From what I understand about Oauth, a user logs in to Facebook, then Facebook provides my application with an access token that I can use to make calls to Facebook's API. Can I use that same access token to authenticate calls to my own API?
What would this look like in terms of storing and accessing user data for my own app such as personal settings and resources?
Can I use that same access token to authenticate calls to my own API?
You technically can. Token is just a random identifier that uniquely identifies a user within an application in the OAuth provider.
What would this look like in terms of storing and accessing user data for my own app such as personal settings and resources?
You need to store as much information as you need to uniquely identify a user and an application (if you support them) this token belongs to.
Related
My app logic (Android, iOS and Web) is all written in my server.
Since things got complicated, I decided to build my server as a REST web service so querying it will contain logic in the header.
My login flow is pretty simple, and I somehow tried to copy from Facebook API:
The user login to Facebook.
The user receive a Facebook access token
The access token is sent to my server with some other identifiers
The server checks with Facebook that the access token is valid with Facebook and that the other identifiers match the ones on Facebook.
The server returns an access token to the user, which he should use in each query until it expires.
The problem is that I didn't add any other restrictions like endpoints limitations (scopes) and stuff like this, so an access token generated by my server grant you access to each part of my api.
I think that inventing the wheel here will be foolish, so I'm looking for a framework or a generic solution that will allow me to add logic to the access tokens in a simple way.
I read about OAuth, but my concern that its more about user sharing with other users, but I only want to use it is login flow and scope protector.
Is it possible with OAuth ? Are there alternative to OAuth ?
That's possible with OAuth 2.0 and in fact one of the objectives: you may issue and use access tokens that have particular "scopes" (an OAuth 2.0 concept) associated to them that could relate to permissions that the client has (e.g. read/write, API A, API B).
But you need to issue your own access tokens from your own Authorization Server. You could allow users to login to that Authorization Server with their Facebook account.
I have never stored Facebook access token of users, but now I need them so I can start publishing on thier behalf.
Is there a way through Facebook's app management interface, to retrieve all the access tokens of users ?
Thanks
No, there is not.
You can only generate user access tokens by having users visit your app/website again – if you embed the JS SDK, it will give you an access token automatically; otherwise (server-side) you will have to send them through the login flow again to generate one.
For this task I have already created my own facebook application to get the API key and secret key. Can anyone explain the next steps that should be done to
1) Read from facebook API
2) Write my own database
by using web services
Thanks in advance!
A high level answer:
I'm assuming you want to use the authorization code OAuth flow (this means you want Facebook users to give you access to their profiles so you can grab data from there). If so, you need to bring up a web server and an application that will run your users through the Facebook OAuth flow. In case you just want to access Facebook with your own credentials you don't have to have a web server, simply use the client credentials OAuth flow.
So, Once you have a valid access token, you simply make calls to Facebook API using this token. using Facebook Graph API is simply a matter of calling URLs and getting the data as JSON.
You can test-drive the API here.
BTW, according to Facebook's platform policy, you're only allowed to store Facebook data for caching purposes.
Let me know if this helps.
On my app the user can sign to Facebook and the app then has the user's access token (say it's 'abc'), I want to use this token to create a user on my own server.
Is it safe to send this access token to my server (using SSL), then get the user's username and ID using https://graph.facebook.com/me?access_token=abc on my server and check that the application the token belongs to is mine with https://graph.facebook.com/app?access_token=abc. If it is my application I then store the user in my user's database and/or log them in.
Can this system be fooled? Can you think of a way someone could log in as someone else?
You should check out all of the Authentication documentation and the Oauth spec to see the different auth flows available
Broadly speaking, you can create a user on your server based on the access token, and be reasonably certain that when you get an access token from Facebook for the same user ID that it's the same person.
If you require very high security for the app you can take steps to ensure the user's access token wasn't produced via malware or the Facebook user being tricked, there's an example showing protection against CSRF in the Server Side Authentication documentation, and there's also a reauthentication flow you can use
I assume that you are using facebook sdk for this, if so the facebook sdk takes care of the security for you and you don't have to worry about a thing.Supposing that you are accessing the api without the sdk then there are two things that must be noted:
1) Auth token expires frequently(facebook has taken great pains to ensure that the user is protected)
2)Making a request with just auth token is not enough there are some other parameters that are needed that can't be faked especially if you are doing this server side since an extra layer is added that fb calls server flow authentication
3)On top of that there are a lot of permissions that are in place that the user has to give in order for an application to access some data.The link below provides a nice article on authentication you can take a look
https://developers.facebook.com/docs/authentication/
So long story short it is safe.
What is access token in Facebook API?
why I need it ?
What is its purpose ?
Do I need to store it persistently in my website ?
For almost every request you make to facebook API you need to pass access token along to get the results. This token may expire depending on what kind it is, you might need to persist it in case your application need to access facebook API when user is offline.
PS: Access token comes from user's request to your application.
Facebook implementation of the OAuth 2.0 involves three different steps: user authentication, app authorization and app authentication. User authentication ensures that the user is who they say they are. App authorization ensures that the user knows exactly what data and capabilities they are providing to your app. App authentication ensures that the user is giving their information to your app and not someone else. Once these steps are complete, your app is issued an user access token that you enables you to access the user's information and take actions on their behalf.
access token will be expired unless the user has granted to your app the "offline_access" permission. In other word, unless you have such a perm granted, you don't need to store it persistently in your website.