We have a Proof of Concept requirement that from a static URL posted in an advertisement on Facebook, we identify the unique individual that clicked our link and has landed on our page (external to Facebook).
This static advertisement will have no coding associated with it (that is part of our challenge - and will just redirect the user to our site).
Is there anything within the stream of data that is sent in a normal redirect or available to us in anyway that would allow for the following:
Identify the user that clicked
Allow for a callback to Facebook to
get any unique user information
Not sure it matters -- but we are looking at a .NET C# site as the landing page...
You can´t identify the Facebook user in any way without authorization. So when he visits the link, you need to implement authorization and you can check if it´s the same user with FB.getLoginStatus, for example. That function of the JavaScript SDK refreshes the Access Token so you don´t need to redirect to another page when it´s not valid anymore.
Here´s a tutorial, just in case: http://www.devils-heaven.com/facebook-javascript-sdk-login/
But remember: Nothing without authorization.
Related
I'm serving a list of events to my clients’ website. They include it via php/curl (rather than iFrame), so they can fully customize the CSS.
However, this means that I can’t use the Facebook API to find out wether a visitor of my client’s page is logged in to FB: The FB-API call needs to be signed by an application and shall only be called from the domain the application is associated with. (That would be my server’s domain, but the requests are coming from my client’s page.)
Back in the old days, accessing a user profile on FB would issue a 404 error, if not logged in.
<script type="text/javascript" src="https://www.facebook.com/pianojoe" onload="enable_social_links()" onerror="not_logged_in_to_facebook()" async="async"></script>
That was convenient, but FB took care :-/ of it.
I want to show FB-links for the events in my calendar only if the page visitor is logged in to Facebook.
My question: How do I find out if a page visitor is logged in to Facebook if I can’t determine the domain of the referring page beforehand, and therefore not use the Facebook API?
The Facebook PHP SDK has a (relatively new) method called getLoginStatusUrl.
It creates a simple URL that you redirect the user’s browser to, which takes them to Facebook, where his login status is checked, and then redirects them back to one of three different URLs of your app, that you can specify.
ok_session is the one that you would be mainly interested in here: “URL to return if the user is logged in to Facebook.”
(The other two are no_user for when the user is logged out of Facebook, and no_session for when Facebook themselves can’t figure out the user’s status, because there’s no user-specific FB cookies whatsoever set in their browser.)
So you could set ok_session to an URL of your application with an additional GET parameter like ?logged_into_fb=true (the other two options, if not specified explicitly, will then only redirect back to your app’s base URL) – and that way, when the user is redirected back to your app with that parameter, you know they are currently logged into Facebook.
Whether or not you are actually using the FB PHP SDK does not really matter – by looking at the source code of the method it’s relatively easy to figure out how the actual URL is build, so you could easily adapt that and use it without the SDK as well.
I'm building a Page Tab application that will allow Facebook users to make purchases through our client's FB page directly. In order to do that, once the user arrives at checkout, it must be authenticated and the user must be logged in in order to obtain their e-mail address.
However, when I try to authenticate the user via the URL:
https://www.facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=REDIRECT&scope=manage_pages%2Cemail
Instead of staying within the iframe, it redirects the entire Facebook page, making it impossible to easily authenticate the customer and continue on to checkout.
I'm referencing a similar app that does exactly what I need, but they seem to be using FBML which, to my knowledge, is being deprecated in 2012. If using this URL is an incorrect way to authenticate a customer in a Page Tab app, what would be the proper way to do this without the use of FBML?
Why are you using authentication dialog via that URL? How about using javascript SDK function, FB.login() instead?
http://developers.facebook.com/docs/reference/javascript/FB.login/
I'm new to all this. This is what i'm after and i'm sure it's possible.
I've got a script where people can register/login in to as members. What i'd like to do is tie it in so that it just uses Facebook users details for the registrations. I've managed to set it up to sign up and and complete a registration using a user's name and email.
What i'd like to do now is automatically log the user in if they're logged in on facebook, is this possible or will they need to click a login button that then takes them to their page? If they need to click a button to login, how do I go about getting the button to take their facebook details and log them in? Also what happens in regards to passwords on my site? Is that stored in the app somehow?
Ideally i'd like to use the popup version of verification rather than the iframe that i've got set up at the moment.
Cheers in advanced for any help for a n00b!
This is in fact possible. Although I for my part was never a fan of such things here's some human-readable (simplified) theory:
Facebook uses a system called OAuth ( http://de.wikipedia.org/wiki/OAuth ). That means, when you want to have the user login onto your site using Facebook you'll of course need to provide a button/facebook-login-frame (see documentation) that says "Log me in with Facebook" or so. You then access Facebooks API (more here: https://developers.facebook.com/ ) and basically tell Facebook who you are ("Hi I'm website XY"). While that happens your user is redirected to Facebooks "permission-landing-page". On that page he needs to confirm whether he is fine with your website accessing certain information (like his name). If he confirms your website receives an access-token granting you access to a subset of his user information which you can then use to personalize his expeirence on your website.
Check out facebooks documentation because they explain exactly your usecase in detail.
(here: https://developers.facebook.com/docs/authentication/ )
PS: You'll of course never have any access to his Facebook login/password. That's kind of the idea behind "delegating" the authentication via OAuth to Facebook. Facebook only provides you with an access token (bound to that particular user who logged in and granted your app/website permissions)
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.
I have a website based game that has login accounts that I want to integrate into facebook (not facebook connect, I want to use an iframe canvas page).
My question is how can I authenticate a user and how can I check if a user is coming from facebook or directly from the site.
I have been playing around with require_login() using the PHP library. My main fear is how can I authenticate that the GET parameters from facebook are indeed from facebook? If I can do that then I can store their facebook session id and Uid in a session as login credentials.
My other worry is that the GET variable may get passed as a reffer to an external link.
Finally... I find in some browsers that with require_login() that it breaks out of the iframe and gets into an eternal look continually adding additional authtoken's to the URL.
Hope someone can help
Yes you can create a app that works independently as well as facebook app. For the facebook you will have to use the facebook's iframe method to work under facebook.
You can verify the request comes from Facebook by verifying the signature in the same way that Facebook checks that API requests come from your application. With the PHP client library you can use the validate_fb_params() method of the Facebook class to do this automatically.
Bear in mind that session key's are temporary so the user will keep needing to authenticate with Facebook through your application otherwise the key expires within the hour. You may also run into a 3rd party cookie issue with Safari if you're hoping to store the session key in a cookie, and you'll need a compact privacy for quite a few other browser/privacy setting combinations as well. Something like:
<?php
header('P3P: CP="CAO PSA OUR"');
?>
in an include would do it.
And yes: the session key may be passed to external sites as in the referrer properties. It's just one of the security flaws that the platform currently has. The only way around that is either to redirect all external clicks through a handler which removes the referrer, or redirect on page load to strip the fb_sig_ss parameter out.