, compare the ID returned from facebook to the ID sent with the request. If they match, add the new user, if not, do
not add the user and return an error. Of course, the server will
not allow a new account to be added to the system if that FB id is
already in use.
At this point, it seems that the worst harm that could be done is for someone to hack another person's FB account, get their token and ID and THEN use that to create a user on my system for that person. Which seems pointless enough that I'm not going to worry about those attacks.
Please comment if you know of a better solution or I missed a security vulnerability.
Ref: How to get the Facebook user id using the access token
I am working on an app using Laravel that retrieves posts from facebook pages (using fb IPA) then make some operations on them, this tool can be used with no login or creating an account, and my question is:
how and to store the temporary data I get from the API since I don't have users knowing this app can be used by many people at the same time?
I guess you could solve this in several ways. I'm not quite sure what you do the get the data.
You'll need something unique to relate to the data. In case you login to the API using OAuth you could request the user profile of the user (example here using the Facebook SDK) and grab the user id or the email address. In case you do not login then you could use something like the session id.
I can't really figure out what exactly the facebook API and its services are capable of in terms of user management. Given that I would completely rely on facebook for registration and login, does facebook only provide the authentication and registration process and return me data to store in my own database or does it also itself store a list of already registered user accounts which I can query later on so that I could completely outsource user management from my servers?
If you only need to authorize a User, you don´t need to store anything. You only need to store them in a database if you need to identify returning Users, or if you need to use his data while he is not online.
There is no user management though, you can´t just get a list of all users who authorized your App from Facebook. That´s what you have to store on your own. Make sure to implement the possibility to remove a User from your database, Facebook offers a deauthorization-callback in the App settings for that.
I recently had to integrate Facebook authentication into an existing application, having its own notion of a User. I created a separate class, called FacebookAccount, which is connected to a particular user within my system.
I was initially saving the access tokens, and checking against them, rather than the Facebook id. Then, I realized by accident how unreliable access tokens actually are. They change over time, while the Facebook id is supposed to always stays the same.
Here comes the question - should I even care about storing the access tokens? If they are really transient, like, some sort of session ids, changing every now and, it makes no sense to store them at all, right? All I need would be the Facebook id. I will simply keep the access token in the browser session
You can use it for offline access if needed. Some applications (especially mobile) require Facebook login even when offline (Spotify for example.) They probably store the token and expiration date and allow you to use the app even if you are not connected to internet.
In your case, it might make sense to store it and replace old token with new one once it's acquired, just so you can re-use the API and have it passed from the database.
I'm trying to implement facebook connect to my website, and i have couple questions.
1: Is it possible to register user in my website using his current facebook email/password.
Let's say user clicks on link Register via facebook and then he have to give me permisions to access his password, email, etc... and after that is done i put that info in my own database and he will be able to login with that account any time he wants without needing to give me permisions any time in the future.
2: If that kind of registration is not possible, what's other solution would be the best for me? Because i need to somehow keep track of that user who logged in with facebook, because he can upload photos, send messages etc.
Anyways, i'm quite new with facebook and similar things, so i'm really lost here, hope some one can help me :)
EDIT Thank you all for wonderful answers it helped me a lot, now all that's left is to read documentation :)
Yes it is, it is possible to get the information of the user. But it is rather complicated, when you have never dealt with it.
First you need to send the user to the following link:
https://m.facebook.com/dialog/oauth?client_id=your-client-id&redirect_uri=xxx&scope=listof-information-you-want
Facebook will then return your client to the uri specified, if the user rejected it will give a reason. If it is not you will get an code in urlencoded format.
This code is needed for the following step, the request of the access token:
https://graph.facebook.com/oauth/access_token?redirect_uri=xxx&client_id=xxx&client_secret=xxx&code=xxxx
This will give back an access token, if the authorization didn't fail.
After that you can ask for the information you want:
https://graph.facebook.com/me?method=GET&metadata=true&format=json&access_token=access_token
This will include a facebook uid, which is unique for all users. Store it and you can discern between a register and login.
This is roughly the process for any oauth2 application.
Facebook will not ask repeatedly for permissions after the user granted them to you. So you can store the access token and reuse it for backend stuff and also use the same procedure you use for register for login.
You can never access the user's password from Facebook even with his/her permission, so the user will always have to authenticate via Facebook and have Facebook pass you the user id of the logged in user once authentication succeeds. You can store all kinds of other data locally, but not enough to authenticate the user yourself.
Once the user is authenticated, you'll have access to the user's Facebook user id via the API, which should be enough to connect all kinds of information to that specific user.
Facebook does not provide access to accounts when passwords are taken from your controls. It provides it own canvas for login information. Therefore you cannot use your first approach to store passwords in your databases. Check this out.
You can however store email addresses once user logins into his account using the facebook sdks. Check this out link for the example of C# SDK sample code.
You can use the Facebook APIs to fetch user email-id, photos, friendslist and other information and then play around accordingly.
You don't get access to the users password - only email if you ask for it.
Best way would be to have a table of users and their Facebook account id's.
If you want to allow users to sign up without Facebook then have a nullable field for their password and facebook id, and also have a field for username - which you could populate from Facebook if they register via that route.