I can't really figure out what exactly the facebook API and its services are capable of in terms of user management. Given that I would completely rely on facebook for registration and login, does facebook only provide the authentication and registration process and return me data to store in my own database or does it also itself store a list of already registered user accounts which I can query later on so that I could completely outsource user management from my servers?
If you only need to authorize a User, you don´t need to store anything. You only need to store them in a database if you need to identify returning Users, or if you need to use his data while he is not online.
There is no user management though, you can´t just get a list of all users who authorized your App from Facebook. That´s what you have to store on your own. Make sure to implement the possibility to remove a User from your database, Facebook offers a deauthorization-callback in the App settings for that.
Related
I am working on an app using Laravel that retrieves posts from facebook pages (using fb IPA) then make some operations on them, this tool can be used with no login or creating an account, and my question is:
how and to store the temporary data I get from the API since I don't have users knowing this app can be used by many people at the same time?
I guess you could solve this in several ways. I'm not quite sure what you do the get the data.
You'll need something unique to relate to the data. In case you login to the API using OAuth you could request the user profile of the user (example here using the Facebook SDK) and grab the user id or the email address. In case you do not login then you could use something like the session id.
Update: It appears that when there's no API or token, software seems to simply ask the user for their account credentials, and probably has to store this information. I guess it can't be a huge security risk, since people are willing to share this information with apps like Mint:
So, my conclusion is that it is OK to ask users for credentials to other services if they can be secured safely and the user desires the service provided.
Many, many apps use others apps such as Facebook in order to get data from it, usually to verify the user is real and to get relevant profile data (e.g. a dating app would want age, gender, etc.).
When using such an app, I do not have to enter in my Facebook credentials. The app simply opens up my Facebook/asks for permission to access it, and voila it's done.
There seems to be a lot of documentation for well known companies like Facebook, Twitter, and PayPal on how to do this.
But how is it done for an arbitrary website that requires a user/profile, e.g. this website: http://ae.com/web/index.jsp
Unsurprisingly, if I google for FaceBook, there's a heap of resources, and even it's own dedicated tag (https://developers.facebook.com/docs/facebook-login/access-tokens).
However, if I start googling for American Eagle, e.g. "https://www.google.com/search?client=safari&rls=en&q=american+eagle+access+token&ie=UTF-8&oe=UTF-8", I get nothing relevant at all.
If I understand your question right, that you want to enable facebook login for your website,
you still need to create a facebook app. then use the access tokens in your website. so when user clicks on login with facebook, the app will be asking for permissions and finally you will get the access token and you can use that in your site to log in.
I am working on a requirement where I need to collate information from a persons social media profile into the application mainly LinkedIn, Facebook, Google and Twitter.
The app has the email ID provided by the user. Assumption is of course that the person uses the same email ID across all the services.
My initial gut feel is that I need to ask the my user to login into my app using their Facebook / Google / Twitter ID and once he is authenticated, the corresponding API can then give their information. However, I am not sure if this approach would be feasible for multiple providers i.e. I need info both from Facebook AND Google+ for example
Alternatively, is it possible to use the API's of any of these Social Media applications to map the email ID I have to a user in those applications and then to get the user's public information?
Also, is anyone aware of any 3rd party products / API's which can help provide this kind of identification? I have heard of Rapleap (www.rapleaf.com) but the profile data provided by them does not seem to have social media related information that I am interested in.
Note : I have never worked on anything related to social media in the past and hence if there is some faux pas in what I am trying to do, please feel free to point out the same.
I'll start by assuming that when you say "email ID" you actually mean "email address" which in turn is the user id for those social media networks
is it possible to use the API's of any of these Social Media applications to map the email ID I have to a user in those applications and then to get the user's public information?
Yes and No. In order to request profile information from of these social media networks (let's called them just "providers") your app will need to request it on behalf of the actual user. That is, the user will need to authenticate itself with these providers through your app. For this to happen, the user will need to provide a minimum amount of information (email and password) and your app will need to authenticate as well...usually through OAuth or a native API by specifying an already issued "App ID" (or Client ID) and an App Secret. This is information you should receive by these providers once you have successfully registered your app with them.
is anyone aware of any 3rd party products / API's which can help provide this kind of identification?
I'm not too sure and this is out of the scope of Stackoverflow...but, do you really need to add another abstraction layer in your project? Another dependency? Consider interacting directly with these providers, you have more benefits
So, basically, your app will have to get the user to supply his/her credentials in order to request this information. In the case of OAuth, your app will never see these credentials because the authentication process happens outside your app, all your app will receive is an access token to request the information that is available within the scope of the access token. By that I mean, you have to request specific permissions. There's a lot of information available on the developer's site of these providers and I'm sure you'll get around it without any problems, but feel free to ask if something is not clear enough.
There's a way to get user information from sites like facebook,google,linkedin,yahoo etc by using their OAuth service. For this you need to develop your application to include OAUth Service from any of these sites and allow the user to log into any of these services and choose what all data they would be interested to share for using your application.
Again, you will have to configure your facebook/etc application to include options for the users to select while logging in.
It really depends on the social media account. Some sites allow you to search by email, but this assumes that the email address you have is the same address the person used for the account. Others do not. What I would do is identify the sites which allow you to search by email, and go to those sites and search. That is the most straightforward way.
I have a scenario, where an authorised user through my application is posting status/uploading pictures via my application by granting required permissions. My application uses graph APIs.
Now, as app administrator if I want to see the content of the post, that the user has uploaded via my application. How do i do it?
I know in graph APIs, I have INSIGHTS api. But, it just gives us the statistics of the posts done via my app or user.
Can i really see the posts?
Assuming as an app admin I only have app access token and app ID. I dont store user access tokens with me.
Actually, I worked on the problem with every possible way. Found out that, even being an APP administrator I will need user access token (stored with me), without which these data shall not be retrieved via APIs.
My need was not to use user access token; But, no Its not possible via APIs as of now.
I'm trying to implement facebook connect to my website, and i have couple questions.
1: Is it possible to register user in my website using his current facebook email/password.
Let's say user clicks on link Register via facebook and then he have to give me permisions to access his password, email, etc... and after that is done i put that info in my own database and he will be able to login with that account any time he wants without needing to give me permisions any time in the future.
2: If that kind of registration is not possible, what's other solution would be the best for me? Because i need to somehow keep track of that user who logged in with facebook, because he can upload photos, send messages etc.
Anyways, i'm quite new with facebook and similar things, so i'm really lost here, hope some one can help me :)
EDIT Thank you all for wonderful answers it helped me a lot, now all that's left is to read documentation :)
Yes it is, it is possible to get the information of the user. But it is rather complicated, when you have never dealt with it.
First you need to send the user to the following link:
https://m.facebook.com/dialog/oauth?client_id=your-client-id&redirect_uri=xxx&scope=listof-information-you-want
Facebook will then return your client to the uri specified, if the user rejected it will give a reason. If it is not you will get an code in urlencoded format.
This code is needed for the following step, the request of the access token:
https://graph.facebook.com/oauth/access_token?redirect_uri=xxx&client_id=xxx&client_secret=xxx&code=xxxx
This will give back an access token, if the authorization didn't fail.
After that you can ask for the information you want:
https://graph.facebook.com/me?method=GET&metadata=true&format=json&access_token=access_token
This will include a facebook uid, which is unique for all users. Store it and you can discern between a register and login.
This is roughly the process for any oauth2 application.
Facebook will not ask repeatedly for permissions after the user granted them to you. So you can store the access token and reuse it for backend stuff and also use the same procedure you use for register for login.
You can never access the user's password from Facebook even with his/her permission, so the user will always have to authenticate via Facebook and have Facebook pass you the user id of the logged in user once authentication succeeds. You can store all kinds of other data locally, but not enough to authenticate the user yourself.
Once the user is authenticated, you'll have access to the user's Facebook user id via the API, which should be enough to connect all kinds of information to that specific user.
Facebook does not provide access to accounts when passwords are taken from your controls. It provides it own canvas for login information. Therefore you cannot use your first approach to store passwords in your databases. Check this out.
You can however store email addresses once user logins into his account using the facebook sdks. Check this out link for the example of C# SDK sample code.
You can use the Facebook APIs to fetch user email-id, photos, friendslist and other information and then play around accordingly.
You don't get access to the users password - only email if you ask for it.
Best way would be to have a table of users and their Facebook account id's.
If you want to allow users to sign up without Facebook then have a nullable field for their password and facebook id, and also have a field for username - which you could populate from Facebook if they register via that route.