My application allows for user authentication via Facebook. I am calling FB Graph API to get details on a logged in user like so...
https://graph.facebook.com/<fbUserId>
But sometimes I see that email address is not one of the fields which is returned. I think this is because when the user was prompted to allow my app access to their public profile and email address, the user chose not to provide their email address. However my application needs email addresses. Is there any way I can tell FB through the Graph API to make that "Edit the info you provide" dialog to reappear so the user can subsequently choose to give their email address?
I think you're asking about how to re-prompt users who denied a permission, so that they're asked to grant the already-declined permission?
If so, you can check which permissions were granted and then re-prompt for those which were previously declined - as you noted, users aren't prompted multiple times to accept a permission if they've already declined it
To re-request, use auth_type: rerequest in your call to FB.Login() (javascript) or your call to the Login dialog; I believe the mobile SDKs handle this automatically (e.g. FBSDKLoginManager in the IOS SDK)
Note that with your specific example, it's possible a user won't have an email address accessible via the API even if they do grant you the email permission, as they may have an unreachable address, be a user without a confirmed address, have signed up to Facebook using a mobile phone number, etc
As a result, you may need to build a UI for users to manually supply their email address anyway, if that info is truly necessary for your app
Related
I'd like to offer our users a Facebook login option. But I'm not sure how to identify existing users (without a stored Facebook ID).
From the docs:
https://developers.facebook.com/docs/facebook-login/multiple-providers#addingfacebook
After a successful login using Facebook, you will have the person's
email address, Facebook ID, and access token. Your app should search
for an existing account that has been created with that same email
address. If one exists, you should merge the two accounts and add
the Facebook info to the existing account - as recommended above.
That doesn't sound like a secure approach to me. What would prevent someone from creating a new Facebook account with a fake email address that matches a user account in my app and then use my Facebook login option? (Obviously, this will not work if the user already owns a Facebook account)
Your concern...
That doesn't sound like a secure approach to me. What would prevent someone from creating a new Facebook account with a fake email address that matches a user account in my app and then use my Facebook login option? (Obviously, this will not work if the user already owns a Facebook account)
TL;DR
Facebook Registration process
Go to facebook.com/reg.
Enter the name you go by in everyday life.
Enter your email or mobile phone number.
So...
Facebook needs your email or phone number, that means there's no way someone can use another account's email or phone number to sign up again.
My advice to you is...
You have two or more authentication methods - 1 manual (email & pass) | the rest (social login).
You already have users, so when users login using OAuth and a matching email or phone number is found, you ask permission to link their Facebook account to your app or site account with a matching credential.
At this point you should authenticate the persons identity one last time, by having them enter the password for their account on your app or site.
Now you can safely assume this person is who they say they are and store their info in your DB.
I'm implementing a Log In With Facebook button on my website, and will be using the email field for two purposes:
create a new account if I don't have this email in my user database
match an existing account if I have a user with this email address
Does Facebook guarantee that they verified the user owns this email address when they return the field in their API?
Otherwise, in the (unlikely) event that a user of my website does not have a Facebook account, someone could create a Facebook account with this email, without validating it, to log in to my website with their account.
They are supposed to be but Facebook has had issues in the past of unverified emails being allowed to pass through the API Is it possible to check if an email is confirmed on Facebook?.
If you implicitly allow Facebook accounts to link up via email, then the next time Facebook has an issue they can effectively take control of all your users accounts.
The secure way to link users up is to either:
Ask a normal user to link their facebook account by logging into it.
Ask a Facebook-user to login with your sites normal account.
I'm developing an app in which users log with their Facebook account, but only the Facebook profiles that the system administrator have previously entered.
In other words, the system admin enters a bunch of Facebook profiles, and when the user tries to log into my app, the system checks if there's a record for that Facebook profile.
I used to do this using the user's Facebook username, because the admin could get that information easily from a Facebook profile's URL, and Facebook provided that username when the user logged in. This is not possible anymore with Graph API 2.0, because Facebook does not provide the username field anymore.
So do you guys have any suggestion on how the system administrator could easily identify users, so they would be granted access in my app?
#WizKid is right, using the user's email is the best way to do this. Any user will be able to login, but then you can build in a check to see if that user's email is in your "pre-approved" list.
To get the user's email address, you need to ask them for it in the login dialog using the scope parameter. In the JS SDK, it looks like this:
FB.login(function (response) {
// handle response
}, { scope: "email" }); // <<< the important bit
Note: with the new Graph 2.0 Login dialog, a user can choose not to provide their email address by unchecking it in the "edit the info you provide" section of the dialog. As a result you'll need to double check that the user actually provided their email address.
Facebook is blocked by my company firewall but I want to develop an app where in employees can click a link we send it to their email and provide access to their facebook account and update. Firewall blocks facebook.com so I cannot have users type their username and password on facebook.com url. Can I have users type in their username and passowrd on internal website using which the app will login and get access?
it goes against the purpose of oauth to take the user's password and use it to log in as that user. oauth is designed so that the user will never have to disclose their password to your app but still be able to provide your app with some of their own facebook data. this way, only the facebook data which the user chooses to share will be available to your app. also the user may choose to allow your app to publish on their behalf, see here for the details.
my suggestion would be to get the users to authenticate your app from outside the work network (where the facbook.com url is available). this way you can still post on their behalf and your app can get certain information from their profile to relay on to them without you ever needing to know their password.
I want users to able to sign up in my application(rails) using facebook connect.
However I am not very sure what all information of the user will be available ,specifically the email of the user. I know that the emails of the user's friends are not available, but not sure if the email of the user himself is available.
You can prompt the user for email extended permission.