PhoneGap InAppBrowser access token sessions not connecting - facebook

I am using PhoneGap 3.0.0 and trying to create a 'simple' login and connection with facebook in order to use Facebook's post dialog to post on behalf of my application to users' Facebook pages.
Here is my understanding of how the connection logic should work:
1. he application calls out facebook login in a new window (within the application itself), but it is linked to our app data
2. so, when FB gets a successful login, they redirect to OUR server, but now with a live Facebook accessToken
3. with it, in my server, I get the session data of the person
4. then automatically, that mini-browser within the application closes
5. and comes back to the application
6. now I make an alert of the facebook token
7. and then I require our server for the user's token from my application
8. once I retrieve our Token, I can initiate the automatic load of information into the application... that's it
9. when the mini-browser closes and we get back to the application I retrieve our session token, automatically
** The problem here is that this action is not happening, the session register is not happening in our server for some reason. It does work in the test module that I developed, but not in the complete application even with the same module... that's the problem here. I get perfectly the access token from facebook, but I don't get it from our server... like their session in our server never gets registered.

Related

Facebook Access-Token for Server Side

I'm trying to create a server side access to a user's Facebook resources (photos/albums/etc).
I want that the user will authenticate once using its native mobile application, and that the server will be able to access user's data without the user interaction.
I'm trying to understand the steps I need to take in order to make it work.
I've read Facebook's: Login for Server-side Apps but I can't understand how to use the scenario proposed in there - because my server has nothing to do with user interaction (I cannot redirect the user to some login dialog) - the server is performing its own operation in the background whether the user is using its mobile application or not. What should I do upon token expiration for example?
More then that, I want that the user will be able to perform direct Facebook operation on the mobile itself, without the server intervention.
As I see it, this is the flow I would expect:
User's launches a native mobile application.
The user authenticates using Facebook's SDK on the native mobile app.
The user received a special token, that can be converted at server side to an access-token.
The token will be sent to the server and stored there.
If the server needs to access user's Facebook data, it uses this special token and converts it to an access token.
When the token expires - the server can extend it, using the special token, without any user interaction.
What data should be sent to the server from the mobile application after authentication. And how should the server use this data to access user's Facebook resources anytime?
I'm using the C# Facebook SDK for the server. But I think it is not that important, I need to understand the mechanics.
Tokens expire if the user does not continue to use the application. This is by design--an application should not continue to access the user's account if the user stops using the application.
When a user logs into your application, a token is given to your application, along with an expiration date for that token. You can use that token from your client or your server until it expires. However, there is nothing your server can do to extend the token if the user does not continue to use your application.
If the user continues to use your application, you will have an opportunity to update your server token. For example, in the Android and iOS SDKs, tokens are automatically refreshed if the user uses your application to make a facebook request. At that time, you can transmit the refreshed token to your server.

how to get facebook signed request with titanium framework

I am developing iphone app through titanium which is communicate with drupal 6 server through services module.
My requirement is when user logged in to facebook from mobile, it treat as authenticated user from server side for further facebook operation performed by server.
So I am trying to get signed request for logged in user from mobile, but I am not able to get signed request for logged in user.
I called following function to open facebook login popup,
Ti.Facebook.authorize();
following listener execute after facebook login,
Ti.Facebook.addEventListener('login', function(e) { }
May i know how to get signed request after successfully logged in to facebook from device??
I have no experience in connecting to Facebook from Titanium, but installed one of their new example apps two days ago: https://wiki.appcelerator.org/display/guides/Example+Applications#ExampleApplications-ARti
This connects to FB, do not know in what way. You can download example code from GitHub, maybe you find it useful.

Why can't I use server-side flow oauth tokens for an iOS app feed dialog?

I am working on a product which has both a desktop web site and a native iOS application. We are providing Facebook connect as a login option for our users in both contexts.
My intention was to share the same Facebook tokens via a secure JSON API for use in both contexts: when a user signs in on the web, the token is stored to our backend so that when the mobile client next runs, it can download the token and use it as well, and vice-versa. (* The detailed reasoning for this approach I explain at the end of the question, and is not essential to the question.)
The problem: when the iOS client uses a token to preset a feed dialog, if that token is generated by the web using the server-side flow, the dialog webview renders an error:
"An error occured with {my app name}. Please try again later."
This is reliably reproducible:
Generate a new access token using the server-side flow. Make sure you request publish_actions permission since you'll be using the feed dialog.
Using an incognito browser window (to get an empty cookie jar), view the m.facebook.com page that the iOS feed dialog would render in its webview: https://m.facebook.com/dialog/feed?access_token=SERVER_SIDE_FLOW_ACCESS_TOKEN&app_id=YOUR_APP_ID&redirect_uri=fbconnect%3A%2F%2Fsuccess&sdk=2&display=touch
Alternatively to #2 you could do all the work (which I have done already) of creating a dummy iOS app with the Facebook SDK, instantiating it correctly and presenting the dialog. It's just easier to go straight to the m.facebook.com feed URL for the purposes of reproducing the error.
If the token was generated by the auth flow initiated by the native Facebook iOS SDK instead of the server-side auth flow, the above feed url works perfectly fine, as expected.
Additionally, either token (mobile or server generated) works perfectly fine for posting feed items directly via the graph api. The problem is really just with the mobile feed dialog.
Is Facebook intentionally disallowing server-side generated tokens from operating in mobile feed dialog contexts?
Is this a bug with the feed dialog endpoint on m.facebook.com?
Or, hopefully, am I doing something wrong?
Why do I want to share tokens?
Since the offline_access permission is being removed, each client (web vs mobile) can benefit from having the other client refresh the same token when the user is active. This will lead to fewer instances of token expiry, and therefore fewer cases in which users must re-authenticate from scratch.
Likewise, users are not asked so frequently to approve additional permissions, since each client can benefit from the other's permission augmentations.
The tokens you get from the server side auth are different from the ones on the client side (I look at iOS/Android as client).
The server tokens are long lived one (60 days) while the client ones are short lived (a few hours).
The server side flow adds another layer of security where your servers authenticate against the facebook servers, which is probably why you get a long lived token automatically when using this flow.
If you try the debugger with an access token you will receive information about the token, such as the "origin" of the token.
For example a token generated from a client side auth (using js) has "Origin: Web".
That means that facebook indeed differentiate between tokens.
I'm not 100% sure about this, but from what you're saying it does sound like facebook is limiting the UI to the usage of client tokens and not server side ones, probably because the dialogs let the user do things without the need of the app to get permissions, and so if you have a 60 days token your app can then use it instead of the user and do things on his behalf with out having his permission.
I'm just guessing here.
What I would recommend you is to use the server token only on the server side, and let the iOS client handle his own token.
According to the Handling Invalid and Expired Access Tokens guide, it states:
iOS native applications
API errors are handled by the FBRequestDelegate interface. When you
detect an access token is invalid or has expired, your application
will need to multi-task over to the Facebook iOS app. Assuming the
user has not deauthorized your app, they will be immediately
multi-tasked back to your iOS application with a fresh, valid access
token.
Which means that you don't have to worry about the token getting expired on the client side.

Can't Logout of my Facebook OAuth Session without logging User Out of Facebook

Per the SDK, I am using the logout.php with redirect:
https://www.facebook.com/logout.php?confirm=1&next={SOME URL}&access_token={ACCESSTOKEN}
It is logging me out fine, but it's also logging the user out of facebook. Isn't there a way of logging out of my OAuth session without logging out of facebook?
Yes, I ran into this same issue myself. Dont do logout.php or JS SDK's FB.logout(). Rather call the Graph API with an HTTP Delete command to me/permissions. That will kill the access token, remove the app from the user's app listing and maintain their browser's cookie for facebook. You can call it either server side or client side. Here's the client side Javascript SDK way:
FB.api("me/permissions","delete", function(response){/*do something if you want*/})
This is one of the many annoying things about developing on the Facebook platform. The only way to log out via a browser session is to use their javascript logout function or the redirect like you tried but either will also log the user out of Facebook which is very annoying from a users perspective. The problem is you can't access the cookie they set for your app to delete it due to cross-domain restrictions so you are stuck with the limited options Facebook provides. If you are not prompting for offline_access, you could just forget the users access token and it will expire after an hour. Although the problem still exists that the cookie is still set for within that hour.

Desktop Facebook Logout

I have a desktop application that uses facebook authentication in offline mode. There is no session key as the app returns me an access token.
It stores the access token and allows the user to post to facebook at other desktop app locations around an event.
The problem I'm having is that after a user goes through the oauth, I can't clear the session data for the next user.
I've tried deleting all the cookies, but that causes a facebook script error when the next user tries to authenticate...
I'm simply looking for a way to remove the session cache from the machine and not cause javascript errors...
This is the closest I've found to anyone figuring this out. It doesn't work for me, though:
http://forum.developers.facebook.net/viewtopic.php?id=84232
My problem is that I can't log the user out if they haven't authorized my app and returned an access token yet.