How to get facebook code from redirect uri in Java desktop application - facebook

I'm a newbie in the Facebook Graph API. I try to get MY_VERIFICATION_CODE by sending an HTTP request:
link1: https://facebook.com/dialog/oauth?client_id=APP_ID&redirect_uri=https://www.facebook.com/connect/login_success.html
and then Facebook will redirect to http://www.facebook.com/connect/login_success.html?code=MY_VERIFICATION_CODE
but I can't get the code from the response. I copy link1 into Chrome, it redirects to a URL with a code appended as a parameter, but this URL stays for just seconds and then it changes to this: https://www.facebook.com/connect/blank.html#=
My question is how to read the code from the redirected URI in a Java desktop application?

It's all described in the docs at
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.3#login
Quote:
When using a desktop app and logging in, Facebook redirects people to the redirect_uri mentioned above and places an access token along with some other metadata (such as token expiry time) in the URI fragment:
https://www.facebook.com/connect/login_success.html#access_token=ACCESS_TOKEN...
Your app needs to detect this redirect and then read the access token out of the URI using the mechanisms provided by the OS and development framework you are using. You can then skip straight to the Inspecting access tokens step.
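An added example, not part of the original answer or of Facebook's documentation: one way a Java desktop app can read the `code` (query string) or `access_token` (URI fragment) out of the redirect URL, accepting it only when the URL is the `redirect_uri` it asked for. The class name `RedirectParser` and the sample values are constructed; it assumes the app gets the URL string from its embedded browser's location-change event.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class RedirectParser {
    // The redirect_uri passed to the login dialog in the question above.
    static final URI EXPECTED = URI.create("https://www.facebook.com/connect/login_success.html");

    /** Split "a=1&b=2" into a decoded map; empty map for null or empty input. */
    static Map<String, String> parseParams(String raw) {
        Map<String, String> out = new LinkedHashMap<>();
        if (raw == null || raw.isEmpty()) return out;
        for (String pair : raw.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8),
                    URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    /** Return the redirect parameters only if the URL is the expected redirect target. */
    static Map<String, String> extract(String location) {
        URI u = URI.create(location);
        boolean same = "https".equalsIgnoreCase(u.getScheme())
                && EXPECTED.getHost().equalsIgnoreCase(u.getHost())
                && EXPECTED.getPath().equals(u.getPath());
        if (!same) throw new IllegalArgumentException("not the expected redirect_uri");
        Map<String, String> params = parseParams(u.getRawQuery());   // ?code=...
        params.putAll(parseParams(u.getRawFragment()));              // #access_token=...
        if (!params.containsKey("code") && !params.containsKey("access_token"))
            throw new IllegalStateException("redirect carried no code or access token");
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample URLs; the values are placeholders, not real credentials.
        String[] samples = {
            "https://www.facebook.com/connect/login_success.html?code=SAMPLE_CODE",
            "https://www.facebook.com/connect/login_success.html#access_token=SAMPLE_TOKEN&expires_in=5183999"
        };
        // Print only the parameter names so tokens never reach logs.
        for (String s : samples) System.out.println(extract(s).keySet());
    }
}
```

The `blank.html#=` URL from the question is rejected by the path check, so the app has to capture the location before that second navigation happens.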

Related

Facebook login without redirection

Our website runs in public computers and the browser is restricted to our own site. Facebook needs a redirection for security reasons. Can this be avoided somehow?
If not, which are the urls I'd have to allow/unlock?
Have a look at
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2#login
You need to use the following structure:
https://www.facebook.com/dialog/oauth?client_id={app-id}&response_type=token&redirect_uri=https://www.facebook.com/connect/login_success.html
Have a look at the hints in the blue box at the bottom of the docs paragraph:
When using a desktop app and logging in, Facebook redirects people to the redirect_uri mentioned above and places an access token along with some other metadata (such as token expiry time) in the URI fragment:
https://www.facebook.com/connect/login_success.html#access_token=ACCESS_TOKEN...
Your app needs to detect this redirect and then read the access token out of the URI using the mechanisms provided by the OS and development framework you are using. You can then skip straight to the Inspecting access tokens step.

Facebook OAuth and redirect URI

Looking at Google OpenId connect and Facebook login I noticed that Facebook always hits the "redirect URI" from the browser. To explain a bit more - when user follows link of the form
https://www.facebook.com/dialog/oauth?client_id={app-id}&redirect_uri={redirect-uri}
S/he is always redirected to the URL specified by {redirect-uri}. This URL then contains "code" which can be exchanged for access token.
Google has similar approach but when using "server-flow" the {redirect-uri} is "hit" by Google's servers. This way the code which needs to be exchanged for access token never gets shown to the user.
It seems like FB's approach is less secure as the access code can actually end up in the attacker's hands.
Is there a way to have FB send the code to a redirect URI but not actually redirect client? Something like what Google does.
Does anyone have a good explanation why FB does not have "server-flow"-like behaviour but only "implicit-flow"?
You should grab the code from the server then use it, together with your app secret, to exchange an access token on Facebook. It does not matter if the client can see this because without the app secret, that code is useless. And the app secret is kept on your server, it is never revealed to the client.

Facebook login - Javascript SDK + Reading cookie from server

Our website (Java server side) uses Facebook Javascript SDK for login. We enable the cookie creation and then on the server side we are trying to read the cookie to make a call to Graph API.
The steps we follow are:
- Retrieve the facebook cookie based on Facebook API id from HttpRequest
- Decode the cookie to retrieve the code
- Make a HTTP GET request to Facebook Graph to retrieve access token by passing client id, secret, code and redirect uri
I am getting an error at the last step where it says the redirect uri doesn't match the one passed when retrieving the code. What should the redirect uri match?
I found the answer to this from here: http://tech.sociablelabs.com/2011/09/19/server-side-changes-facebook-oauth-2-0-upgrade/
It turns out that the redirect_uri is empty string as set by Facebook Javascript SDK.

Facebook mobile OAuth redirect_uri

Acknowledging that the authenticated referral mechanism is currently not working with the mobile web settings for Facebook applications, I'm running into an issue with verifying an access token based on a returned code.
The URL I'm trying to fetch an access token for is:
https://staging.fanhood.com/facebook/mobile/challenge?fh_gameChallengeID=2678&ref=web_canvas&refid=9&refsrc=http://apps.facebook.com/fanhood-dev/challenge&returned=true
This is the URL that the visitor is sent to after being pre-authenticated from this URL: http://apps.facebook.com/fanhood-dev/challenge?fh_gameChallengeID=2678. However, unlike regular authenticated referrals, there is no additional data passed into the URL so that the application can shortcut the oauth redirect loop.
At this point, I'm redirecting the visitor to the mobile OAuth dialog to authenticate them:
http://m.facebook.com/dialog/oauth?client_id=250258605018414&redirect_uri=https%3A%2F%2Fstaging.fanhood.com%2Ffacebook%2Fmobile%2Fchallenge%3Ffh_gameChallengeID%3D2678%26ref%3Dweb_canvas%26refid%3D9%26refsrc%3Dhttp%3A%2F%2Fapps.facebook.com%2Ffanhood-dev%2Fchallenge%26returned%3Dtrue&scope=email%2Cfriends_about_me%2Cfriends_education_history%2Cfriends_hometown%2Cfriends_interests%2Cfriends_likes%2Cfriends_location%2Coffline_access%2Cpublish_actions%2Cpublish_stream%2Cuser_activities%2Cuser_birthday%2Cuser_education_history%2Cuser_hometown%2Cuser_games_activity%2Cuser_interests%2Cuser_likes%2Cuser_location&response_type=code&display=touch
When the user is redirected back, I do receive a code to exchange:
Code: AQBCH25OC57BiMBgj3rCKGhkFi0ypp0R8e2yKGwFfhml9x1B47-w2Baex8oZ3BKgb2NhziRnSIuJ1MV9hErKBUhu0YqxaonwFF_7mcqozwpy3Ch08rkNh-YEIa6HV_LHxl6pymfkAbQEMgSA6F4BdtINsCQ7QlLpcRwrZWkzxZVyJbJDnqOesB3zFLr5ohpgtpQ
However, none of my requests to exchange this code are working currently. I'm trying different variations of the redirect_uri format, none of which are working:
Original URL as redirect_uri:
I have a mechanism in place to strip out specific query parameters, re-order them alphabetically, and re-assemble so that redirect_uris are consistent across requests.
In this case, the redirect_uri matches exactly to what was passed to the dialog URL:
https://staging.fanhood.com/facebook/mobile/challenge?fh_gameChallengeID=2678&ref=web_canvas&refid=9&refsrc=http://apps.facebook.com/fanhood-dev/challenge&returned=true == https://staging.fanhood.com/facebook/mobile/challenge?fh_gameChallengeID=2678&ref=web_canvas&refid=9&refsrc=http://apps.facebook.com/fanhood-dev/challenge&returned=true
https://graph.facebook.com/oauth/access_token?client_id=250258605018414&client_secret=xxx&redirect_uri=https%3A%2F%2Fstaging.fanhood.com%2Ffacebook%2Fmobile%2Fchallenge%3Ffh_gameChallengeID%3D2678%26ref%3Dweb_canvas%26refid%3D9%26refsrc%3Dhttp%3A%2F%2Fapps.facebook.com%2Ffanhood-dev%2Fchallenge%26returned%3Dtrue&code=AQBCH25OC57BiMBgj3rCKGhkFi0ypp0R8e2yKGwFfhml9x1B47-w2Baex8oZ3BKgb2NhziRnSIuJ1MV9hErKBUhu0YqxaonwFF_7mcqozwpy3Ch08rkNh-YEIa6HV_LHxl6pymfkAbQEMgSA6F4BdtINsCQ7QlLpcRwrZWkzxZVyJbJDnqOesB3zFLr5ohpgtpQ&access_token=250258605018414%7C65adc2f073d3c901d02a7329c6acba21
Blank redirect_uri attempt for authenticated referrals:
https://graph.facebook.com/oauth/access_token?client_id=250258605018414&client_secret=xxx&redirect_uri=&code=AQBCH25OC57BiMBgj3rCKGhkFi0ypp0R8e2yKGwFfhml9x1B47-w2Baex8oZ3BKgb2NhziRnSIuJ1MV9hErKBUhu0YqxaonwFF_7mcqozwpy3Ch08rkNh-YEIa6HV_LHxl6pymfkAbQEMgSA6F4BdtINsCQ7QlLpcRwrZWkzxZVyJbJDnqOesB3zFLr5ohpgtpQ&access_token=250258605018414%7C65adc2f073d3c901d02a7329c6acba21
redirect_uri structured as our mobile canvas URL:
https://graph.facebook.com/oauth/access_token?client_id=250258605018414&client_secret=xxx&redirect_uri=https%3A%2F%2Fm.facebook.com%2Fapps%2Ffanhood-dev%2Fchallenge%3Ffh_gameChallengeID%3D2678%26ref%3Dweb_canvas%26refid%3D9%26refsrc%3Dhttp%3A%2F%2Fapps.facebook.com%2Ffanhood-dev%2Fchallenge%26returned%3Dtrue&code=AQBCH25OC57BiMBgj3rCKGhkFi0ypp0R8e2yKGwFfhml9x1B47-w2Baex8oZ3BKgb2NhziRnSIuJ1MV9hErKBUhu0YqxaonwFF_7mcqozwpy3Ch08rkNh-YEIa6HV_LHxl6pymfkAbQEMgSA6F4BdtINsCQ7QlLpcRwrZWkzxZVyJbJDnqOesB3zFLr5ohpgtpQ&access_token=250258605018414%7C65adc2f073d3c901d02a7329c6acba21
redirect_uri structured as our canvas URL:
https://graph.facebook.com/oauth/access_token?client_id=250258605018414&client_secret=xxx&redirect_uri=https%3A%2F%2Fapps.facebook.com%2Ffanhood-dev%2Fchallenge%3Ffh_gameChallengeID%3D2678%26ref%3Dweb_canvas%26refid%3D9%26refsrc%3Dhttp%3A%2F%2Fapps.facebook.com%2Ffanhood-dev%2Fchallenge%26returned%3Dtrue&code=AQBCH25OC57BiMBgj3rCKGhkFi0ypp0R8e2yKGwFfhml9x1B47-w2Baex8oZ3BKgb2NhziRnSIuJ1MV9hErKBUhu0YqxaonwFF_7mcqozwpy3Ch08rkNh-YEIa6HV_LHxl6pymfkAbQEMgSA6F4BdtINsCQ7QlLpcRwrZWkzxZVyJbJDnqOesB3zFLr5ohpgtpQ&access_token=250258605018414%7C65adc2f073d3c901d02a7329c6acba21
Does anyone know which redirect_uri format Facebook uses for mobile OAuth requests? And if query parameters are supported? This same URL works for our regular canvas application, just not our mobile version.
See Authenticated Referrals & Server-Side Auth Flow - What is the redirect_uri?
When I stripped the request_uri portion after &code=... it started working.
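An added example, not code from any of the posts above: the code-for-token exchange described in the earlier answer (code plus app secret, server side) and the `redirect_uri` mismatch errors in the two questions above come down to sending the same `redirect_uri` string, percent-encoded as a single parameter, in both requests. The class name `CodeExchangeUrls`, the `FB_APP_SECRET` environment variable and the `app.example.com` callback are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class CodeExchangeUrls {
    /** Build "k=v&k=v", percent-encoding each value so a redirect_uri with its own
     *  "?a=b&c=d" stays one parameter instead of leaking into the outer query. */
    static String query(String... kv) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < kv.length; i += 2)
            sb.append(i == 0 ? "" : "&").append(kv[i]).append('=')
              .append(URLEncoder.encode(kv[i + 1], StandardCharsets.UTF_8));
        return sb.toString();
    }

    static String dialogUrl(String appId, String redirectUri) {
        return "https://www.facebook.com/dialog/oauth?"
                + query("client_id", appId, "redirect_uri", redirectUri, "response_type", "code");
    }

    /** Server side only: the app secret never goes into code shipped to the client. */
    static String exchangeUrl(String appId, String appSecret, String redirectUri, String code) {
        return "https://graph.facebook.com/oauth/access_token?"
                + query("client_id", appId, "client_secret", appSecret,
                        "redirect_uri", redirectUri, "code", code);
    }

    /** Decode the redirect_uri parameter back out of a built URL, or null if absent. */
    static String redirectUriOf(String url) {
        for (String pair : URI.create(url).getRawQuery().split("&"))
            if (pair.startsWith("redirect_uri="))
                return URLDecoder.decode(pair.substring("redirect_uri=".length()),
                                         StandardCharsets.UTF_8);
        return null;
    }

    public static void main(String[] args) {
        // Constructed values: hypothetical callback with its own query string,
        // placeholder app id and code; the secret is read from the environment.
        String redirect = "https://app.example.com/fb/callback?next=/challenge&id=42";
        String secret = System.getenv().getOrDefault("FB_APP_SECRET", "PLACEHOLDER_SECRET");
        String dialog = dialogUrl("APP_ID", redirect);
        String exchange = exchangeUrl("APP_ID", secret, redirect, "SAMPLE_CODE");
        System.out.println(dialog);
        // Both requests must decode to the identical redirect_uri string.
        System.out.println(redirect.equals(redirectUriOf(dialog))
                && redirect.equals(redirectUriOf(exchange)));
    }
}
```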

Out-of-band OAuth authentication with Facebook

TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application, since the web application isn't actually running on a server?
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html. When the browser redirects you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/).
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.