I would like to process status updates of friends within a server-side application (like a server-side job).
I could create something like a configuration website to connect my application with facebook, let the user login, get the permissions, etc., but this should only be done once by the user. The (session-, access-, auth-, verification-, whatever-) keys or login information could be stored within a database and the server-side application/job could use these information from the database to access the status updates.
The problem is, that the user should only login once, so the user has not to login everyday manually to let the server-side application/job continually working.
Has someone an idea how this could get solved? It is very difficult to find working solutions/ideas for that problem, because Facebook is currently deprecating all these features (REST-API, Facebook-Connect, offline-access-permission, infinite session keys, ...). The Android apps have a similar requirement, but these seem to have the option to solve this problem via the mightly facebook app/integration which has some exceptions... At least all Android apps are working continually with my facebook data and I didn't saw a facebook login page for years. ;-)
Related
Thank you very much for visiting this topic. Currently I'm working on a smaller application that can be installed on facebook pages (not accounts, but separately created pages, like company or fan pages on facebook). I managed to fire up the php SDK for it, even made successful user authentications and played around with access tokens (only user access tokens though).
However my problems arose when I've tried to determine if the current user is an administrator for that facebook page (where the application is installed).
I've done numerous google searches and research into this topic, but sadly I've realised that most tutorials, questions or related topics are all outdated, or they have obsolete solutions.
I kept running into the 'manage-pages' permission when people advised me to go for page access tokens. However in my opinion asking facebook to grant me manage-pages permission, then prompting users to allow me access to everything on their pages during authentication seems a bit far fetched.
I do not want to modify or read their page contents in any way. I simply want a mini admin page for the application that can be opened by only users that are admins of that certain page.
I've seen an edit url that can be added in the settings of the application. However I could not find out what it does, or how can I access it if I add an url there. The related documentation on facebook seems to be out of date.
I would be very grateful if someone can point me in the right direction with this. Basically I'm looking for a method, that does not require me to use the 'manage_pages' permission, but I can still check out if the current user viewing the installed application on the page is an admin or not. (I wonder if facebook supports an other method for this)
Thank you very much for any kind of tips or aid in this matter!
Facebook never gives of fan pages or other pages access.
You have to communicate with facebook page admin and its give a token.
Suppose if you have a permission than it generated token will be you use in your application
how do you do?
1 communicate with admin.
2 Admin generat token from https://developers.facebook.com/tools/explorer
3 go to tools and support than it generated token you use in your application.
Note: "Page of admin can it do to generate token"
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
I'm writing a Windows Phone 7 app and have gotten Facebook login working using the C# sdk, but logging out has proven interesting. I've read this post:
Cannot Logout of Facebook with Facebook C# SDK
which seems to mirror the FB docs which indicate I should navigate to
https://www.facebook.com/logout.php?next=[redirect_uri]&access_token=[token]
However, that doesn't work and silently redirects me back to the facebook home page.
My best guess at the moment is facebook doesn't like the "next" URI I'm providing. I updated my FB app settings but either they haven't propagated yet, or something else is still not working.
I've seen posts recommending using InternetSetOption, but that API is not available on the phone.
In my application flow, logout leads to navigating to a different silverlight page in my app, so I really don't need the browser redirect for my purpose anyway, so I could just "forget" the access token without actually telling FB to invalidate it, but that seems weak and insecure.
So, while I wait longer to see if the app domain changes propagate across FB's servers and solve the problem I have a different question:
Why should the Facebook APIs care whether I provide "next" or not? Shouldn't I just be able to tell them to invalidate a token and have it happen?
Is there a logic piece I'm missing here?
Thanks!
Update: I wrote an open-source Facebook login/logout control for WP7 that allows this (check the example project). It works by essentially using the web browser control to navigate to the logout page and then submit the logout form by injecting javascript into the web browser control. The idea came from this blog post.
The closest thing would be to revoke the extended permissions by issuing an HTTP DELETE to /me/permissions as documented here. Simply forgetting the auth token isn't a bad option either as the access tokens are generally only good for an hour or two unless you asked for offline_access. And if a user is overly concerned, they can remove your application on their settings page on facebook.com.
I'm getting into the grimy guts of a problem that has turned out to be rather cumbersome so I turn to you, the experts, for help.
what I've done so far: I am building an iphone app with phonegap. I am using the provided fbconnect (in phonegap github) code which gives some rather convenient javascript based example code to build things like a comment and check in request. I have comments and checkins fully working how I want, and I have an auth_token that I am successfully toting around.
enter the like button: I understand that you cannot make like requests via xmlhttprequest in the same way that you can with comments for example, so I am stuck using an iframe (unless there is a better alternative).
what I need help with: right now, since the iframe is triggering its own login, I have the situation where the user might log in to like, and then have to log in again to comment which is not a viable. Is there a way to pass a valid auth token to the iframe so the user wont be prompted to log in again or some other sneaky way to authorize through the childbrowser solution that I have currently implemented and then share the auth token to the rest of the app?
notes: I havent passed an app ID to my auth implementation but I noticed that the iframe does pass an app ID. would including an app ID in my auth request somehow link the logins so facebook could recognize that the user is already logged in through the app?
I can't think of any specific code to include since this is more of a general question but if there is anything you'd like to have a look at please let me know.
The short answer is no, mainly for security and spam prevention. The only way to have the user like your page is rendering the iframe code in a webview. This requires a traditional email/password login with Facebook. Using the graph api is the only way to use things like commenting and checkins, and this requires a user to login via a separate mechanism and then subsequently approve your app. There is no back door logging in mechanism.
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.