I'm working on an iPhone application which requires a user to login to Facebook. However that is only to retrieve a users friendslist, after that I wish to continue communication through my own XMPP server, I would like to automate the account creation to this server.
For this I would need a username, which is pretty straighforward: the facebook user id, however I would also need to create a password based on some sort of private key showing the user has logged in to Facebook. This key should be the same for any device logged in over any amount of time, I've been looking at the Facebook API but could only find an access token, which I believe is different when the user logs in from a different device.
My question: Is there anything available from the Facebook API with these requirements? Any suggestions for alternative solutions would be welcome too.
Thanks!
Edit:
Example:
User uses the app for the first time on his iPhone, logs in with facebook and the app automatically creates an acount on my XMPP server, where the user ID is equal to the facebook ID and the password is something that shows the user has been logged into his facebook account.
Now the user uses the app on his iPad, again logging into his facebook account, however already having an account on my XMPP server the same password must be generated from the data received from facebook.
Step 2 is the part which poses a problem for me, I need data that shows that the user has been logged into his account, and which is the same wherever and whenever he logs in, just so that the same password can be generated every time. I believe that if I use the access_token for this then this will change if the user for example doesn't log in for 60 days and starts using the app again, or maybe even when he logs into a different device?
To clarify: the XMPP server that Facebook offers is not to my needs, I need to be able to send other things besides chat messages and also need to be able to store messages so that new devices which log on can be synced to a proper state.
For Facebook XMPP, I recommend you to use the custom SASL mechanism called X-FACEBOOK-PLATFORM. Basically, the user must first log in to your application and grant the xmpp_login extended permission. Follow the client side flow to get a valid access_token for the user with the xmpp_login extended permission.
You send an base64 encoded string over TLS with the following parmeters:
string method: Should be the same as the method specified by the server.
string api_key: The application key associated with the calling application.
string access_token: The access_token obtained in the above step.
float call_id: The request's sequence number.
string v: This must be set to 1.0 to use this version of the API.
string format: Optional - Ignored.
string cnonce: Optional - Client-selected nonce. Ignored.
string nonce: Should be the same as the nonce specified by the server.
Your appID (api_key) can be use in multiple context and you'll be able to get the user access token for each of the user's devices.
Here is the Chat API doc: https://developers.facebook.com/docs/chat/
Related
I want to enable my users to associate their user account with a Facebook or Twitter and allow them to login on my server with their Facebook/Twitter account instead of using the classic username/password. Basically the same idea as the login in StackOverflow.
My current approach for Facebook:
The client application will perform OAuth and then use their Facebook id to login on my server. Based on this Facebook id, the server will lookup the associated user account and perform login without asking for username/pasword. However just relying on the Facebook id to login is not very safe, as that is the same as using only a username to login instead of username & password.
So to make sure the Facebook id is authentic, the client application will also provide a FBSR (Facebook Signed Request, see: https://developers.facebook.com/docs/facebook-login/using-login-with-games/#checklogin) with the login request.
The server will check two things with this FBSR:
The Facebook id in the request must be the same as the one hidden in the FBSR
Server will recalculate the signature part via the Facebook secret key. This must match with the signature in the FBSR .
Normally the server should perform a check with the Facebook server with the oauth_token to be 100% sure of the users identity. However I need skip this in order to avoid dependency to Facebook server on our server.
I have 2 questions:
1) Is this above approach good enough? Can it be improved (without server-to-server communication)?
2) I want to do the same with a Twitter account, but the their signed request is different then Facebook. It seems the Twitter user id is embedded in the oauth_token, so my approach may work with a little tweak, but I am not sure whether the user id is always part of the oauth_token and cannot get this confirmed after searching the internet.
I think that your approach is good enough and don't see any way to avoid server-to-server communication with a signed request. Bear in mind that, with Facebook Graph Api Version 2, in order to protect the privacy of the user, Facebook will send out not the real user id, but one generated for apps. It will also be possible to enable anonymous login.
I am not sure of what you're trying to do with Twitter, and why you compare the APIs (they're quite different). The Twitter login, also know as Sign in with Twitter, used for any website or mobile app, should work for you too.
In this scenario I have an app in which:
The user is to log in using Facebook Single Sign On (SSO) on a mobile device (iOS in this case).
The returned Facebook credentials are then sent to a NodeJS server (using the same Facebook App Key) and need to be validated as truly being that users Facebook credentials before they are associated to a program based account.
The Problem:
Given access to everything returned by Facebook as the result of authentication, how can this data be used to confirm that authorization with Facebook?
There are two things you can do:
Facebook will generally pass you a signed request which you can check with a basic SHA2 hash. If the hash is correct, you can assume the user was really authenticated using facebook.
Facebook will generally also pass you a (short lived) access token which you can exchange for a longer lived access token using the graph api. Upon this exchange completing you are as sure you can be that the user is who he says he is.
https://graph.facebook.com/me?access_token=TOKENGOESHERE
If a user is returned, and their ID is what the client claims, they are most likely who they say they are.
I am writing a mobile app that uses O-Auth's "connect with Facebook" in order to:
1) Let Facebook deal with the authentication
2) Not force my users to register to another website
3) Get Facebook information
I have implemented Facebook's Server-side-login (in JAVA):
https://developers.facebook.com/docs/howtos/login/server-side-login/
I do not understand how do i maintain the user session once the user have connected-with-facebook.
Here is the flow from end-to-end, please correct me if i'm wrong.
1) The user logs into my server (Android APP using WebView)
2) The server redirect the user to Facebook (with client_id, redirect_url, state and permissions)
3) The user is now facing Facebook's login dialog.
3.1) If the user deny: Facebook calls the redirect_url and notify the server that there was an error. (Flow Ends here)
3.2) If the user accept: Facebook calls the redirect_url (my server) with the state i've set (for CSRF protection) and a code.
4) The server contacts Facebook and send it the app_id, redirect_url, client_secret and code and in return, facebook calls the redirect_url with a valid token. This token allows the server to issue facebook API calls on behalf of the user.
So far everything works great. Now to the main question - Session management.
Now that I got the token, I need to figure out to which user it belongs to, so I can grab data from my database or create a new entry (in case of a new user).
1) What kind of identifier should I use in order to identify the user in my server db? (Do I need to call Facebook API to retrieve basic information and from that extract the email and/or unique id?
2) Once I got this unique ID how do I contact the user again? At step 2 the server Redirected him to Facebook, which means that he opened a new connection to Facebook and he is no longer connected to the server. How do i set him a cookie now that's he's gone? <-- *This part is the most confusing for me.*
3) At what point do i need to set a SESSION ID (cookie) on the user's Request so the next time he contacts me i'll know who it is.
I think that Stack overflow is the best example to illustrate my problem.
I clicked on "Connect with facebook" button, and suddenly i'm a user at Stack overflow without any registration. How does Stack overflow know how to pull the questions that i've already asked? How did it identified me? And at what point in the chain I've described did it set a cookie on my request ?
Thank you for your time
You've come across one of the basic misunderstandings about OAuth: OAuth is all about authorization. A user gives you (the client) the permission to access data on his behalf. If you want to authenticate a user, some providers allow you to access a unique id that allows you to distinguish users. So, yes, if you want to identify a user, you have to request his unique id.
There are multiple ways to do this. All of them are about generating a unique session id that you store before redirecting the user. Once the user comes back, he returns an id to you. If you see, that you issued and stored that id, you delete the id and you know to which user you are talking. You could either store this id in a cookie or hand it over as part of the state parameter.
Anytime before redirecting would be possible. If you want to know which user you are talking to anytime, just do this the first time he calls you.
When using the Javascript API login, it returns to the page with a number of parameters, like the access token, the user ID, and other details. If I wanted to associate a user in my database with this Facebook user, which would be the piece of data I want to store to be able to look it up later for authentication?
In other words, which token should I store, so that next time the user logs in, I can look in the database for this token and authenticate the user?
I would use the UID, but it seems easy to spoof another UID and impersonate someone else.
Thanks!
Client side spoofing is not your concern. If you are displaying FB content based upon FB authentication, then FB is responsible for the integrity of that process.
If you are using this info server side, then you need to follow the OAuth 2.0 flow which is not spoofable (to my knowledge) because you are going directly to FB for authentication.
You can't mix the two flows because you leave yourself vulnerable to attacks.
And to answer your other question, yes, you should link your DB to the UID because the access_token will change.
You can validate the fb access token with the fb js sdk. So you can take the fb-uid as save. The tokens you get from fb are only valid for a limited time, so you shouldn't save them.
UPDATE:
Regarding the saveness of the fb-uid: Your PHP script gets a signed request from facebook. That request is signed with your app's secret so that no one else can read that data. The request contains a fb-session for the current user (including the uid) and an access token.
I have a mysql membership database run by a Perl script. Account creation or login requires an email address and password. The Perl script then sets cookies (password cookie has encrypted value) which allow users to create, own and modify records. A members table contains user information. I've gone through the FacebookConnect information as well as the forum. Maybe I cannot see the forest for the trees, or maybe this is not possible. In order to use FacebookConnect for logins/account creation, I need to be able to send the user email and password to the the Perl script so that the proper cookies are set. If it were an http it would look like this:
http://domain.com/cgi-bin/perlscript.pl?_cgifunction=login&email=ddd#somedomain.com&password=somepassword.
Any hints or advice would be greatly appreciated.
What you are trying to do isn't really possible in the way that you're describing it.
Facebook Connect basically provides you with a single piece of information: whether your visitor is logged in to their Facebook account or not. If they are, you can get their Facebook ID, if not, you can show them a button (or whatever) and ask them to log into Facebook.
Generally a good approach when using Facebook Connect as an authentication method for your site is to have an internal id for the user's member account, and store a user's Facebook ID alongside that. When a user comes to your site, and they are already logged in to Facebook, you just use their Facebook ID to retrieve the local account. Otherwise you show them your login form to log in locally, and/or a Facebook login button.
The problem you're running into here is that you cannot get someone's email address from Facebook, as it is purposely hidden to protect privacy. If your membership scripts provide only the email/password log-in method, then what you need to do is modify these scripts to create the authentication cookie when given a properly authenticated Facebook ID.
Essentially you'll have two login functions... one for a Facebook login, and one for a regular login. Either function should properly created the local authentication cookie.