I use the Twitter Anywhere API and OAuth to authenticate users on my website. The cookie with the accessToken expires after two hours, which is why the user needs to login and connect to Twitter regularly. The workaround would probably be to store the auth_token in a cookie and provide it the next time the user loads the page after the cookie set by twitter expired.
Now something that is not clear to me: I'm also providing Facebook as an authentification method and somehow it doesn't forget the login. The Facebook JS API doesn't store any cookies on my page, so how does it know that the user is authenticated with Facebook and my application?
are you talking about this? see the channel file portion.
EDIT: Above link has been changed. And, facebook api has changed too.
The Facebook JS API doesn't store any cookies on my page, so how does it know that the user is authenticated with Facebook and my application?
It makes a cross-domain request to facebook.com, to see if there are cookies under that domain that indicate there is a user currently logged into Facebook in some other browser window/tab.
Once it has figured out that a) there is a logged in user and b) this user has used your app before – it logs him in to your app on the fly and gives you a fresh (short-lived) user access token to work with.
Related
I want to play around with pynder but in order to do so, I need a facebook access token.
I've googled around, and made a facebook developer profile. I have an app Id and app secret. How can I go about getting what I need to create a session in pynder?
Facebook is using OAUTH2. Basicly you have to redirect the user to facebook. He authorizes your app. Facebook redirects back to your site with a &code= Parameter.
You call an facebook endpoint an exchange the code to an access_token.
https://developers.facebook.com/docs/facebook-login/access-tokens
You can grab an access token out of https://developers.facebook.com/tools/explorer/
You should be able to change to your app and generate a token.
I have created an App on facebook and I am using this app to authorize an user via dotnetopenauth.
Here I would pass APPID and APPSECRET and get the token which would be used to call Facebook Graph to get facebook user details.
If I'm doing this for the first time, user would be asked to enter username/passowrd on the Facebook website and then the session is created in the browser and it will redirect to my website as a Facebook user. This means that if I open a new tab in the current window and open facebook, user will see his/her page directly without asking for username/password. - this is obvious and understandable.
// code
request = WebRequest.Create("https://graph.facebook.com/me?access_token=" + Uri.EscapeDataString(strAccessToken));
response = request.GetResponse();
My query is:
After the scenario above, if user logs out from Facebook website OR I close the browser window, the facebook session is lost. However, I still have the access token (string in the above code) that I got while authenticating.
So, As of this moment I am not storing any user information from Facebook (not even cookies or anything else). I am just requesting user to authorize my application as a Facebook user. When user does that, I get the access token which I can use it to make calls to Graph and REST APIs. This access token usually remains same, so I really dont need to pass the applicaition id and secret to get the token next time onwards. Actually I can request the graph APIs and REST APIs with the stored token and request user details. I have tested this and works fine.
What I am looking for is, if user opens www.facebook.com, user should see his/her personal facebook page which obviosuly is possible only if I have a session in the current browser. Hence, my question was: how do I use my access token OR what call should I make with my access token so that I can set the browser session for the facebook user? Is it possible technically?
Regards,
AG
No. Your access token is used by your web server to call facebook. It's impossible (and undesirable) for this to impact the user's browser in a way that would set a facebook.com cookie so that the user would be implicitly logged into Facebook by your use of the access token.
I am confused as to what does the facebook logoutUrl does in the facebook integration?
Does it destroy the current session?
Would session_destroy do the same thing?
Thanks!
When we are integrating facebook, on success of the login of a user, we need to create login session by using the user details provided from facebook and the logout is actually our application logout, not the facebook logout.
According to Facebook Doc:
This method returns a URL that, when clicked by the user, will log
them out of their Facebook session and then redirect them back to your
application.
It will also invalidate the user access token so that you will no longer be able to call any graph APIs against that user.
when we loggin, we get access token , after we logout , access token also get destroyed.
so we have to logout to maintain session management in our application.
The instructions on using Single Sign-On (SSO) with the Facebook IOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
no, there is no way to do this. each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged of FB from your app so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this don't request "offline_access" permission when you authorize a FB user and you can also logout and de-authorize the user via the FB API based on whatever criteria you deem appropriate.
We're hoping to create mobile phone applications for (among other features) posting video to a user's FaceBook page. However, using their API, it looks like we would need to open a web viewer and have the user enter their login credentials every time the application is used. We would prefer to store these credentials so the user only has to login once.
We could of course save the http login post and resend it as needed, but this breaks if FaceBook changes their API and I worry about their terms of service and using an unofficial hack such as this.
Maybe someone knows of another application that uses Facebook this way?
You should have been returned an oAuth token to use.
The new Facebook API has a service you can call with the old tokens and it returns you a new oAuth token.
You just have to add offline_access to your permissions. You do this by adding &scope=offline_permissions at the end of your authorization url. Then your oAuth token won't expire.