I am a fairly novice Symfony (v3) developer and try to implement a Facebook login on my web application with HWIOAuthBundle. I have already read upon OAuth2 and understand the basic workflow using Authorization Code. Furthermore I have studied Facebook's relevant on tutorial. Also I followed the complete HWIOAuthBundle tutorial. However, due to the very sparse documentation imho on HWIOAuth-side, I am still not able to grasp "all the magic" that is happening under the hood inside the bundle.
(1) I do not fully understand the example Twig Template:
(a) If I understand correctly, if response.status === 'connected' then Facebook has already returned an access token. In the template, a call is made to url("hwi_oauth_service_redirect", {service: "facebook"}). Do I assume rightly that the controller behind the service then loads the rest of the user information from Facebook and then calls the configured oauth_user_provider to start authentication process in symfony?
(b) If response.status is not equal to connected, then user is still not logged in yet (either not into Facebook or not into app). In the Twig template, again a redirect is being made to url("hwi_oauth_service_redirect", {service: "facebook"}). Why is again the same controller called and what does it do then?
(2) I do not understand all configuration parameters as shown in the HWIOAuthBundle tutorial:
(a) routing.yml:
What is the entry for
hwi_oauth_login:
resource: "#HWIOAuthBundle/Resources/config/routing/login.xml"
prefix: /login
good for?
(b) security.yml:
oauth:
resource_owners:
facebook: "/login/check-facebook"
login_path: /login
failure_path: /login
What is behind /login/check-facebook?
What is the purpose of login_path, what is behind /login?
1)a) No. The controller (link) ends up redirecting the user to an authorization url It redirects the user to the authorization url
1)b) You can be logged into facebook but you might have rejected the app in the past. FB.login asks the user again for permission (that's why the scope:email is added there)
2)a) it loads the login routes under a prefix if you check that file you'll see that it adds a route under the "/" path putting the prefix helps you avoid conflicts with your other routes.
2)b) it's not a real route it gets intercepted by the firewall to check user auth. If you've implemented a normal login html form it's the same as /login_check, it's where your login html form action is but there's no controller behind it. Symfony security is extremely flexible so it can get a little bit complicated to wrap your head around it, I recommend that you see this slides from Sarah Khalil where she explains it. login_path is where your normal login form would live, in this case it's where your facebook login button, and the rest of your twig template, would be.
Related
I am using external providers to login to my web app. (for example Google). In my custom userservice I get to AuthenticateExternalAsync and from there I want (if need to) redirect to Angular page.
public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
{
...
...
context.AuthenticateResult = new AuthenticateResult("~/externalregistration", user.Subject, name, identityProvider: user.Provider);
return Task.FromResult(0);
}
i have html page
at https://localhost:44300/Content/app/externalregistration.html
How do I map externalregistration to this page?
At the moment I get an error
https://localhost:44300/identity/externalregistration#
HTTP Error 404.0 - Not Found
thank you
Mark
The page for the partial login has to be with IdentityServer - see that it's looking for it at /identity/ and not /Content/app/.
If from your user service you issue a partial login, then that web page is entirely up to you to serve up from the server. If that partial login page needs to know the identity of the user, then it needs to be hosted in the same path as IdentityServer so the partial login cookie can be read on the server. If you then want that page to be a SPA, then you'd have to have some server side code issue something into the browser for your SPA to know the identity of the user. If you want that page to be a SPA and make Ajax calls back to the server, you need to include some XSRF protection.
All in all, custom partial pages are easiest implemented as standard server-rendered MVC pages.
I have the following Auth object in my app:
App.Auth = Ember.Auth.create
signInEndPoint: '/users/sign_in'
signOutEndPoint: '/users/sign_out'
tokenKey: 'auth_token'
tokenIdKey: 'user_id'
userModel: 'App.User'
modules: ['emberModel', 'rememberable', 'actionRedirectable']
actionRedirectable:
signInRoute: 'home'
signOutRoute: 'login'
rememberable:
tokenKey: 'remember_token'
period: 7
autoRecall: true
Everything with authentication is working great. The problem I'm seeing now, though, is that when a user attempts to access, say, 'mydomain.com/#/articles/12' and has a valid remember token, accessing the application is tantamoun to starting a new boot of the application. The user is signed in via remember token, and actionRedirectable takes over and takes the user to HomeRoute instead of going to the requested resource.
I feel like I could get around this by manually transitioning the routes in the relvant login/logout controllers, but I wonder if there's a baked in way of solving this in EmberAuth?
ember-auth dev here.
This looks like a known issue. Try the fix in this comment from github issue #69.
In short, module order does matter. actionRedirectable needs to register the route (probably the article route in your case), before rememberable signs in the user and requests a redirect. Otherwise it would have nowhere to redirect to, and falls back to your home route as specified.
There have already been requests of fixing this unexpected behavior, but I haven't been able to find a fix yet - sorry.
I'm using the Javascript SDK inside a node.js (Express) App.
Connecting Users works fine, but the connection does not persist between page reloads.
Is this the default behaviour, or is the User supposed to stay connected in new requests?
Do I have to use OAuth token authentication and if so, how can this be done with the JS-SDK?
Inside the "Permission"-Popup, Users are already logged in with soundlcoud, though.
(just have to click the "connect" button each time)
Figured I'd share my answer for those who are unsatisfied with the current answers for automated oauth:
Retrieving access_token:
I had to define get and set cookie functions and then I use the functions to set and retrieve a function holding the access token. I'm not going to give these functions for conciseness but you can easily find them with a google search. I then use this line of code to get the SC access token (once the user has authenticated for the first time)
SC.accessToken()
Setting token:
So this is kind of just an elephant in the room in my opinion that for some reason no one has mentioned. How in the **** do you connect w/ SC using the access token? Do you set it as oauth param? On each call pass it? Well, after experimenting with putting the parameter in every single place I could think, I found out you have to do something like this:
SC.initialize({
client_id: '[removed for security reasons]',
client_secret: '[removed for security reasons]',
redirect_uri: '[removed for security reasons]',
access_token: getCookie("sc_lm2"),
scope: 'non-expiring'
});
//Where "sc_lm2" is the name of my cookie
Hope the helps! Took me a while to figure this out for such a simple thing
EDIT
Using PHP and Wordpress:
$json = wp_remote_get("http://api.soundcloud.com/users/[user_id]/tracks.json?client_id=[client_id]");
$soundcloudData = json_decode($json['body'],true);
(substitue cURL functionality if you're not using Wordpress). #krafty I assume you would just change the endpoint from "/tracks" to "/users" but I can't say I have ever really needed to grab anything but tracks using the Soundcloud API. Hope this helps, though I'm not sure I fully understand what it is that you are trying to accomplish (or rather, how exactly you're going about it) - are you trying to allow user logins? If you want to explain fully what you're trying to accomplish and the steps you're taking I'd be happy to take a crack at it.
Yep, this is the way to do it, officially. :)
For the Next SoundCloud site, we store the token in localStorage (until the user logs out, of course). In each AJAX request to the API from the front end, we put the oauth token in a request header:
jqXHR.setRequestHeader('Authorization', 'OAuth ' + the_oauth_token);
I am at this step in getting my app started in the documentation:
https://developers.facebook.com/docs/appsonfacebook/tutorial/#auth
In there is a code block that (supposedly) forwards the user to a request dialog asking permission to access certain bit of information about them. I've placed this code block into the PHP script that my canvas URL points to, and changed the $app_id and $canvas_page to my application ID and canvas URL respectively. Instead of getting the expected dialog, I receive this following error from facebook:
"An error occurred. Please try again later."
No other details about the error are present. I've tried some variations of the script, and have even tried loading up this URL directly just to see if that would work. Note that I've replaced YOUR_APP_ID and YOUR_CANVAS_PAGE with the appropriate values and made sure that spelling and/or punctuation are correct:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_CANVAS_PAGE&scope=email,read_stream
For the redirect URL, I've tried prepending it with http://, https://, and no prefix at all. All with the same result.
My question: is the example in the documentation broken, or is the oauth link provided in the documentation currently down? The vague nature of the error is somewhat frustrating since I can't tell if it's something I'm doing wrong or if it's facebook's oauth function that's at fault.
So, the problem was that instead of using the numeric application ID that facebook assigned for me when I originally created the app as the YOUR_APP_ID parameter in the OAuth URL, I was using the application namespace string. Facebook didn't understand this sort of request, and returned the generic error message.
Once I used the numeric app ID, the OAuth dialog popped up to ask permission to access my account, as expected.
The title really says it all. Under some (undetermined) conditions FB.getLoginStatus() just stops working and won't invoke the callback I gave it. The only interesting clues I've found are
FB.Auth._loadState is stuck on "loading" -- whatever is supposed to make it click over to "loaded" isn't happening
slight delays like putting in alert() calls tend to make it start working
Any hints at all about even how to investigate this welcome.
This usually happens for me when I am running the page under a different domain from what has been registered in Facebook. Typically this is when I am developing locally.
If you are running locally, you'll have to set up a local web server and then modify your hosts file to point the the registered domain to 127.0.0.1 in order to test on your local machine. Don forget to remove that line from the hosts file when you want to test it on the server.
According to:
https://developers.facebook.com/bugs/240058389381072
You cannot put your application under sandbox mode, or else it won't work. Go into your app settings, advanced, and switch it. This stumped me for a couple hours until I happened upon the bug report.
I had similar problem with FB API. It turned out, that my Facebook App was misconfigured. Please make sure that this is not the case for you. My problem was that my "Site URL" param in FB application was pointing to https, but I was using http protocol for development. Any call against FB api after FB.init was not calling my callback functions. So the first thing to do should be to double check App config.
Now, if some reason you depend on FB api but you wish to have a fallback option in case it;s inoperative - workaround with timer should be ok for you. Just set up a timer and disable it if FB Api gives you proper response. If not - fallback to some custom function which will perform some additional logic.
function callFbApi() {
var timeoutHandler = setTimeout(function() { requestFailed(); }, 1000);
function requestFailed() {
// When this happens, it means that FB API was unresponsive
doSomeFallbackWork();
alert('hey, FB API does not work!');
}
FB.getLoginStatus(function(response) {
clearTimeout(timeoutHandler); // This will clear the timeout in case of proper FB call
doSomeUsualWorkAfterFbReplies();
return false;
}, true);
}
If your application is in sandbox mode, Facebook acts as if your application is invisible to anyone who is not listed as an application developer. If you're not logged in, then it would stand to reason that your app is now invisible.
The callback will only fire if you're initializing with a visible application. Otherwise the following response is returned:
<span>Application Error: There was a problem getting data for the application you requested. The application may not be valid, or there may be a temporary glitch. Please try again later. </span>
For more info please see my comment on this bug ticket:
https://developers.facebook.com/bugs/240058389381072
Maybe you are using the asynchronous call. The same thing happened when I called FB.init with window.fbAsyncInit. All I did was delay the FB.getLoginStatus with a setTimeout function
window.setTimeout(checkLogStatus, 1000);
function checkLogStatus(){
alert("check");
// fetch the status on load
FB.getLoginStatus(handleSessionResponse);
}
It seemed to work after that
On the new version of the Developer app, you have to make sure to have put the correct URL you are using to access the application in the Website field under the
Select how your app integrates with Facebook
section.
Make sure the protocol is HTTPS and not HTTP.
I had a similar problem. The site worked every time when I was opening the browser, but fails when I tried to reload.
The cause was the missing "www" on the site name on Facebook configurations. Note that putting "www" (like www.yoursite.com) works on both situations (yoursite.com or www.yoursite.com).
As others have posted, you must be accessing your site at the same URL that facebook expects. For example if facebook has a callback "example.com" but you're browser has "www.example.com", that can cause this problem.
In addition, if third-party cookies are not allowed by your browser, you may also see this problem. Or you may see the callback erroneously reporting the user is not connected.
Just posting a situation I had were calling FB.getLoginStatus got absolutely no response.
My application is designed to run in a tab, and I only entered the Page Tab URLs on the app admin page, and not the App On Facebook (i.e. Canvas) URLs. The tab loads perfectly, but any calls to the FB JS SDK provoke no response.
In Facebook App Settings, go to Client OAuth Settings, look at Valid OAuth redirect URIs
Make sure you have listed all URIs which are the domains from which Facebook SDK is being invoked. For example:
I develop at localhost:5000 and deploy to Heroku. Notice the format: http://domain.name/