I have a website which allows login via facebook functionality and displays photos from facebook.
While accessing from a mobile browser I would like the website to automatically login(when the click on FB login button, without entering username and password) if the user is already logged in via the native FB application (iOS or andriod). It seems to be that I can do that by building a native iOS or android application and use facebook single sign on feature. Is it possible to do that without having the user install anything on their mobile device?
That is not possible.
Auto-Login relies on auth tokens that will be granted to a website or mobile app after a user approves an app. For security reasons, those tokens are tight to the cause they were issued for. Particularly, web tokens and mobile tokens are not interchangeable.
So you could build a native mobile app to get a "native token", but even if you would manage to (cookie-)inject it into a browser view, your website's backend couldn't use it.
More generally, you're raising an issue even facebook can't solve: Say you are using a facebook mobile app and logged in there. If you open facebook's web version on that very same phone, you'll have to log in there again. The root cause is the same as with above. Specifically, any native app is uncapable of setting arbitrary auth cookies into the OS browser. I personally believe this restriction will not fall, because it would have a large security impact - just imagine how any app could set (and possibly get) cookies for any website.
If they've never logged in facebook from their Mobile, how will your website ever know them ?
Is it possible to do that without having the user install anything on their mobile device?
Like PC's, users in a mobile device need to login in their phone in facebook's website before being eligible to login "automatically" to your website. When I say automatically, I mean they still have to go with the first time process of "Do you authorize this app/website to do X things on your account". That message is inevitable when using facebook's api on the web.
Hope this answers your question.
Is it possible to do that without having the user install anything on
their mobile device?
No this would not be possible. You need to have a native or hybrid app (phonegapped etc) to make it work. Mobile web apps run in a browser sandbox and without native code interface - you cannot get to the native SSO of FB on your mobile device
Did you have a look at this facebook page ? I'm not sure what you ask is possible, as basav said, but maybe you'll have some clues there.
Related
Is there a way to use mobile apps Facebook (Apple, Android, etc ...) to automatically authenticate users who wish to use social access for the Captive Guest-Wifi portal or similar services?
I worked with the standard social login authentication module of the standard captive portal which intercepts the first call of the operating system (Captive Portal Assistant) or the standard browser (Chrome, Safari, FF, etc ...), but this means that a user must know his credentials.
It could be easier to use the App where the customer is already logged in...
thanks!
I need to authenticate the facebook user not to only open Facebook App.
To do it, check this link - Facebook Login for Android out. It would help you.
Also, in this question - Making facebook login work with an Android Webview there is a method to create a Facebook login button with their javascript API.
The problem that you may face is "Android captive portal's splash page limitation". The splash page has a lot of limitations on js codes.
After that, if you faced this kind of problem, create a redirect page for the splash page and on the redirected page, you can do anything you want as a normal web page.
Using a web browser e.g. Chrome on Android, if a mobile website requires a user to be logged in to Facebook and they are not, the browser will ask for Login details even though the phone may be logged in to Facebook via the Facebook native App. Is there any way to get details from the Facebook App without the user having to log in again?
If you want to login in website in a browser, using Facebook account from Facebook app - it is impossible, without intermediary application, or service. And even with it, I don't think, that you can get user login data.
Other approach - is try to launch Facebook app from your site, and show site from it, but again, you can't login to it, using app.
Why? Because the app, holds only token data, and nothing more. You can't get other information, like password, or email. Also, the work of browser, that save cookies and the app, that save token is different. You can't connect them together.
Clearly speaking it is not possible using website in browser.
Even it is also not possible if you develop any android app, the reason is that the facebook app will not share any data to any other app (even if it is running on the same device).
I also don't think that launching the facebook app from browser will be feasible for you, as you just want to use the facebook login system and then want the users back on your website (and again facebokk will not send any data to your web or app even if it is launched from your web or app).
I think it's not possible, because we wont link browser and an app.
I developed one android app with facebook login integration.If facebook native app already logged in, now i click my app facebook login button it directly redirect my app to my home page without asking fb username and password.
For me i used localStorage in javascript
localStorage.setItem("userName", userName);
localStorage.setItem("password", password);
var uname=localStorage.getItem('userName');
var pass=localStorage.getItem('password');
I noticed that the Windows desktop Spotify application asks me for my facebook username and password in the login screen. I am wondering what happens behind the scenes.
When I change my fb password in my browser I have to use the new password in the Spotify desktop app login screen. There are even situations when the Spotify desktop application shows me a fb popup where I have to grant permissions for Spotify itself.
I know that Spotify uses an embedded Chromium browser engine to do all the heavy lifting. But isn't it against Facebooks TOS to do it that way?
I mean, does Spotify posts my username and password to the facebook login.php and intercepts the result page to get my cookie? Is there a documented way to handle a login to facebook on behalf of the user in a proper way?
No, they are using an old and deprecated REST API method called auth.login:
https://developers.facebook.com/docs/reference/rest/auth.login/
Obviously I can't stop you using this in your own app, but given how old that API is and how fully REST API is now deprecated, it'd be a bad idea to rely upon it.
Instead, for Windows desktop apps, I believe Microsoft offers a Facebook C# SDK which will contain ideal methods for authentication. I'm more familiar with their newer methods that are offered for Metro Apps called Web Authentication Broker.
These pretty much just load a web frame inside the app, get the user to login to Facebook, then show the Permission Dialog (if required). From there, the app can store the UID of the user and presumably a long-lived access_token that they received upon auth. This way, they only need to ask the user to login again once every 60 days.
There are other device-based authentication methods offered by Facebook, but most are still in private testing, the only one that is currently recommend for desktop apps is stated on this page under the heading Windows, OS X and Linux native apps (at the bottom of the page).
Update December 2013: Because the Facebook Login docs have changed significantly since I wrote this answer, I'd like to point out a couple of new additions:
Manually Building a Login Flow details the steps that desktop apps can take to login users. What is new here is that Windows 8 apps can now use their deep-linking ID in the redirect_uri of the Login dialog, meaning it'll multitask back to their app from a Login Dialog when completed or cancelled. This is an improvement from the previous WebView setup, because a User's default browser will likely have them logged into Facebook already.
Login for Windows Phone is the special guide for Windows Phone 8 apps to use.
I have an app that can be accessed on mobile phones, both iOS and Android. The app has a social component to it, so people are sending data to and from my server.
I also have an interface for this app that will be accessible through Facebook.
When logging into the app via mobile device, using the native app for that device, one can just log in with standard username and password.
However, obviously if a user accesses the app in Facebook, they will expect to already be logged in since they are already logged into Facebook.
So I need to make it so that my app can take a log in from Facebook, pretty much automatically (?) for users who are coming at it from within Facebook.
Further, it's possible (dare I say "likely"?) a user might access the interface from both Facebook and one of the mobile versions of the app. In which case I need to be able to ensure that the username/password authentication they use on the device points to the same account associated with their Facebook login.
So... all that said... what kind of Facebook authentication should I be studying and implementing.? I'm looking at their documentation right now, and like all documentation, it's not easy to grasp. There is server-side (authentication code flow?) and client-side (implicit flow?), and authentication tokens, and I'm already a bit lost.
Also, I assume Facebook's approach is to want to take over my login in process completely, not live side by side with my mobile-device-only login, but I'd like to make sure users have the option of not using Facebook authentication if they don't want.
Can someone point me in the right direction for how to do this? Basically let me know which part of the documentation I should be focusing on.
And are there any gotchas I should watch out for?
Your server will receive a signed request when your app on facebook.com is loaded; from this you can find the FB uid of the user.
If you obtain the FB uid for users of your mobile device clients you'll be able to match your app's accounts between mobile device & facebook.com clients.
The bottom of the main authentication docs page gives links to further documentation for different client types. The main mobile authentication page has side-bar links to tutorials & SDKs for iOS & Android. Alternatively you could use the server-side OAuth flow as your devices have browsers that support this.
Once you've completed authentication on the mobile device it's simple to obtain the uid.
You can also use the Facebook authentication flow instead of your own username/password authentication.
I'm building an iPhone app that has some social features. I've managed to get the user to log-in to Facebook within my application.
I've also implemented a webview that loads a facebook iPhone-optimized page. What I now want to do is my user to be logged-in within the webview without having to log-in twice (once in the app and once in the webview)
I've tried a few things playing around with the access_token in the URL but it didn't work.
Does anyone know if it is possible to implement that and how to do it?
Thanks in advance for your help
Short answer: You're probably not supposed to be able to do that.
The idea is that your app should only store an authentication token that lets you do stuff as your app (e.g. post to the wall as your app). On the web version, the user is logged in to facebook and facebook additionally passes an authentication token to your website; on the iOS version, I think you never get the Facebook session cookie, and I'm pretty sure you need the Facebook session cookie to be logged in to the web side of things (especially since it's designed for the browser — logging out of Facebook logs you out of Facebook Connect on all sites).
There are loads of things you can do to work around this — it's trivial to just ask the user for a username/password (and the whole idea of a "trusted UI" inside a UIWebView inside your app is flawed, despite Facebook's claims).
The "right" thing to do is to implement everything using calls to the iOS SDK so you don't have to bother with the web side of things.
were you testing your app on the simulator or on the device? The reason i ask is because im trying to get the app to stayed logged into fb which it does, sorta...it still pops a fb dialog saying it logged in fine and the user has to click on an OK button.
I havent had time to test it on the device but i think it may have to do with the fact that with the OAuth 2.0, with 3.2.x or >...if the fb is installed, it uses the fb-app login but if its not installed it uses the safari web login.
Since simulator doesnt have the fb app installed, it actually uses the safari web login (i humbly deduced) which would otherwise store a cookie and maybe it doesnt do so on the simulator..dunno, im still looking for the answer on that one :)