I need to implement a system to retrieve information from a user of facebook independently of the user being logged into facebook.
I have user access token in my database but every time the user needs to login on facebook.
My question is how the authentication of Hootsuite (hootsuite.com) works because there it is not necessary.Just logging in the Hootsuite is possible to recover all data from facebook.
What you are talking about (If I understand you correctly) is a breech of privacy in the eyes of Facebook. A user has to be interacting with an application in order for it to retrieve information about the user.
Facebook's API access works by means of an access_token that is specific to the user and the application that requested it. access_token's have a limited time frame that they are valid, after that the application would have to request a new one or request an extension on that token. In either case, the user would have to be interacting with the application, and therefore logged into Facebook, when such a request is made.
I'm unfamiliar with the website you referred to but it is not in the scope of this site to reverse engineer some one else's application.
Related
I am using FB js SDK to allow logging in on my platform. A user permits the needed access and I save his ID in my DB. The data is sent to my server via AJAX. Since the login is with FB, I can identify the user only by his ID.
Now, lets say I know someones FB ID and I know he has an account on my platform. In runtime, I can place his ID in the auth request and obtain a legit session of that user. How could that be avoided?
First of all, those are App Scoped IDs, it is very unlikely that someone would know the ID of a user who authorized your App, because it´s not the "real" ID.
That being said, you can (and should) send the User Token to the server and confirm the ID by calling the /me endpoint with that Token. You should also use appsecret_proof for API calls, more information can be found in the docs: https://developers.facebook.com/docs/graph-api/securing-requests
I have created an App on facebook and I am using this app to authorize an user via dotnetopenauth.
Here I would pass APPID and APPSECRET and get the token which would be used to call Facebook Graph to get facebook user details.
If I'm doing this for the first time, user would be asked to enter username/passowrd on the Facebook website and then the session is created in the browser and it will redirect to my website as a Facebook user. This means that if I open a new tab in the current window and open facebook, user will see his/her page directly without asking for username/password. - this is obvious and understandable.
// code
request = WebRequest.Create("https://graph.facebook.com/me?access_token=" + Uri.EscapeDataString(strAccessToken));
response = request.GetResponse();
My query is:
After the scenario above, if user logs out from Facebook website OR I close the browser window, the facebook session is lost. However, I still have the access token (string in the above code) that I got while authenticating.
So, As of this moment I am not storing any user information from Facebook (not even cookies or anything else). I am just requesting user to authorize my application as a Facebook user. When user does that, I get the access token which I can use it to make calls to Graph and REST APIs. This access token usually remains same, so I really dont need to pass the applicaition id and secret to get the token next time onwards. Actually I can request the graph APIs and REST APIs with the stored token and request user details. I have tested this and works fine.
What I am looking for is, if user opens www.facebook.com, user should see his/her personal facebook page which obviosuly is possible only if I have a session in the current browser. Hence, my question was: how do I use my access token OR what call should I make with my access token so that I can set the browser session for the facebook user? Is it possible technically?
Regards,
AG
No. Your access token is used by your web server to call facebook. It's impossible (and undesirable) for this to impact the user's browser in a way that would set a facebook.com cookie so that the user would be implicitly logged into Facebook by your use of the access token.
So there's an app, let's say it's an app that is capable of delivering relevant news based on the user's choice done the first time he runs the app. Is there a way to post the news to the user's wall without having the user to be online and ideally as the app?
So on his/hers timeline it would look like this (edited image, not a real post from some app, it's just so you get what I mean):
When I use $facebook->api('/me', 'post'), it just creates a post as the user, which is not what I want and does not allow me to post when the user is not logged in.
You can use the server side authentication to get a long lived access token (60 days) which you can then use until the token times out. Then you'll need to have the user reengage with your app to get a new token.
You can get the same thing by using the client side authentication and then extending the token on the server side.
Another options which should work for you is to get an app access token (which does not expire) and ask the user for the publish_stream permission, then:
App access tokens can also be used to publish content to Facebook on
behalf of a user who has granted a publishing permission to your
application.
Suppose that I make an app that is using Facebook login (basically for dealing with who is who). Is it possible that the app to fetch the user's history from Foursquare if it get the user's permission? (The user uses Facebook's login on Foursquare as well)
No. You need to go through each authorization flow separately. First, the user grant your application access by going to Facebook and coming back with an access token (or authorization code you later exchange). Then you need to send them over to Foursquare to approve access again. Foursquare might need to authenticate them via Facebook but that's really not your concern (and should be transparent if they have an active Facebook session). Foursquare will issue you another access token for their API.
There are discussions in the community about the use case of allowing your application to pass the Facebook access token to Foursquare so they can validate the user identity with Facebook and then issue you an access token. However, there are many issues with that. By not directly interacting with the user, Foursquare has no way of knowing that the user wants to give one application access to their data stored on another application.
I am using the facebook graph api to integrate some facebook functionality for users into a project i am working on. Its very early stages and I am just getting to grips with the Facebook API but it appears that every time a user logs on to my site they will also have to log into Facebook. On the first time they also have to authenticate my application.
I am a little surprised that they have to actually log into Facebook each time they want to use any Facebook features from inside my app.
Isn't there a way to authenticate once, then I can store a token and this would allow me to access Facebook on their behalf in the future (until they de-authorize) without them having to log into Facebook each and every time?
This just seems very cumbersome.
Request the user for offline_access permissions using the scope argument in the authorization request
http://developers.facebook.com/docs/authentication/#requesting-extended-permissions
You can use the session key returned, save it and use it until it expires (this usually is very long) or until the user revokes access to your application
Here is the full list of extended permissions your application can ask for http://developers.facebook.com/docs/authentication/permissions