I have successfully installed the Facebook registration plugin on my website, but I'm left with some unanswered question.
After a user is authenticated through Facebook, should I just be storing the UID from Facebook in my database to correlate records in my application with the Facebook user?
If I understand correctly, Facebook should send back an "Access Token" what exactly should be done with this? Should each required page in an application be checking this access token some how to verify the user is authenticated instead of calling something like FB.getSession each time you want to validate the user is still logged in?
If a user registers through the Facebook registration without a Facebook Account, and returns is it completely up to me to handle the authentication and storage of the username and password or dose Facebook still interject here?
Where and What is the App Secret used for?
Facebook is said to return a "Signed Request". Is this separate from the data that is returned? Dose each request back from Facebook need to have the Signed request verified?
I have more questions coming, but I'll start with these for now.
Yes.
The oauth_token can be used to make a request to the API once they give permission to your app.
I haven't used this tool to save passwords but the registration flow can be found here
The signed_request parameter is signed using your application secret which is only known by you and Facebook to make sure that the data you're receiving is the actual data sent by Facebook.
The data Facebook returns is the signed_request and it is an encoded JSON string. You can't decode it without your app secret. You verify return data by decoding the signed_request.
Related
I had made a Facebook APP for authorization of users on my Website, I am using OAuth Method. In My Site i have kept a Feature called "Login in With Facebook", when user clicks he gets redirected to Facebook with link
https://www.facebook.com/v2.2/dialog/oauth?client_id=<ID>&redirect_uri=<mysite>&state=<some random hash>&scope=
This looks fine enough, Now Facebook asks for Allow and when Users clicks allow, I get a URL Back on my site with a Special parameter called &code= .. It looks like
http://mywebsite.com/facebook&code=<some huge Random code>&state=<hash>
Now, i would like to know what exactly is code= parameter value says, is it the access Token of the User because i don't see special parameters like access_token=. So can somebody tell me what is code means in OAuth and is it same as Access token. ?? How can i verify it.. Please input your thoughts
Your app needs to exchange that code server-side for an access_token
There's specific documentation for this flow but essentially you take the code, your app ID, app secret, and the redirect_uri you used when opening the dialog initially, and make an API call to exchange the code for an access token
You then use the access token to make API calls on behalf of the user
In this scenario I have an app in which:
The user is to log in using Facebook Single Sign On (SSO) on a mobile device (iOS in this case).
The returned Facebook credentials are then sent to a NodeJS server (using the same Facebook App Key) and need to be validated as truly being that users Facebook credentials before they are associated to a program based account.
The Problem:
Given access to everything returned by Facebook as the result of authentication, how can this data be used to confirm that authorization with Facebook?
There are two things you can do:
Facebook will generally pass you a signed request which you can check with a basic SHA2 hash. If the hash is correct, you can assume the user was really authenticated using facebook.
Facebook will generally also pass you a (short lived) access token which you can exchange for a longer lived access token using the graph api. Upon this exchange completing you are as sure you can be that the user is who he says he is.
https://graph.facebook.com/me?access_token=TOKENGOESHERE
If a user is returned, and their ID is what the client claims, they are most likely who they say they are.
I am bit stuck with facebook authentication in my wp7 app.
What I have right now:
login page with WebBrowser control
I can get access_token from facebook
Save it to phone IsolatedStorage
What I want to do is to skip login page if the user is already authenticated, but I don't really understand the flow, what condition should I check.
On server side I have REST api, when user is authenticated I get his personal information from facebook and call my api to store this information in the database + access_token. Then I used it with all requests to secure my api. Is it good approach?
You don't really check a condition. You try to do whatever it is you want to do with the access token (post status, upload picture, or whatever) and then, if you get an oauth exception, you go and bring up the browser again to get a new access token (browser will just flash - it won't require any user input unless they actually changed their password or something)
I am building a social gaming platform which will be played with mobiles. I am confused about the login part and access token. Let me briefly explain my problem.
Problem: User logs in with facebook login and I retrieve the accessToken of the user. Then immediately after login I store this accessToken in my database. The user continues with the game. Then in some point when I want to post something to the users wall the mobile side calls a WebService and my part (C#) uses the access token stored in the DB and posts something to the wall. Until here everything is OK. But what happens when the access Token expires or the user changes his password. Then I have to re-get the accessToken and update the DB.
BUT how do I get notified when the accessToken changes? I have to get notified or I will have a expired token and won't be able to post something.
Thanks
You won't get notified when a token expires, but Facebook give you the expiry time in your response, which you should store.
According to the OAuth spec, you will receive an HTTP 401 Unauthorized if you try to use an invalid/expired token, as well as the following:
Invalid Consumer Key
Invalid signature
Invalid / used nonce
When using the Javascript API login, it returns to the page with a number of parameters, like the access token, the user ID, and other details. If I wanted to associate a user in my database with this Facebook user, which would be the piece of data I want to store to be able to look it up later for authentication?
In other words, which token should I store, so that next time the user logs in, I can look in the database for this token and authenticate the user?
I would use the UID, but it seems easy to spoof another UID and impersonate someone else.
Thanks!
Client side spoofing is not your concern. If you are displaying FB content based upon FB authentication, then FB is responsible for the integrity of that process.
If you are using this info server side, then you need to follow the OAuth 2.0 flow which is not spoofable (to my knowledge) because you are going directly to FB for authentication.
You can't mix the two flows because you leave yourself vulnerable to attacks.
And to answer your other question, yes, you should link your DB to the UID because the access_token will change.
You can validate the fb access token with the fb js sdk. So you can take the fb-uid as save. The tokens you get from fb are only valid for a limited time, so you shouldn't save them.
UPDATE:
Regarding the saveness of the fb-uid: Your PHP script gets a signed request from facebook. That request is signed with your app's secret so that no one else can read that data. The request contains a fb-session for the current user (including the uid) and an access token.