I have a requirement in Liferay to do Facebook SSO to all my portlets (eg: Socialcom) after a successful login.
The Socialcom portlet will display the contents of socialcom website (as of now)
Steps
User logs in to portal using his facebook credentials
Portal displays Socialcom portlet & some other portlets (supporting Facebook SSO in their website)
Each portlet should get authenticated automatically via the facebook SSO.
I have enabled facebook authentication for liferay which works fine.
Any help for doing SSO for individual portlets will be appreciated.
Thanks,
Siby
I assume that you want your portlets to use the facebook API to get more information or to trigger action/activity?
While I don't have too much experience with this, keep in mind that this is a different usecase: In SSO we only want to have the user's identity. As Liferay is not doing anything in addition with this information, I expect that there's no more information that you'll find here. The portal's job is to let you know who is currently logged in. You typically don't worry about the login process - e.g. if they're signed in through Facebook, OpenId, locally or through any other means. Then their account can have the relevant facebook identity, but you don't want the portal to keep the permission to make arbitrary calls to Facebook: After all, there can be other portlets that are deployed, that also make use of this connection.
I'm assuming (hoping it is this way) that you'll have to get the credentials and permissions for Facebook-calls yourself and share them with all portlets that make up your own application.
If my expectation is not met, I'd expect this to be a quite big security issue: Just because you want your portlets to be able to call into facebook, you don't want mine to be automatically authenticated as well. Trust me, you don't ;)
Related
Thank you very much for visiting this topic. Currently I'm working on a smaller application that can be installed on facebook pages (not accounts, but separately created pages, like company or fan pages on facebook). I managed to fire up the php SDK for it, even made successful user authentications and played around with access tokens (only user access tokens though).
However my problems arose when I've tried to determine if the current user is an administrator for that facebook page (where the application is installed).
I've done numerous google searches and research into this topic, but sadly I've realised that most tutorials, questions or related topics are all outdated, or they have obsolete solutions.
I kept running into the 'manage-pages' permission when people advised me to go for page access tokens. However in my opinion asking facebook to grant me manage-pages permission, then prompting users to allow me access to everything on their pages during authentication seems a bit far fetched.
I do not want to modify or read their page contents in any way. I simply want a mini admin page for the application that can be opened by only users that are admins of that certain page.
I've seen an edit url that can be added in the settings of the application. However I could not find out what it does, or how can I access it if I add an url there. The related documentation on facebook seems to be out of date.
I would be very grateful if someone can point me in the right direction with this. Basically I'm looking for a method, that does not require me to use the 'manage_pages' permission, but I can still check out if the current user viewing the installed application on the page is an admin or not. (I wonder if facebook supports an other method for this)
Thank you very much for any kind of tips or aid in this matter!
Facebook never gives of fan pages or other pages access.
You have to communicate with facebook page admin and its give a token.
Suppose if you have a permission than it generated token will be you use in your application
how do you do?
1 communicate with admin.
2 Admin generat token from https://developers.facebook.com/tools/explorer
3 go to tools and support than it generated token you use in your application.
Note: "Page of admin can it do to generate token"
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
my question relates to how to log users into LinkedIn (SP) automatically from a company web portal that I am making. (As opposed to how to authenticate user on my website using linked in as the IdP).
I need my website users to be able to configure their LinkedIn account username and be automatically logged in to LinkedIn when they click the LinkedIn icon. I achieved this with Sales Force by use of an uploaded certificate and a SAML token and ideally would be able to use a similar approach with LinkedIn.
Is this possible? Has anyone else managed to achieve this and what is the best approach?
We have enabled SSO for our Google Apps Domain. When users try to access "http://mail.google.com/a/domainname.com" they get redirected to the custom SSO Sign in page url. But when url http://google.com/a/domainame.com is accessed users are able to login to google apps users hub without being redirected to SSO sign in page url. As per my understanding, this kind of login should be only enabled for administrator of domain. Why is it happening for normal users of our domain.
How can we redirect http://google.com/a/domainname.com" url to custom sso sign in page. Please help. Thanks in advance.
You can't block people from logging into Google through 'local' credentials, if they know them: they need this for access via mobile devices, where you can't be redirected to a web page for SAML SSO, for example.
The normal solution is to change the password to something the user doesn't know.
Further, if you force 2-factor authentication for your users, this means a user can have one-time passwords for their mobile devices and still have an account password they don't know.
The www.google.com/a/yourdomain.com url points to google cpanel, which can never, ever be restricted through custom SSO, as this is your only recourse to disable SSO. If anything goes wrong, you need to hit that url to turn off SSO or change SSO settings.
If you wish to restrict access to cpanel, please look into organizations restrictions / superuser privileges; you can restrict cpanel superadmins to only one or two trusted admins.
If you wish to have only a single admin account with access to cpanel, but want to give some cpanel features to regular users, check out some third party apps in the google marketplace; gPanel is especially good as it gives you fine grained control over who can access what. Couple that with SSO, and you get a complete logging / monitoring / access control solution.
Firstly I understand OpenId is for authentication and OAuth is for authorisation and unlike other questions on the site I am not asking which should be used for which but whether anyone can advise a solution for my issue.
I want to allow users to login to my site via their LinkedIn/Twitter/Facebook account once logged in say via LinkedIn they could also then authorise their Twitter and Facebook account as a optional login method. This would allow the user to authenticate via any of the three but end up with their user account on my site as the end result.
I also want to use the authorisation they have provided to get basic user details (profile pic/name etc) and post status updates.
I don't want to ask a user to login with their account via openId then have to authorise the same account again via oauth to allow my site to publish to their service feed and have to do this for each of the 3 services.
Any ideas or issues to this issue?
If you are using ASP.NET MVC, DotNetOpenAuth is an excellent solution for supporting OpenID/OAuth sites. StackOverflow is using it, and they are quite picky for the code they use in the site.
The integration if OpenID with DotNetOpenAuth is quite straightforward. I have not tried OAuth, but I don't expect it to be of any less quality.
Unfortunately, Facebook does not support OpenID/OAuth, so you need to use a different solution for it. The one I use is Clarity Consulting's Facebook Developer Toolkit. It works, although I do have certain complaints about the quality of the code; unfortunately I haven't found anything better yet. (Note: If anyone knows a better alternative, by all means let me know)
The basic integration of Facebook Connect with the Facebook Developer Toolkit is also relatively straightforward. However, their object model is somewhat messed up, due to their attempt to stay as close to the Facebook APIs, so the HTTP API patterns are bleeding through a lot. Still, it does the work.
Update: Now that Facebook announced that they'll be supporting OAuth 2.0, DotNetOpenAuth might turn out to be the best solution.
Have you looked into RPX?
https://rpxnow.com/
I don't want to ask a user to login with their account via openId then have to authorise the same account again via oauth to allow my site to publish to their service feed and have to do this for each of the 3 services.
I'm afraid you'll have to connect the user's account to each of the 3 services individually. What platform are you using to build your app? If it's Ruby, then a gem like OmniAuth looks promising.