I am programming a little web application right now. At some point I need to thing about the user registration. My first thought was do it with a Facebook Authentication. Why? I think it's easier to get user like that, because most of them have already an account on Facebook and don't want to get over the usual registration form(EMail Confirmation, ..).
Now I am asking myself, what happens when I decide to cut of the connection between Facebook and my WebApp? I mean maybe at some point I do not want to be dependent on facebook. Can I easily remove the Facebook Authentication and keep the already registered User? I think the biggest issue would be to set a new password instead using the Facebook ones for the User.
Related
Update: It appears that when there's no API or token, software seems to simply ask the user for their account credentials, and probably has to store this information. I guess it can't be a huge security risk, since people are willing to share this information with apps like Mint:
So, my conclusion is that it is OK to ask users for credentials to other services if they can be secured safely and the user desires the service provided.
Many, many apps use others apps such as Facebook in order to get data from it, usually to verify the user is real and to get relevant profile data (e.g. a dating app would want age, gender, etc.).
When using such an app, I do not have to enter in my Facebook credentials. The app simply opens up my Facebook/asks for permission to access it, and voila it's done.
There seems to be a lot of documentation for well known companies like Facebook, Twitter, and PayPal on how to do this.
But how is it done for an arbitrary website that requires a user/profile, e.g. this website: http://ae.com/web/index.jsp
Unsurprisingly, if I google for FaceBook, there's a heap of resources, and even it's own dedicated tag (https://developers.facebook.com/docs/facebook-login/access-tokens).
However, if I start googling for American Eagle, e.g. "https://www.google.com/search?client=safari&rls=en&q=american+eagle+access+token&ie=UTF-8&oe=UTF-8", I get nothing relevant at all.
If I understand your question right, that you want to enable facebook login for your website,
you still need to create a facebook app. then use the access tokens in your website. so when user clicks on login with facebook, the app will be asking for permissions and finally you will get the access token and you can use that in your site to log in.
In work I got a task (we MUST work with ASP Classic by the way): when user posts a blog, a link to that blog should be posted automatically on user's facebook timeline and in his twitter. I made everything working, but there is one problem: user needs to be signed in to post. I've made the cheking if he's logged in, and if not he must log in.
But I need to avoid the logging-in step and make it automatic (by sending user's username and password as part of the data sent to twitter/facebook or something like that), but I can't figure out how to do that or if it's even possible at all.
Any ideas? Would greatly appreciate any help.
P.S.: for the twitter part I used http://scottdesapio.com/VBScriptOAuth/
for the facebook part I used a combination of: http://snipplr.com/view/61108/facebook-app-login--authorization-entirely-clientside/
Everything works, but is it possible to automatize the user's sign-in part?
Finally I managed to make the both things automated...
The problem with Twitter was that I didn't store request token in session, that's why I got "Could not authenticate you" error.
Can't remember what I did wrong with Facebook (some co-workers helped me out), but I guess I didn't make proper http requests...
So the answer is: yes, it is possible to automatically post to Twitter and Facebook without user sign in.
If I am not wrong then your logged in user in facebook for current browser is not authorize for your app.
I think you should try googling about "How to authorize users into app". OR
If you don't mind I am giving you the direct URL to go to that setting page for your app:
https://developers.facebook.com/apps and then go to your app then after from left side bar go to roles and then after click on test user tab from top of page and then click on add button it will opne one pop-up to add a user.
In app you have to add test user for testing purpose and have to login for that added test user, so added user will be authorize for that app and you will be able to test.
Thank you...
Whenever a permission error occurs on facebook, developers are forced to 1. identify that this is actually happening, 2. ask the user to re-login.
This is a terrible user experience, and I'm surprised that Facebook even allows it to exist.
Is there any way to easily add a permission to a session? If not, are there any ways to make this easier?
So let's put it this way:
I authorized your app with only basic access (no permissions, perms or scope).
You automatically added the email permission without my permission
I started receiving emails (spamming?) from you which is the worst scenario OR
You have simply gained access to my email!
Facebook respects user privacy (actually it's a primary goal) and while they are trying to provide developers with the best technologies, methods and APIs to maintain the best experience there are things they can't avoid.
Each action your application want to make to the user OR on his behalf must be approved by the user and it should be clearly stated when the user approves it.
I've chosen the email permission for a purpose here, because the user may choose NOT to share his personal email with you directly (in which case Facebook will give you a proxied email). This is how far Facebook is thinking and trying to keep the user trust on them (before you!)
Just a small note, handling (any) API provider errors and adopting it's behavior is part of your job. And trust me, Facebook users have been installing millions of apps for years now and they are used to this behavior.
So try making your application as engaging as possible, make use of the Graph API, Social Plugins and Channels. And you'll perform just fine.
Here's the problem,
I want to have the user auto login to my MVC3 website if they already login from facebook.com.
If they are not login from facebook.com, I will just simply show a login button and they can login by clicking on it as usual.
I cant seem to find a way to detect whether user had login from facebook.com unless I force the application to direct go into LoginUrl of Facebook, which is not good for user who was not logged in as this will prompt them a page where they have to login. I still want to allow guest access without facebook account.
Any idea? Thanks a million.
EDIT:
Sorry I forgot to mentioned the situation only apply to user who approve to use my app. Once they approve to use my app, I'll be able to detect their facebook login status.
The answer is: You can't. At least not without violating the facebook TOS and probably at least one or two laws.
EDIT: Your original question sounded like you wanted to try and hijack the facebook user session. What you are talking about here in the comments requires you to use facebook connect / facebook for websites.
You would want to start here: https://developers.facebook.com/docs/guides/web
I'm new to OAuth and I'm mostly done implementing OAuth against Facebook and Twitter.
The way my application works is user can sign on either through Facebook or Twitter. Once getting in, they can setup the other, i.e if they log in using twitter, I ask them to setup facebook wall and if they sign up using facebook, then I ask them to setup their twitter.
The issue I have is this. Users after signing out and come back again, how do I avoid them to setup the things again? I noticed twitter access token never expires, so I guess that solve this side of the issue. But Facebook access token does expire. It's very inconvenient to ask my users to sign into facebook everytime to have that part of the application to work.
I might understood this whole thing wrong, so any suggestion is greatly appreciate it.
As far as I remember Facebook (https://graph.facebook.com/oauth/authorize?...) returns back user immediately if user has previously approved your application, so that he/she won't notice it if you design your app flow correctly (for example you can redirect user to Facebook in a popup and close popup when user returns back).