I am building a small app that uses Facebook and Twitter credentials to login/register to use it.
I was wondering if once the user has completed registration if there are any known strategies to merge the accounts together if the user were to decide to do so.
One idea is to confirm matching oauth id's-
Meaning, if the user were to sign in Facebook one go-around, and later login with Twitter-- providing that the oauth id's are matching- Boom!- accounts now merged.
Is this an acceptable practice?
The answer is...drum roll please........
No.
Related
I wish to implement an Instagram feed reader for my website. A reader that will show my Instagram feed in a unique interactive manner without asking the user to login to Instagram. Is there a way for me to do this reliably using Instagram APIs or their new Instagram Business APIs?
Current options and their caveats:
1. The Instagram v1 API found here (https://www.instagram.com/developer/)
requires user to authenticate. There is no way for an application to use grant_type=client_credentials to acquire a token and make API calls.
The tokens generated don't seem to expire but a note says they may expire any time, making a solution that uses a manually generated token unreliable.
https://www.instagram.com/developer/authentication/
2. Instagram Business accounts API found here (https://developers.facebook.com/docs/instagram-api/)
requires an Instagram business account, and at the same time the queries to media endpoint seem to require User Access Token, which again requires a user to login for generation/renewal of token. (https://developers.facebook.com/docs/instagram-api/reference/media/)
I'm aware of endpoints like https://www.instagram.com/{username}/media/, but this is undocumented and can disappear any moment.
I will highly appreciate any help, or recommendation to implement such a feed that does not require a user to generate authentication tokens.
as it is said in Instagram API doc:
In your application, you should have each user go through an authentication and authorization flow in order to receive a valid access_token.
so I can see just too ways:
use '/media' end-point until it is blocked (i believe it is relatively reliable, because anything can disappear one day, not just undocumented things)
authenticate yourself on instagram, and use your own access_token for API requests, as it is done in several popular tools for getting instagram recent posts
Recently I've been doing some research into OAuth and OpenID/OpenId Connect and it's all just left me confused as to what is best to use and what is safe.
Originally I thought you could just use OAuth2.0 to log a user in (using their ID as a way of remembering the user) but then I found out that due to how the spec of OAuth 2 works, hijacking tokens would allow a malicious user to impersonate another person. Which is why it's stated that you shouldn't use OAuth 2 as authorization.
But then I have been reading that providers as such as google and facebook have decided to go away a little from the standard and ensure that such attacks are not possible. So my question, what OAuth providers are safe to use to gather a users ID to be used to log them into my service.
Also, facebook is offering another service called facebook login. From what I can tell it's OAuth but without the impersonation issue (obviously) AND the app creator cannot do other OAuth features as such as posting on behalf of the user without getting their app reviewed by facebook. Why would I use facebook login over OAuth which gives me all those permissions without review?
Thanks a heap everone
I want to enable my users to associate their user account with a Facebook or Twitter and allow them to login on my server with their Facebook/Twitter account instead of using the classic username/password. Basically the same idea as the login in StackOverflow.
My current approach for Facebook:
The client application will perform OAuth and then use their Facebook id to login on my server. Based on this Facebook id, the server will lookup the associated user account and perform login without asking for username/pasword. However just relying on the Facebook id to login is not very safe, as that is the same as using only a username to login instead of username & password.
So to make sure the Facebook id is authentic, the client application will also provide a FBSR (Facebook Signed Request, see: https://developers.facebook.com/docs/facebook-login/using-login-with-games/#checklogin) with the login request.
The server will check two things with this FBSR:
The Facebook id in the request must be the same as the one hidden in the FBSR
Server will recalculate the signature part via the Facebook secret key. This must match with the signature in the FBSR .
Normally the server should perform a check with the Facebook server with the oauth_token to be 100% sure of the users identity. However I need skip this in order to avoid dependency to Facebook server on our server.
I have 2 questions:
1) Is this above approach good enough? Can it be improved (without server-to-server communication)?
2) I want to do the same with a Twitter account, but the their signed request is different then Facebook. It seems the Twitter user id is embedded in the oauth_token, so my approach may work with a little tweak, but I am not sure whether the user id is always part of the oauth_token and cannot get this confirmed after searching the internet.
I think that your approach is good enough and don't see any way to avoid server-to-server communication with a signed request. Bear in mind that, with Facebook Graph Api Version 2, in order to protect the privacy of the user, Facebook will send out not the real user id, but one generated for apps. It will also be possible to enable anonymous login.
I am not sure of what you're trying to do with Twitter, and why you compare the APIs (they're quite different). The Twitter login, also know as Sign in with Twitter, used for any website or mobile app, should work for you too.
I'm creating a site that allows users to register/link Facebook/Twitter/Google etc to their accounts.
When authorizing via OpenID and OAuth/OAuth2, what tokens do I need to preserve so that I can make sure the app can update their Facebook status / Twitter wall?
Well all you need to take care of preserving the access_token in all cases.This token is basically last part of any handshaking mechanism and with the help of this you will able to communicate with the Open-ID/OAuth party.
If you have a web application that will allow the users to opt-in to sharing their activity on Facebook and Twitter I'm wondering what is the right way to architect that social authentication into your application (and what is inline with Facebook and Twitter policies) so that you can tweet and post on your wall.
Do you store the users username and password in your database?
And then call the social APIs with these credentials. From what I have learned so far both these APIs make you do an OAuth redirect thing. Is their a way to do that without the dialog interaction since you now have stored the username and password anyways.
Not sure if this is an issue, but do you have to do two OAuth handshakes one right after the next to post to Facebook and then Twitter for those users that want to share on both.
And would you have to do this each and every time the user shares something?
I just launched TweetDeck and I wasn't required to get redirected through some exchange with Twitter. Confused.
Just need some help and guidance with "how most people do it" for web-based applications.
The less prompting and less redirects the better.
I don't think storing the username and password would be a good way to go since I think most users would object to you keeping thiere usernames and passwords on file. I have not done any work with Twitter, but on Facebook you need to create an App and then ask the user to grant your app rights. These rights require the user to be loged in to Facebook in order to work, unless you request the offline_access permmission. From my experience, the fewer permmissions you request, the more users will be willing to grant you these permmissions. My approach is to always request the minimal permmissions I need to get the App to work. After granting your App permmissions, you need to get an OAuth token each time you want to interact with the user's Facebook account. (These tokens are good for about 60 minutes, as far as I remember) Storing these tokens will not help, since they expire. Hope this points you in the right direction.