I'm a bit confused about how omniauth works for Facebook and Twitter. I notice that when I use Twitter, I end up getting back credentials which include a token and a secret. My understanding is that Twitter will return the same set of keys for the same application keys.
For Facebook I notice that I only get back a single token. I would like to use this token to identify the user when they use my application, but my concern is that since I am only getting one token back, this is a short-lived token which might change.
I did some research to find out if Twitter supports OAuth 1.0 (which I'm quite certain Twitter uses).
Am I missing something? Is it a matter of Twitter and Facebook using different OAuth versions?
Twitter and Facebook do, in fact, use different versions of OAuth. Twitter uses OAuth 1.0A, while Facebook uses OAuth 2.0. These versions have different implementations.
For Twitter, there are two options for accessing the APIs via OAuth, application-only auth and application-user auth.
For details on Twitter's OAuth, check out https://dev.twitter.com/docs/auth/oauth
For details on how to obtain access tokens for Twitter APIs, see https://dev.twitter.com/docs/auth/obtaining-access-tokens
Recently I've been doing some research into OAuth and OpenID/OpenID Connect, and it's all just left me confused as to what is best to use and what is safe.
Originally I thought you could just use OAuth2.0 to log a user in (using their ID as a way of remembering the user) but then I found out that due to how the spec of OAuth 2 works, hijacking tokens would allow a malicious user to impersonate another person. Which is why it's stated that you shouldn't use OAuth 2 as authorization.
But then I have been reading that providers such as Google and Facebook have decided to move away a little from the standard and ensure that such attacks are not possible. So my question is: what OAuth providers are safe to use to gather a user's ID to be used to log them into my service?
Also, Facebook is offering another service called Facebook Login. From what I can tell it's OAuth but without the impersonation issue (obviously) AND the app creator cannot do other OAuth features such as posting on behalf of the user without getting their app reviewed by Facebook. Why would I use Facebook Login over OAuth, which gives me all those permissions without review?
Thanks a heap everyone
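The impersonation problem raised in this question comes down to what a token proves. A plain OAuth 2.0 access token proves only that *some* client was granted access to a resource; it does not by itself say which client it was issued to, so an access token captured from (or handed over by) a different app can be replayed to a site that naively treats "I have a valid token for user X" as "I am user X". OpenID Connect fixes this with a signed ID token whose `aud` claim names the client it was issued for. The following is an added example, not code from the question or from any provider's SDK: a minimal ID-token check that verifies the signature and the `iss`, `aud` and `exp` claims, and shows that a token issued for a different client is rejected even though it is validly signed for the same user. It uses HS256 with a constructed shared secret purely so it runs offline; real providers sign ID tokens with asymmetric keys (e.g. RS256) and publish the public keys, and production code should use a maintained JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the offline example: in reality the issuer's
# verification key comes from its published JWKS, not a shared secret.
ISSUER_SECRET = b"constructed-issuer-signing-secret"
ISSUER = "https://issuer.example"        # hypothetical identity provider
MY_CLIENT_ID = "my-service-client-id"    # hypothetical client_id of *this* site
OTHER_CLIENT_ID = "some-other-app-id"    # hypothetical client_id of a third-party app


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256.
    Stands in for the identity provider minting an ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_id_token(token: str, secret: bytes, expected_iss: str, expected_aud: str, now: float):
    """Return the subject (user id) if the token is valid *for this client*, else None.
    Every check here is one the relying party must do before trusting the identity."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never accept an algorithm you did not expect
        return None
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return None                            # tampered or forged
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:      # wrong identity provider
        return None
    if claims.get("aud") != expected_aud:      # issued to a different client: the impersonation case
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None                            # expired
    return claims.get("sub")


def demo(now: float = 1_700_000_000.0) -> dict:
    """Mint three tokens for the same user and show which ones this site may accept."""
    base = {"iss": ISSUER, "sub": "user-12345", "iat": now, "exp": now + 3600}
    for_me = make_id_token({**base, "aud": MY_CLIENT_ID}, ISSUER_SECRET)
    for_other_app = make_id_token({**base, "aud": OTHER_CLIENT_ID}, ISSUER_SECRET)
    expired = make_id_token({**base, "aud": MY_CLIENT_ID, "exp": now - 1}, ISSUER_SECRET)
    forged = for_me[:-4] + "AAAA"              # signature bytes altered
    return {
        "issued_for_me": verify_id_token(for_me, ISSUER_SECRET, ISSUER, MY_CLIENT_ID, now),
        "issued_for_other_app": verify_id_token(for_other_app, ISSUER_SECRET, ISSUER, MY_CLIENT_ID, now),
        "expired": verify_id_token(expired, ISSUER_SECRET, ISSUER, MY_CLIENT_ID, now),
        "forged": verify_id_token(forged, ISSUER_SECRET, ISSUER, MY_CLIENT_ID, now),
    }


if __name__ == "__main__":
    print(demo())
```

The `aud` check is the one that separates "authentication with OpenID Connect" from "authentication by waving an OAuth access token around": the token for `OTHER_CLIENT_ID` is genuine and unexpired, but it was never issued to this site, so it must not log anyone in here.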
I want to use http://api.twitter.com/1/blocks/create.json?screen_name=xxxxxxx (Twitter API) to block particular friends or followers from my account with the use of the Twitter & Account Framework in iOS 5.
So what should I do to solve this issue, because I just want to use the Twitter account and don't want to use OAuth.
It generates an error like: HTTP/1.1 401 API is secure. Needs security Credentials
The Twitter API requires OAuth authentication. However, if you're happy with targeting iOS 5 and up you can use the in-built Twitter framework to perform the OAuth calculations on your behalf, which will save you a lot of time. Take a look at the documentation for TWRequest:
http://developer.apple.com/library/ios/#documentation/Twitter/Reference/TwitterFrameworkReference/_index.html
Actually, you need to put the parameters of POST requests in the body. This is described in the OAuth tool description under Request query:
This tool is available on the right of every REST API documentation page like this one if you are logged in.
You can use the Apigee console for Twitter to test it, but you will get the same error unless you include the screen_name parameter in the body.
I need to post a message on a certain FB page as the owner by cron, using PHP and ZF 1.1.X. For this small issue, I don't want to create a full OAuth stack. Is it possible to communicate with the FB API (preferably via the PHP SDK for FB) without it, such as Twitter with its pre-created access tokens (Access token, Access token secret)?
As long as you need an active user access_token to retrieve the desired data, it is not possible to skip the OAuth flow.
Without authenticating a user you only have the application access_token (in the old format APP_ID|APP_SECRET, but it still works) and only limited access to most Graph API endpoints and Application settings.
Actually, there is nothing hard about implementing user authentication with the OAuth flow, and it is completely transparent when using the PHP-SDK.
Just look at the sample code in the documentation for server-side authentication.
Yes, you need to build an app and then authorize the page via the app while requesting the manage_page permission.
You should make yourself familiar with the Server Side Auth process as well.
Are services like Facebook and Twitter using the same OAuth mechanism for their own (mobile) apps as the rest of us? Or are they using some kind of "special mode" in OAuth which bypasses the permissions stuff etc.?
Would really like to know how they are authenticating their users.
Facebook is not using OAuth and has a special login/private API for its own purposes. Only Facebook is a 1st-class citizen for these APIs, and they don't need to bother with public APIs.
Facebook's iPhone, Android, etc. apps can log users in directly with username and password and create a new Facebook session directly, but other apps using the API need to use OAuth to get a user access token.
If you're using the Android or iPhone SDKs, this can be done without the user needing to log in again; they simply need to authorise the app in a dialog, which is rendered by the Facebook app and uses the session created by the Facebook-supplied app.
Yes, they use OAuth:
Twitter OAuth
Facebook OAuth
Facebook Connect is based on OAuth 2.0. In OAuth 2.0, SSL is required, while signatures are not required for the actual API calls once the token has been generated. It has only one security token.
Twitter uses 1.0a. OAuth 1.0 requires the client to send two security tokens for each API call, and to use both to generate the signature.
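The difference this answer describes is concrete at the wire level. Below is an added example (not code from the answer, omniauth, or Twitter) that builds an OAuth 1.0a HMAC-SHA1 `Authorization` header the way RFC 5849 specifies it, with the signing key formed from both the consumer secret and the token secret, and places an OAuth 2.0 bearer header beside it. It also includes the server-side check, which is why the two-secret design lets each request be verified without sending either secret. The URL is the blocks/create endpoint quoted earlier on this page; the consumer key, token, secrets, nonce and timestamp are constructed placeholders, and `pct` follows OAuth's percent-encoding rules (only unreserved characters left bare).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """OAuth 1.0 percent-encoding: everything except unreserved characters is escaped."""
    return quote(str(value), safe="~")


def oauth1_signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & enc(base URL) & enc(sorted, encoded key=value pairs), per RFC 5849 s3.4.1."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    # Query-string parameters count as request parameters too.
    all_params = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def oauth1_sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 over the base string; the key is BOTH secrets joined by '&'.
    Neither secret ever leaves the client; only the resulting signature is sent."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = oauth1_signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def oauth1_protocol_params(consumer_key, token, nonce, timestamp) -> dict:
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }


def oauth1_authorization_header(method, url, body_params, consumer_key, consumer_secret,
                                token, token_secret, nonce, timestamp) -> str:
    """Client side: sign the request and emit the 'OAuth ...' header."""
    oauth_params = oauth1_protocol_params(consumer_key, token, nonce, timestamp)
    oauth_params["oauth_signature"] = oauth1_sign(
        method, url, {**body_params, **oauth_params}, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


def oauth1_verify(method, url, params_with_oauth: dict, consumer_secret, token_secret) -> bool:
    """Server side: recompute the signature from the stored secrets and compare in constant time."""
    presented = params_with_oauth.get("oauth_signature", "")
    others = {k: v for k, v in params_with_oauth.items() if k != "oauth_signature"}
    expected = oauth1_sign(method, url, others, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def oauth2_authorization_header(access_token: str) -> str:
    """OAuth 2.0 bearer usage: one token, no per-request signature, TLS carries the secrecy."""
    return f"Bearer {access_token}"


def demo() -> dict:
    # Constructed placeholder credentials; the endpoint is the one quoted on this page.
    method, url = "POST", "https://api.twitter.com/1/blocks/create.json"
    body = {"screen_name": "example_user"}
    ck, cs, tok, ts = "ck", "consumer-secret", "tok", "token-secret"
    nonce, stamp = "n1", 1318622958
    header = oauth1_authorization_header(method, url, body, ck, cs, tok, ts, nonce, stamp)
    signed = {**body, **oauth1_protocol_params(ck, tok, nonce, stamp)}
    signed["oauth_signature"] = oauth1_sign(method, url, signed, cs, ts)
    return {
        "base_string": oauth1_signature_base_string(method, url, {**body, **oauth1_protocol_params(ck, tok, nonce, stamp)}),
        "oauth1_header": header,
        "verifies_with_correct_secrets": oauth1_verify(method, url, signed, cs, ts),
        "verifies_with_wrong_token_secret": oauth1_verify(method, url, signed, cs, "other-secret"),
        "verifies_after_param_tamper": oauth1_verify(method, url, {**signed, "screen_name": "victim"}, cs, ts),
        "oauth2_header": oauth2_authorization_header("EAAB-constructed-token"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing in the output: the OAuth 1.0a signature covers the request parameters, so changing `screen_name` after signing fails verification, which is why the 401 in the earlier question disappears only once the parameters are included in what gets signed; and the OAuth 2.0 header carries the single token in the clear, which is exactly why the protocol mandates TLS.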
If a website uses Facebook Connect, it seems like the new Facebook Graph API way of logging in is that it will give an fbs___appID___ as a cookie, with access_token inside, and there are also the expires, session_key, and sig.
Why are a session_key and sig needed? Isn't the access_token by itself enough? Is the session_key supposed to live longer than the access_token?
How does that compare to the old Facebook REST method, which has the auth_token and the 2378942398472398473_session_key and 2378942398472398473_ss?
What you are asking about has nothing to do with the Graph API or REST API. This is purely about the authentication system. The new authentication will provide you with the access token and the other properties you listed. The only value you need to worry about is the access token. This is used for all Facebook API calls now. The other values such as sig and session_key are only used by the Facebook frameworks to validate that the data is authentic, i.e., from Facebook, not a spoofed cookie.
The old authentication system, with the old cookie names, has been phased out and will no longer work. There are a number of differences between the old system and the new system, but that really doesn't matter. The point is, use the new OAuth authentication to get an access token and use the access token for all your API calls.
You can read more about the new Facebook authentication here: http://developers.facebook.com/docs/authentication/