I'm implementing the FB login/logout in my web apps. Each of my web apps serves a different purpose thus having different domains. But they share the same user database.
User's Facebook sign-up comes from one web app. I pass the access token returned by the client side JS-SDK login function to the server. At server side I used the Facebook email and ID (retrieved with graph API /me) as the user's username and password, respectively.
At first, I created a unique Facebook App for each of my web sites. In this case, in my other web apps, when logging in with Facebook, the graph API /me returns a different ID for the same user, so the user cannot login.
It turns out that the response.authResponse.accessToken returned by Facebook login is also different. Then I tried to add all the domains under Settings->Advanced->Valid OAuth redirect URIs in one Website App, but the access token and ID are still different for each domain.
I wonder what is the problem here. Why Facebook returns different IDs for the same user. And why the access token is different even if the web domains are all in one App (same app ID and secret). Thanks.
As #WizKid suggested here, you need to map users between different apps. Usually you will need to create a Business Manager and add your apps to that manager. Then you'll have access to all the apps' info, including their scoped user IDs, by calling API /me/ids_for_business
Related
In my mobile app, users are allowed to login over facebook (standard azur mobile service facebooklogin).
Now i want to take that to a next step. Based on the users facebook login, i want to access his profile over the facebook .net sdk.
After the login i want to call a "getUserInfo"- Method which returns the info from facebook. So the whole facebook access should happen on the backend side.
Is this possible with azure and if so, whats the best way to do so?
In your Mobile Services .NET backend, you can always get the Facebook token by calling (within a controller):
ServiceUser user = (ServiceUser)this.User;
FacebookCredentials creds = (await user.GetIdentitiesAsync()).OfType<FacebookCredentials>().FirstOrDefault();
string accessToken = creds.AccessToken;
Then you can communicate with the Facebook Graph API using that token.
If there is a particular set of capabilities you want to be able to access beyond the public profile, you may want to add permissions to your login request via the MS_FacebookScope application setting. The value is just a comma-separated list of the scopes you wish to use.
You may find this blog post helpful in explaining the above in more detail:
http://azure.microsoft.com/blog/2014/10/02/custom-login-scopes-single-sign-on-new-asp-net-web-api-updates-to-the-azure-mobile-services-net-backend/
I want to enable my users to associate their user account with a Facebook or Twitter and allow them to login on my server with their Facebook/Twitter account instead of using the classic username/password. Basically the same idea as the login in StackOverflow.
My current approach for Facebook:
The client application will perform OAuth and then use their Facebook id to login on my server. Based on this Facebook id, the server will lookup the associated user account and perform login without asking for username/pasword. However just relying on the Facebook id to login is not very safe, as that is the same as using only a username to login instead of username & password.
So to make sure the Facebook id is authentic, the client application will also provide a FBSR (Facebook Signed Request, see: https://developers.facebook.com/docs/facebook-login/using-login-with-games/#checklogin) with the login request.
The server will check two things with this FBSR:
The Facebook id in the request must be the same as the one hidden in the FBSR
Server will recalculate the signature part via the Facebook secret key. This must match with the signature in the FBSR .
Normally the server should perform a check with the Facebook server with the oauth_token to be 100% sure of the users identity. However I need skip this in order to avoid dependency to Facebook server on our server.
I have 2 questions:
1) Is this above approach good enough? Can it be improved (without server-to-server communication)?
2) I want to do the same with a Twitter account, but the their signed request is different then Facebook. It seems the Twitter user id is embedded in the oauth_token, so my approach may work with a little tweak, but I am not sure whether the user id is always part of the oauth_token and cannot get this confirmed after searching the internet.
I think that your approach is good enough and don't see any way to avoid server-to-server communication with a signed request. Bear in mind that, with Facebook Graph Api Version 2, in order to protect the privacy of the user, Facebook will send out not the real user id, but one generated for apps. It will also be possible to enable anonymous login.
I am not sure of what you're trying to do with Twitter, and why you compare the APIs (they're quite different). The Twitter login, also know as Sign in with Twitter, used for any website or mobile app, should work for you too.
I created a test app on Facebook.
I chose to request access to user events for API calls.
I then connected my user properly through api, I can get user details by oauth key for this particular user, but I can't access user events.
From the tools that FB provides, I seem to be able to access the user events, but the oauth key used in the call is different from the one FB gave me back for this user.
What did I miss?
Realized that specifying scopes only within the app setting panel wasn't enough.
For each new oauth call for users, need to specify the list of scopes you want to authorize the key for.
All working good now.
I know that facebook allow me to specify multiple domains for my app.
But in the "Website with Facebook Login" i can only specify one url.
Is it possible for me, to authenticate users on domain.se, domain.dk and domain.net with the same App ? Or should i still create one app, for each domain ?
It is technically possible to use Facebook Connect on multiple domains, there are some limits (5 domains max).
So the key to doing this is adding all domains in the App Domain field under your app settings.
The PROBLEM, however, is that Facebook only lets you add domains that are derived from your Canvas URL or Site or Page tag URLs, so if you try to enter anything else you get an error that looks like this:
The SOLUTION is to create App on Facebook, Website, and Facebook Tab using the ADD PLATFORM button and then put in URLs that point to your other domains. Here is an example of what I mean:
If you use a unique domain for each field you can max out with 5 different domains. I have tested this technique with up to 3 domains, but i think it should work for all 5.
Note: Facebook admin features change from time to time, so all of this is subject to change
As long as you listed all the desired App Domains in application settings you should be able to authenticate users on any of them.
"Website with Facebook Login" is really only intended to be used as link to your site/application.
Update 2 (July 2016):
App domains must match the domain of the Secure Canvas URL, Mobile Site URL, Unity Binary URL, Site URL or Secure Page Tab URL.
Update (December 2013):
At the time of writing original answer it was possible to list any domains in application settings but from that time the UI of Application Settings (as well as way of handling Application Domains) changed at least couple of times, at some point you could only list domains that derive from one of application's canvas pages.
As of December 2013 it is possible (again) to list domains that do not derive from application canvas URL.
Assuming your domains are being served by the same web server and you have access to that web server, you can use the manual login procedure: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow to login from as many domains as you wish.
Assume your domains are site1.com,site2.com.... Instead of using the Facebook javascript API, you will simply place a plain old Log In with Facebook button on each site which will redirect the browser to the facebook login page as described in the above article. In the state variable you can specify a code which indicates which of your sites is requesting a login. In the redirect you will use a single service domain which you assign to your web server (e.g. fb.mywebserver.com) and which you specify as the verified redirect url in the facebook login settings page. All the sites will redirect to this same url, avoiding the problem of supporting multiple domains.
Once the user has logged in, the browser will redirect to fb.mywebserver.com and pass it the state, which tells you which site is requesting login and a code which you can use on the back end to retrieve the user's info using the Facebook graph apis. You store this info with a uid in your data store then using the info in state, you redirect to to the appropriate site including a parameter that indicates a Facebook login (e.g. site1.com?fbc={some uid}). The browser will obediently then call site1.com?fbc... Your web server will receive this request and detect the fbc parameter which tells it to associate the corresponding Facebook logged in user with this site. It can then retrieve the logged in users info using the uid and, for example, return a session cookie for this user along with the page. If you generate the page on the server you can, of course, also include a welcome "user" or alternatively, your client code can do an ajax call to retrieve that information.
From the user's standpoint they press the Login with Facebook button, are redirected to a Facebook login page where they login and then are redirected back to your site in a logged in state. Not quite as nice as having the login popup but likely acceptable.
A similar process can be used for google logins as well
Best thing I've found to do in the development/production scenario is add a "Test App", then add a platform for your development web site - as you have to provide where the "page tab url" lives if you use that as a platform.
Facebook requires your "page url" to be live / accessible if you need to apply for status or permission review.
This got me around the "login in development" / "login in production" scenario.
I am trying to understand, how facebook authentication works and how the flow should look like. I am working with Google App Engine and I have managed to obtain first the code and then access token. Using it I can for example retrieve user's friends list. This is all cool.
However, how can I store this access_token? I wan to allow my user to access different pages in my facebook app and I will need this access token on those pages. How can I store it and how can I retrieve it? Or maybe no matter which page user accesses I first need to get the code and then access token and only then can I perform some operations on his behalf?
I don't want to use javascript sdk for now. Is it possible to do it all from server side?
how can I store this access_token? I
wan to allow my user to access
different pages in my facebook app and
I will need this access token on those
pages. How can I store it and how can
I retrieve it?
just store the access_token in the datastore.
https://github.com/facebook/python-sdk/blob/master/examples/appengine/example.py
line 50.
It is from the facebook python sdk.
https://github.com/facebook/python-sdk/
If you don't want to use javascript sdk, you need to see this document. It has all details for facebook Oauth.
http://developers.facebook.com/docs/authentication/
While facebook redirect your user to your page assigned by redirect_uri. It will give your the code (A_CODE_GENERATED_BY_SERVER), then your server can get the user's access_token/facebook id with server side facebook api + code. Then you can login your user (set the session/cookie) and do whatever you want.