Facebook provides some documentation on the parameters of OAuth login.
Login Dialog OAuth 2
Parameters are:
client_id = Your App ID
redirect_uri = Your App Website URL
display = page, popup, iframe, async, touch. How to display login.
scope = permission names. Permissions your app is asking the user to grant to your app.
state = a string included in the response back to your app.
response_type = code or token or both. Used in different ways depending on authorization flow.
Is there more information about the different types of OAuth functionality and the parameters that go with them?
I want information on how to structure the URL for OAuth. I know of a couple of configurations. For example:
https://www.facebook.com/dialog/oauth?
client_id=YourAppID
&redirect_uri=The URL that you designated in your App Settings for your App
&response_type=token //Whether you want a `code` returned, or a `token` returned, or both
&scope=publish_stream // scope prompts the user for the type of permissions being asked for
I saw a discussion that showed this:
https://graph.facebook.com/oauth/authorize?
client_id=123456789
&redirect_uri=http://example.com/
&scope=publish_stream,share_item,offline_access,manage_pages
Note the difference between the URLs:
/dialog/oauth?
or
/oauth/authorize?
What does authorize do? Does it GRANT permissions instead of ASKING for permissions? Where is the documentation on this?
https://graph.facebook.com/oauth/authorize is also for logging in the person -- like authenticating a person and taking permission from the person on whether the app may access the requested permissions.
oauth/authorize is a Graph API call.
I think the major difference may be that when you want to build the login flow manually you should use /oauth/authorize; else, if you are using the JavaScript/Apps API provided by Facebook, it uses /dialog/oauth. Apps normally need to confirm that the response from the Login dialog was made from the same person who started it. If you're using Facebook's JavaScript SDK it automatically performs these checks so nothing is required, assuming that you're only making calls from the browser. Moreover, we can make Graph API calls secure by applying appsecret_proof.
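The state check and the appsecret_proof mentioned in this answer, as an added Python example (not code from the question, the answer or Facebook's SDKs): it builds the /dialog/oauth URL from the parameters listed in the question, rejects a callback whose state does not match the value stored for the session, and computes appsecret_proof as the HMAC-SHA256 of the access token keyed with the app secret. The App ID, app secret and redirect URI are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values; a real app substitutes its own App ID,
# App Secret and the redirect URI registered in its app settings.
APP_ID = "123456789"
APP_SECRET = "constructed-app-secret-not-real"
REDIRECT_URI = "https://example.com/facebook/callback"
DIALOG_URL = "https://www.facebook.com/dialog/oauth"


def new_state() -> str:
    """Unguessable per-login value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_login_url(state: str, scopes=("email",), response_type="code",
                    display="page") -> str:
    """Assemble the Login Dialog URL from the documented parameters."""
    params = {
        "client_id": APP_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": ",".join(scopes),
        "response_type": response_type,
        "display": display,
    }
    return f"{DIALOG_URL}?{urlencode(params)}"


def parse_callback(url: str, expected_state: str) -> dict:
    """Parse the redirect back to the app for response_type=code.

    Raises ValueError when the returned state does not match the one stored
    for this session, i.e. when the response was not started by this user.
    """
    query = parse_qs(urlsplit(url).query)
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not started by this session")
    if "error" in query:
        return {"error": query["error"][0],
                "error_reason": query.get("error_reason", [""])[0]}
    if "code" not in query:
        raise ValueError("callback carries neither code nor error")
    return {"code": query["code"][0]}


def appsecret_proof(access_token: str) -> str:
    """HMAC-SHA256 of the access token keyed with the app secret, hex-encoded."""
    return hmac.new(APP_SECRET.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()


def graph_params(access_token: str) -> dict:
    """Query parameters for a Graph API call protected by appsecret_proof."""
    return {"access_token": access_token,
            "appsecret_proof": appsecret_proof(access_token)}


if __name__ == "__main__":
    state = new_state()
    print(build_login_url(state, scopes=("email", "public_profile")))
    cb = parse_callback(f"{REDIRECT_URI}?code=AQD-constructed-code&state={state}", state)
    print(cb, graph_params("constructed-token"))
```

The state is compared with a constant-time comparison and the callback is rejected before the code is ever looked at, which is the check the JavaScript SDK performs for you and a manual flow has to perform itself.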
Related
I have made a Facebook app for authorization of users on my website; I am using the OAuth method. On my site I have a feature called "Log in With Facebook"; when the user clicks it, he gets redirected to Facebook with the link
https://www.facebook.com/v2.2/dialog/oauth?client_id=<ID>&redirect_uri=<mysite>&state=<some random hash>&scope=
This looks fine enough. Now Facebook asks for Allow, and when the user clicks Allow, I get a URL back on my site with a special parameter called &code= .. It looks like
http://mywebsite.com/facebook&code=<some huge Random code>&state=<hash>
Now, I would like to know what exactly the code= parameter value says. Is it the access token of the user? I don't see special parameters like access_token=. So can somebody tell me what code means in OAuth and whether it is the same as the access token? How can I verify it? Please input your thoughts.
Your app needs to exchange that code server-side for an access_token.
There's specific documentation for this flow, but essentially you take the code, your app ID, app secret, and the redirect_uri you used when opening the dialog initially, and make an API call to exchange the code for an access token.
You then use the access token to make API calls on behalf of the user.
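The server-side exchange this answer describes, as an added Python example that is not the answer's own code: it sends the code together with the App ID, App Secret and the original redirect_uri to https://graph.facebook.com/oauth/access_token and reads the token out of the reply. The HTTP transport is injected so the example runs offline against a constructed stand-in; a real app passes a function that performs the GET (for example with urllib.request). Both a JSON reply and the older form-encoded reply shape are handled; which one a given API version returns is an assumption here.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"


def build_exchange_url(code, app_id, app_secret, redirect_uri):
    """The code is not a token: only the app secret turns it into one, which is
    why this request is built and sent by the server, never by the browser."""
    params = {
        "client_id": app_id,
        "redirect_uri": redirect_uri,  # must equal the one used to open the dialog
        "client_secret": app_secret,
        "code": code,
    }
    return f"{TOKEN_ENDPOINT}?{urlencode(params)}"


def parse_token_response(body):
    """Return {'access_token': ..., 'expires_in': ...} or raise on an error reply."""
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        if "error" in data:
            err = data["error"]
            msg = err.get("message", err) if isinstance(err, dict) else err
            raise RuntimeError(f"token exchange failed: {msg}")
        return {"access_token": data["access_token"],
                "expires_in": int(data.get("expires_in", 0))}
    # Assumed older form-encoded shape: access_token=...&expires=...
    fields = parse_qs(body)
    if "access_token" not in fields:
        raise RuntimeError(f"unexpected token reply: {body[:80]}")
    return {"access_token": fields["access_token"][0],
            "expires_in": int(fields.get("expires", ["0"])[0])}


def exchange_code(code, app_id, app_secret, redirect_uri, http_get):
    """Full exchange: build the request, send it via http_get, parse the reply."""
    return parse_token_response(
        http_get(build_exchange_url(code, app_id, app_secret, redirect_uri)))


def fake_facebook_get(url):
    """Constructed stand-in for the Graph endpoint used to run this offline:
    answers with a token only when the expected secret and code are present."""
    q = parse_qs(urlsplit(url).query)
    if (q.get("client_secret") == ["constructed-secret"]
            and q.get("code") == ["AQD-constructed-code"]):
        return json.dumps({"access_token": "EAAB-constructed-token",
                           "token_type": "bearer", "expires_in": 5183944})
    return json.dumps({"error": {"message": "Invalid verification code format.",
                                 "code": 100}})


if __name__ == "__main__":
    token = exchange_code("AQD-constructed-code", "123", "constructed-secret",
                          "https://example.com/cb", fake_facebook_get)
    print(token)
```

The code from the callback is single-use and short-lived; the returned access token is what the app stores and later sends (together with appsecret_proof where enabled) on Graph API calls.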
In my mobile app, users are allowed to log in over Facebook (standard Azure Mobile Service Facebook login).
Now I want to take that to the next step. Based on the user's Facebook login, I want to access his profile over the Facebook .NET SDK.
After the login I want to call a "getUserInfo" method which returns the info from Facebook. So the whole Facebook access should happen on the backend side.
Is this possible with Azure and if so, what's the best way to do so?
In your Mobile Services .NET backend, you can always get the Facebook token by calling (within a controller):
// Inside a Mobile Services .NET controller: the authenticated caller
ServiceUser user = (ServiceUser)this.User;
// Pick the Facebook identity among the caller's linked credentials (null if the caller did not log in with Facebook)
FacebookCredentials creds = (await user.GetIdentitiesAsync()).OfType<FacebookCredentials>().FirstOrDefault();
string accessToken = creds.AccessToken;
Then you can communicate with the Facebook Graph API using that token.
If there is a particular set of capabilities you want to be able to access beyond the public profile, you may want to add permissions to your login request via the MS_FacebookScope application setting. The value is just a comma-separated list of the scopes you wish to use.
You may find this blog post helpful in explaining the above in more detail:
http://azure.microsoft.com/blog/2014/10/02/custom-login-scopes-single-sign-on-new-asp-net-web-api-updates-to-the-azure-mobile-services-net-backend/
The Facebook Platform Policies section 1.6 clearly states
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
The Login Flow for Web without Javascript SDK says on Logging people out
You can log people out of your app by undoing whatever login status indicator you added, for example deleting the session that indicates a person is logged in. You should also remove the stored access token.
On the other hand the Login Flow for Web says about Logging people out
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
So in my understanding the Login Flow with the JS SDK does what the policy says: it logs the user out of Facebook as well. How do I implement the Login Flow without the JS SDK correctly, such that I do not violate the Facebook Platform Policy? So far I don't see that the Graph API offers similar functionality.
That should be easy; looking at the PHP SDK's method getLogoutUrl, it creates a URL of the following scheme:
https://www.facebook.com/logout.php?next=FOO&access_token=USER_ACCESS_TOKEN
For FOO you just place the URL of your website where you want the user to be redirected to after they are successfully logged out of Facebook (don’t forget to properly URL-encode that value), and USER_ACCESS_TOKEN should be self-explanatory. (You need an active user access token to log the user out of Facebook – obviously, because otherwise every site on the web could just redirect me to this address and log me out of Facebook, without me actually wanting that to happen.)
I'm writing a VC++ app and I would like to allow users to login via Facebook. Looking through the documentation, it looks like they only support php on servers, JavaScript, and native mobile clients.
Right now what I'm thinking of doing is to open a browser window in the app, have the user authenticate, and then grab the auth token to do native app calls.
The other thing I was thinking of is having the user enter the Facebook username and password into my app and then using that directly, but I'm not sure if that's allowed.
How do I authenticate a desktop app with Facebook?
Right now what I'm thinking of doing is to open a browser window in the app, have the user authenticate, and then grab the auth token to do native app calls.
Actually you are on the right track: Facebook provides you with a so-called "Manual Flow".
So this is how you authenticate your users with Facebook in your app in three steps:
Step 1
When the user should login to Facebook, open the embedded browser and point to this url:
https://www.facebook.com/dialog/oauth?client_id={app-id}&display=popup&redirect_uri=https://www.facebook.com/connect/login_success.html
Three things to note here:
Of course, you need to replace {app-id} with your application's id.
The redirect_uri must be set to https://www.facebook.com/connect/login_success.html when using a desktop application (that's your case).
You can also specify additional parameters, for example if you need to request extended permissions from the user (publish_actions, etc.). See the full list of optional parameters for more information.
Step 2
Make sure you have enabled the following switches in your app's advanced settings:
For security reasons, you should enter https://www.facebook.com/connect/login_success.html under "Valid OAuth redirect URIs", but it worked for me without explicitly setting this.
Step 3
Now the redirection by the Facebook servers should navigate the browser window to the redirect uri from above. It will also include the access token in the uri's fragment as follows:
https://www.facebook.com/connect/login_success.html#access_token=ACCESS_TOKEN...
Use the ACCESS_TOKEN in order to make any subsequent calls to the Facebook API - et voilà!
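Step 3 above, as an added Python example (not the answer's code): the host application watches each URL the embedded browser navigates to, ignores everything except the login_success.html redirect target, and only then reads access_token out of the fragment. Comparing scheme, host and path before trusting the fragment keeps a token-looking fragment on some other page from being picked up. Where Facebook places the error parameters when the user declines (query string or fragment) is assumed here, so both are checked; the sample URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Redirect target the answer prescribes for desktop applications.
LOGIN_SUCCESS = "https://www.facebook.com/connect/login_success.html"


def is_login_success_page(url):
    """True only when scheme, host and path all match the redirect target."""
    got, want = urlsplit(url), urlsplit(LOGIN_SUCCESS)
    return ((got.scheme.lower(), got.netloc.lower(), got.path)
            == (want.scheme, want.netloc, want.path))


def extract_token(url):
    """Call this for every navigation of the embedded browser.

    Returns None while the browser is still on a dialog page, a dict with
    access_token once the redirect target is reached, or a dict with 'error'
    when the user declined or the dialog failed.
    """
    if not is_login_success_page(url):
        return None
    parts = urlsplit(url)
    fragment = parse_qs(parts.fragment)
    query = parse_qs(parts.query)
    if "access_token" in fragment:
        return {"access_token": fragment["access_token"][0],
                "expires_in": int(fragment.get("expires_in", ["0"])[0])}
    for source in (query, fragment):  # assumption: error may sit in either place
        if "error" in source:
            return {"error": source["error"][0],
                    "error_description": source.get("error_description", [""])[0]}
    return {"error": "no_token",
            "error_description": "redirect target reached without a token"}


if __name__ == "__main__":
    # Constructed navigation sequence an embedded browser might report.
    for seen in ("https://www.facebook.com/dialog/oauth?client_id=123456789&display=popup",
                 "https://www.facebook.com/connect/login_success.html"
                 "#access_token=EAAB-constructed-token&expires_in=5183944"):
        print(seen, "->", extract_token(seen))
```

Once a dict with access_token comes back the browser window can be closed; the token then travels only in the app's own Graph API requests, never in a URL the user can see again.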
I have created an app on Facebook and I am using this app to authorize a user via DotNetOpenAuth.
Here I would pass APPID and APPSECRET and get the token which would be used to call the Facebook Graph to get Facebook user details.
If I'm doing this for the first time, the user would be asked to enter username/password on the Facebook website; then the session is created in the browser and it will redirect to my website as a Facebook user. This means that if I open a new tab in the current window and open Facebook, the user will see his/her page directly without being asked for username/password. This is obvious and understandable.
// code: call the Graph API with the stored user access token
WebRequest request = WebRequest.Create("https://graph.facebook.com/me?access_token=" + Uri.EscapeDataString(strAccessToken));
WebResponse response = request.GetResponse();
My query is:
After the scenario above, if the user logs out from the Facebook website OR I close the browser window, the Facebook session is lost. However, I still have the access token (the string in the above code) that I got while authenticating.
So, as of this moment I am not storing any user information from Facebook (not even cookies or anything else). I am just requesting the user to authorize my application as a Facebook user. When the user does that, I get the access token which I can use to make calls to the Graph and REST APIs. This access token usually remains the same, so I really don't need to pass the application ID and secret to get the token the next time onwards. Actually I can request the Graph APIs and REST APIs with the stored token and request user details. I have tested this and it works fine.
What I am looking for is: if the user opens www.facebook.com, the user should see his/her personal Facebook page, which obviously is possible only if I have a session in the current browser. Hence, my question: how do I use my access token, OR what call should I make with my access token, so that I can set the browser session for the Facebook user? Is it possible technically?
Regards,
AG
No. Your access token is used by your web server to call Facebook. It's impossible (and undesirable) for this to impact the user's browser in a way that would set a facebook.com cookie so that the user would be implicitly logged into Facebook by your use of the access token.