I managed to develop a Azure Mobile Service and an iOS application which connects to my service using Facebook authentication. Everything works perfectly fine from the app.
Now I'm trying to access my mobile service from a regular HTTP REST client and I'm hitting authentication issues. I tried to get the authentication code from FB and set the code in X-ZUMO-AUTH header but this does not help. I still get the "Authorization has been denied for this request" error.
I would really appreciate if someone could point to the right direction on how to mimic the access to the mobile service just like the iOS app is doing it.
Thanks,
Ruben
The token you must supply as the 'X-ZUMO-AUTH' is not the access token that facebook send back to you; it is the token that your mobile service backend send back to you.
In order to get a valid token, access the following url in your browser 'https://mymobileserviceurl/login/facebook'. Then fill your facebook infos and you should be redirected to a page which url looks like 'https://mymobileserviceurl/login/done......'. This url contains a 'authenticationToken' parameter. This is the value you have to paste in your 'X-ZUMO-AUTH' header. (should begin with 'ey' and avoid copying ASCII chars)
In your application, in order to get the right token, you should call MobileServiceClient.LoginAsync.
Related
We have an fb canvas made from .net mvc that works well via desktop but it doesn't work well in mobile app. We send request then if someone on fb mobile tap on request and opens up the web app, the signed_request returned is different than the desktop counterpart. The payload is missing and it seems shorter than the desktop's. I'm trying to read it as "code" and try getting auth token via https://graph.facebook.com/oauth/access_token?client_id=xxxx&code=[code]&redirect_uri=???. The problem with this is I don't know what the redirect_uri supplied or maybe it's not a code.
Can you guys help me with this or there's no other way but once they click request via mobile app we have them relogin in our web app to grab their fbuserid? And if there's another approach in handling mobile app requests.
Mobile Web URL and the signed_request
This is already outdated so maybe there's a solution already.
Thank you
I'll answer my own question. What you can do is add an extra authorization in your login flow when then access your canvas url via facebook mobile app. You send them to
https://graph.facebook.com/oauth/authorize?client_id=
passing the redirect uri and scope then grab the new generated "code" param and grab the aut token via graph api. Then you can access their facebook detail as you would normally. I've read answers like there's no signed request in mobile web and approach it differently without stating what that approach is. Hope someone can be helped by this answer.
Thanks
Looking at Google OpenId connect and Facebook login I noticed that Facebook always hits the "redirect URI" from the browser. To explain a bit more - when user follows link of the form
https://www.facebook.com/dialog/oauth?client_id={app-id}&redirect_uri={redirect-uri}
S/he is always redirected to the URL specified by {redirect-uri}. This URL then contains "code" which can be exchanged for access token.
Google has similar approach but when using "server-flow" the {redirect-uri} is "hit" by Google's servers. This way the code which needs to be exchanged for access token never gets shown to the user.
It seems like FB's approach is less secure as the access code can actually end up in the attacker's hands.
Is there a way to have FB send the code to a redirect URI but not actually redirect client? Something like what Google does.
Does anyone have a good explanation why FB does not have "server-flow"-like behaviour but only "implicit-flow"?
You should grab the code from the server then use it, together with your app secret, to exchange an access token on Facebook. It does not matter if the client can see this because without the app secret, that code is useless. And the app secret is kept on your server, it is never revealed to the client.
I'm trying to build a Facebook-authenticated native mobile app (Windows Phone) that connects to a web service I am creating in Node.
I'd like for a user to:
Log in to Facebook on the mobile app via a native UI or web window
If logged in successfully, create or access server-side user account data tied to that identity
Use the authenticated session to make subsequent authenticated requestsvto that user's data via the native mobile app
My question is: What's the best approach here?
Should I...
Log in the client to facebook locally in the mobile app and pass the Access Token to the node service, and then somehow map the user to my service data based on their facebook account id? That seems grossly insecure if I just pass that token in the URL.
Log the user in via a mobile browser window inside my app, and then redirect back to my Node service in the same window? How do I then make subsequent authenticated requests natively in my app?
Do something else entirely?
Sorry this is so open ended but this is the first time I have tied these things together and although there's a lot of info on each part I've yet to find something that describes the overall pattern / best practice for this design.
Your question is quite opinion based...but still I will try to help.
First of all, you can pass access token in url, its not insecure if you use https. Even if logged into facebook from your mobile app, than also its going to pass a access token in url only. If you mean having the token in http://something.com/access_token, than its not how its should be done.
If you look into the Oauth 2.0 draft you will understand that its done through setting a header Authorization with the value being the token and token_type. Take a good look at the draft.
As your solution I think its fine if you just use the first method mentioned in the question by sending the access token in header as I mentioned in your app and in turn authenticating that token from facebook on each request.
If you think this is just too long a flow for authenticating every request from facebook, than you can get access token by sending request from your mobile app to server and let the server handle the access token and store it in database which you can authenticate each request.
In any case take a look at Passport module, it has facebook and other auth built-in and should be sufficient for your needs.
I have the following use case
My application on iOS is using the FaceBook iOS SDK to authenticate with FB
The application then make a REST call over https to my server to register the FB account to their service account (the service I am offering)
In step 2 the client is sending the FaceBook UID.
My problem is that the server has no FB integration so has to reply on the client sending the right FaceBook UID.
So the problem is obvious, a hacker can attach someone else FaceBook account to their service account .
What I would like is for the server (Java) to be able to validate that the user who is sending the request owns the Facebook UID in question.
I have been searching online and cannot find anything that I think will work.
I came across a vague post about using the FB signedRequest field, this could be passed to the server to validate the user.
Any idea would be appreciated.
Here is a thought:
Once you authenticate the user in your iOS app, get the access_token, and pass only this in your REST call to your server.
On the server side, make a request to https://graph.facebook.com/me?access_token=... using the access_token that you transmitted. If the access token is valid, you will get all the the user's data proving that you have a valid, authenticated user.
If you wanted to be extra sure, you can also request http://graph.facebook.com/app?access_token=... to be sure that the access token was created by your app.
TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application since the web application isn't actually running on a server.
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html When the browser redirects you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/)
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.