I'm writing a VC++ app and I would like to allow users to login via Facebook. Looking through the documentation, it looks like they only support php on servers, JavaScript, and native mobile clients.
Right now what I'm thinking of doing is to open a browser window in the app, have the user authenticate, and then grab the auth token to do native app calls.
The other thing I was thinking of is having the user enter the Facebook username and password into my app and then using that directly, but I'm not sure if that's allowed.
How do I authenticate a desktop app with Facebook?
Right now what I'm thinking of doing is to open a browser window in the app, have the user authenticate, and then grab the auth token to do native app calls.
Actually you are on the right track: Facebook provides you with a so called "Manual Flow".
So this is how you authenticate your users with Facebook in your app in three steps:
Step 1
When the user should login to Facebook, open the embedded browser and point to this url:
https://www.facebook.com/dialog/oauth?client_id={app-id}&display=popup&redirect_uri=https://www.facebook.com/connect/login_success.html
Three things to note here:
Of course, you need to replace {app-id} with your application's id.
The redirect_uri must be set to https://www.facebook.com/connect/login_success.html when using a desktop application (that's your case).
You can also specify additional parameters, for example if you need to request extended permissions from the user (publish_actions, etc.). See the full list of optional parameters for more information.
Step 2
Make sure you have enabled the following switches in your app's advanced settings:
For security reasons, you should enter https://www.facebook.com/connect/login_success.html under "Valid OAuth redirect URIs", but it worked for me without explicitly setting this.
Step 3
Now the redirection by the Facebook servers should navigate the browser window to the redirect uri from above. It will also include the access token in the uri's fragment as follows:
https://www.facebook.com/connect/login_success.html#access_token=ACCESS_TOKEN...
Use the ACCESS_TOKEN in order to make any subsequent calls to the Facebook API - et voilà!
Related
I build API for post on my community of VK. But I check my permission for my app, and I have all permissions, but not load WALL permissions.
In the scope for OAuth, I put all scopes and not work the WALL. I check the "Api.console" and they have "Access to Wall - The application has access to your wall", but in my app not appear.
This is the response:
{"error":{"error_code":15,"error_msg":"Access denied: no access to call this method","request_params":[{"key":"oauth","value":"1"},{"key":"method","value":"wall.post"},{"key":"owner_id","value":"-*********"},{"key":"from_group","value":"1"},{"key":"message","value":"New post on group wall via API."}]}}
I check other services and if work.
You can't call wall.post (and a lot of other methods) with a non-standalone applications. It seems like your VK application is of type Website or iFrame - they have limited access to the API methods.
However, while you can't call this method from non-standalone applications, can via the Open API (it's a JavaScript SDK for Website applications) or the JavaScript SDK for iFrame applications.
When you call wall.post via these SDKs, a confirmation window will appear where the user needs to confirm the wall post before sending it:
Standalone applications are designed to be used in apps like mobile or desktop clients or browser extensions (because they don't have CORS limitations and may read any tab). There is absolutely no ways to get a user's standalone access token without limitations if you are trying to authorize them via website.
If you are building website or something and need wall.post for service purposes (e.g. news cross-posting), then you may get your token and save it anywhere in site configuration. Open this address:
https://oauth.vk.com/authorize?client_id={APP_ID}&scope={PERMISSIONS}&v={ACTUAL_API_VERSION}&response_type=token&redirect_uri=https://oauth.vk.com/blank.html
{APP_ID} - your standalone application ID (may be found in application Settings).
{PERMISSIONS} - comma-separated list of permissions. Don't forget the offline permission to get token that doesn't expire.
{ACTUAL_API_VERSION} - VK API version.
Example:
https://oauth.vk.com/authorize?client_id=123456&scope=wall,offline&v=5.60&response_type=token&redirect_uri=https://oauth.vk.com/blank.html
Note that redirect_uri=https://oauth.vk.com/blank.html is required to get token without the above mentioned limitations.
After you grand your application access to your account, access token without limitations will appear in your browser address bar. Just copy it, save in your configs and feel free to call any methods you want.
Late but...for this you need to first create a sort of "demo" app for VK using the standalone app type which would issue you an access token inside the address bar when you set the redirect link to https://oauth.vk.com/blank.html
This access token would allow you to share to your personal profile wall.
Then you need to contact VK support and display your app in action. Once they approve it then you'd be able to use a "Website" app that has OAuth style authentication
Our website runs in public computers and the browser is restricted to our own site. Facebook needs a redirection for security reasons. Can this be avoided somehow?
If not, which are the urls I'd have to allow/unlock?
Have a look at
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2#login
You need to use the following structure:
https://www.facebook.com/dialog/oauth?client_id={app-id}&response_type=token&redirect_uri=https://www.facebook.com/connect/login_success.html
Have a look at the hints in the blue box at the bottom of the docs paragraph:
When using a desktop app and logging in, Facebook redirects people to the redirect_uri mentioned above and places an access token along with some other metadata (such as token expiry time) in the URI fragment:
https://www.facebook.com/connect/login_success.html#access_token=ACCESS_TOKEN...
Your app needs to detect this redirect and then read the access token out of the URI using the mechanisms provided by the OS and development framework you are using. You can then skip straight to the Inspecting access tokens step.
The Facebook Platform Policies section 1.6 clearly states
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
The Login Flow for Web without Javascript SDK says on Logging people out
You can log people out of your app by undoing whatever login status indicator you added, for example deleting the session that indicates a person is logged in. You should also remove the stored access token.
On the other hand the Login Flow for Web says about Logging people out
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
So in my understanding the Login Flow with JS SDK does what the policy says, it logs the user out of Facebook as well. How do I implement the Login Flow without JS JSDK correctly, such that i do not violate the Facebook Platform Policy? So far i don't see that the Graph API offers a similar functionality.
That should be easy, looking at the PHP SDK’s method getLogoutUrl, that creates an URL of the following scheme:
https://www.facebook.com/logout.php?next=FOO&access_token=USER_ACCESS_TOKEN
For FOO you just place the URL of your website where you want the user to be redirected to after they are successfully logged out of Facebook (don’t forget to properly URL-encode that value), and USER_ACCESS_TOKEN should be self-explanatory. (You need an active user access token to log the user out of Facebook – obviously, because otherwise every site on the web could just redirect me to this address and log me out of Facebook, without me actually wanting that to happen.)
I know that facebook allow me to specify multiple domains for my app.
But in the "Website with Facebook Login" i can only specify one url.
Is it possible for me, to authenticate users on domain.se, domain.dk and domain.net with the same App ? Or should i still create one app, for each domain ?
It is technically possible to use Facebook Connect on multiple domains, there are some limits (5 domains max).
So the key to doing this is adding all domains in the App Domain field under your app settings.
The PROBLEM, however, is that Facebook only lets you add domains that are derived from your Canvas URL or Site or Page tag URLs, so if you try to enter anything else you get an error that looks like this:
The SOLUTION is to create App on Facebook, Website, and Facebook Tab using the ADD PLATFORM button and then put in URLs that point to your other domains. Here is an example of what I mean:
If you use a unique domain for each field you can max out with 5 different domains. I have tested this technique with up to 3 domains, but i think it should work for all 5.
Note: Facebook admin features change from time to time, so all of this is subject to change
As long as you listed all the desired App Domains in application settings you should be able to authenticate users on any of them.
"Website with Facebook Login" is really only intended to be used as link to your site/application.
Update 2 (July 2016):
App domains must match the domain of the Secure Canvas URL, Mobile Site URL, Unity Binary URL, Site URL or Secure Page Tab URL.
Update (December 2013):
At the time of writing original answer it was possible to list any domains in application settings but from that time the UI of Application Settings (as well as way of handling Application Domains) changed at least couple of times, at some point you could only list domains that derive from one of application's canvas pages.
As of December 2013 it is possible (again) to list domains that do not derive from application canvas URL.
Assuming your domains are being served by the same web server and you have access to that web server, you can use the manual login procedure: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow to login from as many domains as you wish.
Assume your domains are site1.com,site2.com.... Instead of using the Facebook javascript API, you will simply place a plain old Log In with Facebook button on each site which will redirect the browser to the facebook login page as described in the above article. In the state variable you can specify a code which indicates which of your sites is requesting a login. In the redirect you will use a single service domain which you assign to your web server (e.g. fb.mywebserver.com) and which you specify as the verified redirect url in the facebook login settings page. All the sites will redirect to this same url, avoiding the problem of supporting multiple domains.
Once the user has logged in, the browser will redirect to fb.mywebserver.com and pass it the state, which tells you which site is requesting login and a code which you can use on the back end to retrieve the user's info using the Facebook graph apis. You store this info with a uid in your data store then using the info in state, you redirect to to the appropriate site including a parameter that indicates a Facebook login (e.g. site1.com?fbc={some uid}). The browser will obediently then call site1.com?fbc... Your web server will receive this request and detect the fbc parameter which tells it to associate the corresponding Facebook logged in user with this site. It can then retrieve the logged in users info using the uid and, for example, return a session cookie for this user along with the page. If you generate the page on the server you can, of course, also include a welcome "user" or alternatively, your client code can do an ajax call to retrieve that information.
From the user's standpoint they press the Login with Facebook button, are redirected to a Facebook login page where they login and then are redirected back to your site in a logged in state. Not quite as nice as having the login popup but likely acceptable.
A similar process can be used for google logins as well
Best thing I've found to do in the development/production scenario is add a "Test App", then add a platform for your development web site - as you have to provide where the "page tab url" lives if you use that as a platform.
Facebook requires your "page url" to be live / accessible if you need to apply for status or permission review.
This got me around the "login in development" / "login in production" scenario.
I am creating a SaaS that will allow users to interact with it via their web applications. I would like to create a CAS type login mimicking Facebook connect so when you click the 'Login' button on the users website it will popup a window for you to login with my SaaS credentials.
I do not want the SaaS users site to be able to access the users login credentials so this is why I thought of CAS. However, it doesn't look like Facebook Connect redirects to the CAS server. It looks like they just popup a window to the facebook login then create a cookie once the user successfully logs into facebook. How then does the Facebook Connected site access that cookie?
I am wanting to basically be able to keep the end user on the current website without being redirected to my login application. I would like to mimic what facebook does with just popping up a little window and have them login then refresh the page after they login but I am not sure how to go about this.
Any ideas?
Facebook uses a third party cookie: they set a cookie on your domain that you can access to get the necessary credentials.
EDIT: the easiest example would be to look at PHP's setcookie function. Notice that there is a domain parameter. If you change the domain to match the domain of the actual website that initiated the authentication action then you'll be able to set a third-party cookie.
Note that on IE there are certain headers the domain that initiated the authentication action needs to set to allow your third-party cookie to be set. See http://www.spamcollect.com/archives/33 for a short writeup of how that works.
If you are working in a different language you'll need to use whatever cookie management functions they offer.
Another option may be to do this with CAS programmatically using the REST client.
https://wiki.jasig.org/display/CASUM/RESTful+API
In this way you could take the users details and login to CAS without being redirected.
Facebook uses Cross Domain communication which is what I will be using.