Facebook is blocked by my company firewall but I want to develop an app where in employees can click a link we send it to their email and provide access to their facebook account and update. Firewall blocks facebook.com so I cannot have users type their username and password on facebook.com url. Can I have users type in their username and passowrd on internal website using which the app will login and get access?
it goes against the purpose of oauth to take the user's password and use it to log in as that user. oauth is designed so that the user will never have to disclose their password to your app but still be able to provide your app with some of their own facebook data. this way, only the facebook data which the user chooses to share will be available to your app. also the user may choose to allow your app to publish on their behalf, see here for the details.
my suggestion would be to get the users to authenticate your app from outside the work network (where the facbook.com url is available). this way you can still post on their behalf and your app can get certain information from their profile to relay on to them without you ever needing to know their password.
Related
My application allows for user authentication via Facebook. I am calling FB Graph API to get details on a logged in user like so...
https://graph.facebook.com/<fbUserId>
But sometimes I see that email address is not one of the fields which is returned. I think this is because when the user was prompted to allow my app access to their public profile and email address, the user chose not to provide their email address. However my application needs email addresses. Is there any way I can tell FB through the Graph API to make that "Edit the info you provide" dialog to reappear so the user can subsequently choose to give their email address?
I think you're asking about how to re-prompt users who denied a permission, so that they're asked to grant the already-declined permission?
If so, you can check which permissions were granted and then re-prompt for those which were previously declined - as you noted, users aren't prompted multiple times to accept a permission if they've already declined it
To re-request, use auth_type: rerequest in your call to FB.Login() (javascript) or your call to the Login dialog; I believe the mobile SDKs handle this automatically (e.g. FBSDKLoginManager in the IOS SDK)
Note that with your specific example, it's possible a user won't have an email address accessible via the API even if they do grant you the email permission, as they may have an unreachable address, be a user without a confirmed address, have signed up to Facebook using a mobile phone number, etc
As a result, you may need to build a UI for users to manually supply their email address anyway, if that info is truly necessary for your app
I and a friend are developing an app and would like to use Facebook as a way of users having their own accounts without us having to ask them to store passwords or make users for security and ease of use.
Passport.js has a facebook plugin but it talks about a redirect URL so my question is: is it actually possible to just send information like email address and password to facebook for authorisation and return the users profile without actually redirecting the user to a facebook login page.
I don't see how i could redirect the user to a facebook login while inside my app and also what on earth would i put as the callback URL? Am i just trying to use passport-facebook in the wrong way?
is it actually possible to just send information like email address and password to facebook for authorisation
No. Users are strongly discouraged from giving this information to any 3rd party app, and you are not allowed to ask users for them.
Login with username/email and password happens on Facebook, not in your app. You will get feedback from the login endpoint then that they logged in successfully.
I can connect to facebook and check on my users and link their account with their facebook profile. But I a question about logic.
When the user comes back to my site, and then want to login again (using facebook), do they have to also be logged in to facebook at that point?
I am using the PHP SDK
If they are logged in before they get to your site, the users will directly see contents allowed to authenticated users. The identification information can be stored by the client's browser (cookies, cache, session...) for automatic log in.
Whenever a user is connected through fb services within a session, his credentials are the same on all websites using fb services within this session.
Hope it helps.
I have a website where users can log in with the Facebook oAuth API.
Once the user logs in or registers via Facebook it is stored in my database.
But what I'd like to achieve is, once the user goes to his Facebook application settings page and removes my website app permissions, the used should also be deleted from my database.
Is there any work around to this problem, if this is not possible via the Facebook oAuth API?
You can add Deauthorise Callback URL by Navigating to Settings > Advanced section of your application. Whenever a User Deauthorises your Facebook app, Facebook performs a HTTP POST of signed request to your URL. You may use the field user_id to determine which User has deauthorised your app.
Actually, I would do the following:
Add a date to his last log in to your site.
Have cron job check for old, unused accounts.
Send an email to the user's email address (or Facebook message mail) telling him his account is due to expire soon.
Delete account from database.
Can we customize facebook login/authentication page?
I want to use my own customized pop up for receiving 'Email' and 'Password' input from user so that it is consistent with the GUI of my application. Is there a facebook API to which I can pass the Email/Password details received from user?
Looking at https://developers.facebook.com/docs/reference/api/user/#permissions you cannot "create" new permissions. This has to go through Facebook so they know what permissions have been granted. This ensures that you're not just granting permissions on behalf of a user without them having actively granted them. This therefore stands to reason that you cannot style their page.
Alternatively, you could just make sure users register via an account on your site (You want a password so I assume you don't mean their facebook password) and then ask them to connect their facebook account to it. You would need to ask for their email in your form, get them to login, then connect via facebook and associate their facebook id with their account on your site.