Update
This was reported to Facebook via https://www.facebook.com/whitehat/report/ on Dec 16th 2013 and Facebook responded on Dec 17th that the bug has long since been fixed.
I have retested this with my Facebook account (that I still haven't verified the email address on) and when using the Grap API Explorer tool it is not possible to get the email address of this account using the Graph API or using a FQL query.
Conclusion: The email address you get from Facebook using the Graph API or a FQL query is a verified email. If an account hasn't verified it's email yet it's not possible to get it.
Original Post
I am making a web app with SSO that is offering the user to sign in with either Google or Facebook. I would like users who have both types of accounts to show up as the same user in my system regardless of which identity they log in with. To achieve this I'm thinking of using the email address as the identifier to know if I should create a new account or if the user already exists.
To not introduce any security problems I must know that the email address is verified and actually belongs to the user. For Google the userinfo API can tell me if an email is verified or not, so there's no problem here. But I can not find anything like this in the Facebook Graph API.
Is it possible to know if an email address is confirmed on Facebook?
I know that there is a verified field, but that only tells if the account is verified and not the email address.
At first it looked like you are only able to use the Graph API for accounts where the email address has been confirmed. If the address wasn't confirmed I just got an error telling me that I had to confirm the email address first before being able to sign in to any third party site.
However this does not seem to be true for all accounts. In some cases it's possible to get accesses to all parts of Facebook even if you don't have a confirmed email address. One example of this is when you sign up with a #myopera.com mail address.
When you sign up to Facebook with a #myopera.com email address you get a message that your account has been temporarily locked as soon as you submit the sign up form. To continue you need to provide your phone number to verify your account and to "keep Facebook safe and free from spam" (sorry for the Swedish in the screenshot, this was before I could get into Facebook and change language to English):
When you provide your phone number you are logged in and Facebook doesn't nag you any further about that you have to verify your email address.
The only place where you can see that your email address is not yet verified is on the settings page:
The Mobile Settings that is usually not accessible before you have verified your email address is available and lists the phone number entered during sign up:
In addition to this it is also possible to log in to third party sites with an unconfirmed email address:
When I connect to the graph api with this user I can get the unconfirmed email address and the verified field returns true as expected since I have verified the account by adding a phone number. So obviously I can't trust that the email address I get from Facebook really belongs to the user that has the Facebook account.
Is there any other way of knowing if the email address is verified or not or do I have to verify it myself if I want to use it for identifying the user?
I was looking for an official Facebook statement regarding this issue and finally i found this: https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1, which clearly says that developer should not rely on the fact that email address is verified.
I've never used it, but you may be able to check with a FQL query of the user.email_hashes: http://developers.facebook.com/docs/reference/fql/user
Related
I am implementing an email verification service, with the purpose of confirming that the person registering is indeed the owner of that email address (specifically, that they work at the organisation that the email domain belongs to).
I will send an email post-registration with a single-use link in it that will set their status to verified = 1.
Users can choose to register and log-in using either a simple email/password combination, or by using the Google Sign In service.
My question is: do I need to verify the ones that have registered with Google Sign In? In order to provide their email address to me, they had to sign in with Google, who then confirmed the address. Is there anything I've missed here, or can I immediately consider these users to be the verified owners of these addresses?
If you are using google sign in there is no need to verify the user.
Whereas if have your own login system, then you must verify the email because
if the email is not verified then you cannot have forgotten password feature through email
and also the user might not have actually had the email so anyone else could create the same email and if you have forgotten password through email someone else could easily access others data.
I need to be certain that email addresses returned from the Facebook graph API have been verified by the owner of the email address. The same question was asked here: Is it possible to check if an email is confirmed on Facebook? where the conclusion seems to be: yes, they are verified. However, I cannot find this anywhere in the API documentation. Can someone point me in the direction of official documentation around this?
You'll have to do the verification yourself:
If you use an email address as the unique credential which identifies each account, your app should verify that the email address associated with the person's Facebook account (and obtained during Facebook Login) is valid. You can do this by creating code in your app to send a verification email to the address obtained after Facebook Login (you will probably need to have this step as part of your regular login system anyway).
https://developers.facebook.com/docs/facebook-login/multiple-providers#postfb1
It's in the Graph API User, verified field.
https://developers.facebook.com/docs/graph-api/reference/user
At http://docs.developer.intuit.com/0025_Intuit_Anywhere/0010_Getting_Started/0030_Integrate_your_app/0030_Signing_Into_and_out_of_Intuit_From_Within_Your_App/Sign-in/Implement_SSO_and_OpenID_in_Your_App
it says the following:
"Intuit does not verify the user email address associated with the user's OpenID account. Therefore, do not use the email address for authentication and do not link user accounts based on email address."
What does it mean "do not use the email address for authentication"? I mean, isn't the user already authenticated, through OpenId.
Also it says that the user email address is not verified. But what if my app needs to send an email to a user that has logged through OpenId. How can I be sure the user will actually get the email? What is the recommended pattern to handle that?
Thanks
EDIT: also, can I use the email to uniquely identify a user, and if not, what should I use to uniquely identify a user from the open id response?
EDIT 2: also, is the developer charged when a user logs in with open id and the 36 day trial expires? Or is it just when using the "Connect to quickbooks" that the developer is charged, in which case, open id authentication itself is free?
Clement,
It means when a customer goes to the Intuit Appcenter and creates an account the email is not verified immediately, so you cannot single sign on a user based only on their email address if they already have an account in your system. You need to prompt them to login one time to map the two accounts.
If they are completely new then you can auto provision an account on your side and single sign them in, if you require the customer to verify their email address then you can send them a verification email.
thanks
Jarred
I'm using Register with Facebook as one of the ways to log in to my web app, and expressly ask for the "email" permission..
On login, some of the user data ($facebook->api('/me')) is stored into the users database, however, sometimes the email field just doesn't exist - is this a common problem?
Just a guess...
The facebook documentation says:
note: this field will not be returned if no valid email address is available for the user
Source: https://developers.facebook.com/docs/reference/api/user/
So when an email address become invalid (users who haven't used facebook in years and have destroyed/changed their email address since for example), facebook may stop returning this field.
5% of invalid address may sounds big, but if I check my facebook friends, I think more than 5% of them never use their account, and I wouldn't be surprised if the address they used when they signed in is now invalid.
Users don't always have to provide an email address in order to use Facebook. They can also sign up via SMS, though it's far less common.
In short, FB won't always have an email address, so can't serve it to your app.
Try:
// Just to make sure email are permitted
//$facebook->getLoginUrl(array('req_perms' => 'email'))
// Request email
FB.api('/me?scope=email', function(response) { /*...*/ });
Or:
$email = $facebook->api('user_id?fields=email');
PROBLEMS:
The user changed the visibility of its email address to "only me" and thus you have no way to get it.
The user registered with SMS instead of email as mentioned in the previous answer.
ALTERNATIVE:
If you absolutely need to contact the user but you cannot get its email address nyou can still get its Facebook email (everybody has this email): "user_name#facebook.com".
If the user uses a POP server he will directly receive the email in GMail or others, if not he will receive your email as a private message. The only drawback if this method is that your email must be "plain/text" and not "HTML".
One thing is Users don't always have to provide an email address in order to use Facebook(could have registered through mobile)- as mentioned by Colm. Apart from this-
Please check that if the user has definitely granted you the email extended permission or it hasn't subsequently been revoked. To have a check on this you could use the permissions api-
/USER/permissions
I had similar problem & I found the cause for this. This problem occurs for users who have not set their Primary Email Address (They have many email address but they haven’t pointed out which is their primary email address) under General Account setting tab.
I tried using such accounts on various famous sites which has Facebook login & even they couldn’t retrieve the email address from such accounts.
So, its not the problem with the code(Assuming u have asked for permissions). We just have to handle such scenarios & let users know that we didn’t receive their email address. Like Klout does.
Thanks
In addition to what #Jigar Jain wrote above, users can actually uncheck the email permission during the sign inflow. If that's the case, his/her email address will not be returned by Facebook.
It's up to you to implement a logic that makes login unsuccessful if user unchecks the email permission, to force your users to choose another login method that will guarantee that a return of user's email address.
It is not mandatory for someone to give their email address while signing up with Facebook. An alternate approach would be to ask the user to link their email id in the Facebook account settings. That way you can fetch the email id, if that's a mandatory field in your DB. Otherwise you can continue with the id provided by FB which is unique.
I'm building a website that allows user to connect using Facebook Connect. So far I'm able to log the user in and fetch data about them (name, email, pic, etc.). If I fetch the email (using Users.getInfo) I get a proxied email (apps+blahblah#facebook.com), which is absolutely great. Problem is, that email doesn't work. I've tried sending an email to it and I never received it. There are two reasons I see that could cause this:
I don't have enough permissions. Ok, I can understand that, but if I don't have enough permissions then why are they returning an email at all?
The email has to be somehow sent from the application itself (I've tried sending it from my Gmail account) -- but how would Facebook know that the email is coming from the application?
So which is it? Or is it something else?
I have recently been looking into this as well.
I did find some guidelines on http://www.insidefacebook.com/2010/01/15/facebook-platform-email-sharing-api-proxy-email-service-going-live-in-5-days/
here is the most important part:
Emails you send must clearly indicate that they are from you and must not appear to be from Facebook or anyone else. For example, you must not include Facebook logos or brand assets in your emails, and you must not mention Facebook in the subject line, “from” line, or body header. All emails to users must originate from the same domain, and you must provide us with the name of that domain in the Facebook Developer application used to manage your application.
I have already found that if you do not have the address in the from as #facebookappmail.com
might even have to be appname#facebookappmail.com the emails will bounce. So sending from your gmail will not work, the "blah blah blah" in the proxy contains the application information of the application that had the permissions to get that email.