How can I use the existing facebook access token without additional authentication. I have a server system which will give valid facebook access tokens to clients.
The flow looks like this:
Client redirects user to facebook through server API
User authenticates
Server API handles redirect
Server API sends access_token to client (via WebSockets)
Client does job with graph API
Is this possible when using parse.com? (IOs and Android SDKs)
Related
I have a Web API developed with ASP.Net Core. I also have a client app developed with Next.js and it uses NextAuth.js to handle the authentication.
In the UI, when a user is authenticated, I have access to the access token from Facebook.
My question is how can I use this access token to authenticate the requests sent to the back-end API.
This is the back-end code used to register the Facebook authentication scheme (it is all standard):
builder.Services.AddAuthentication()
.AddFacebook(
facebookOptions =>
{
facebookOptions.AppId = "<my_app_id>";
facebookOptions.AppSecret = "<my_app_secret>";
});
I want to construct a Postman request that can authenticate my user using a specific access token but I do not know where to put this access token and whether this is possible at all.
Just sending the request like this (without any modifications) results in visualizing the Facebook login page.
Your Asp.NetCore project integrates Facebook login. After logging in, the token you get can only access protected resources in the current project, such as: [Authorize].
If you want to access Facebook's resources, you need to write your own code to get the token and then access the resources.
1. How to Get Facebook Access Token in a couple of minutes: 2020 guide
2. How to get current user access token from Facebook SDK in C#? Not the App access token
After you get facebook access_token, then you can access Facebook's resources.
I have a website using ASP.NET Core, which uses MS Identity and external login from Facebook.
I have a Xamarin app that logs to this backend via login/password using Xamarin.Auth. I am wondering which is the best way to allow external login to Facebook from the app?
Should I create a separate Facebook app for Android or should I use the same as the website?
What would be the flow?
I am thinking of something like:
Using the Facebook sdk to log in
Pass the token to the server
Check from server side if the email exists or the FB user id exists
If yes check whether the app is registered using Facebook and if yes login
If no create an account
But until now I haven't stored the user's Facebook Id (only the email, that the user can also modify).
Xamarin.Auth is client library and currently has no server side implementations.
So, your server is Protected Resource and Facebook will be Authorisation Server. After you obtain your tokens (access_token and refresh_token) you would try to access Protected Resource presenting access_token as a credential. Protected Resource will perform token introspection (this could be separate service-server) which will decode the token, lookup username (mail) and check expiration of the token.
This is not specified in draft (RFC) so check how FB does token introspection.
Few links for more info:
How to validate an OAuth 2.0 access token for a resource server?
http://blog.api-security.org/2014/10/oauth-20-token-introspection-profile.html
https://www.quora.com/In-OAuth-2-0-how-do-resource-servers-assert-a-token-issued-by-an-authorization-server
https://connect2id.com/products/server/docs/api/token-introspection
https://leastprivilege.com/2015/12/27/oauth-2-0-token-introspection-middleware-for-asp-net-5/
I'm investigating how to use id server to provide auth services for a native mobile app that will talk to a Web API that we are developing. I started off with the flow as described in the MVC walkthrough - so the user is redirected by ID Server to FB (with acr_value/idp) and then redirected back after sign-in, where I can do the claims transformation and issue a token for our application.
The developers of the native client have concerns about this though, and would rather use the FB sdk to log the user in to FB, instead of having id server issue the token after redirections. The following issue on the previous version of ID server explains this well:
https://github.com/IdentityServer/IdentityServer2/issues/503
How would I go about doing this with id server 3?
This is a perfect use case for a custom grant.
1) first do native FB login
2) send FB token to IdentityServer token endpoint using custom grant
3) write a custom grant validator that validates the FB token
4) return JWT token for your APIs
Documentation:
https://identityserver.github.io/Documentation/docsv2/advanced/customGrantTypes.html
I have a web api which I want to secure using ACS, but I want to use ACS for authorization only. The flow I want is:
The user is redirected by the app to authenticate with Facebook and
the app receives a Facebook token.
The app sends a request to ACS with the Facebook token and receives
a new token, which he can use to access the API.
The user calls the API and passes the token received from ACS as
authentication/authorization for the API.
Is this flow possible? How do I set this up on the ACS side and the API side?
I already have the Facebook authentication working in the app. I would like to leverage the token I am already getting in order to call the API.
I am developing a Facebook application for mobile platforms. The mobile part is being developed with PhoneGap and the server side is Python / Django.
The mobile app should be able to query Facebook API directly. Server should be able to query Facebook API on the users' behalf too. Thus the user should be authenticated both with Facebook and on the server (Django), and the server should have the user's Facebook authentication token.
What would be the best flow for authenticating the user on both sides? Is it reasonable to authenticate on Facebook via mobile app, then send the token to the server and create a django session on the server?
I had a similar requirement: jQueryMobile app with Ruby On Rails backend. In my case, I implemented the Facebook authentication on the backend using omniauth. The backend retrieves the Facebook access token and passes it to the jQueryMobile frontend. The frontend then uses JSONP to retrieve the user's friend list. The advantage of this approach is that there is a single point of authentication -- Facebook auth at the backend.
You can find a demo of my app and the full source code at http://csgrad.blogspot.com/2011/07/jquerymobile-app-with-facebook.html