What kind of Facebook authentication should I be implementing? - facebook

I have an app that can be accessed on mobile phones, both iOS and Android. The app has a social component to it, so people are sending data to and from my server.
I also have an interface for this app that will be accessible through Facebook.
When logging into the app via mobile device, using the native app for that device, one can just log in with standard username and password.
However, obviously if a user accesses the app in Facebook, they will expect to already be logged in since they are already logged into Facebook.
So I need to make it so that my app can take a log in from Facebook, pretty much automatically (?) for users who are coming at it from within Facebook.
Further, it's possible (dare I say "likely"?) a user might access the interface from both Facebook and one of the mobile versions of the app. In which case I need to be able to ensure that the username/password authentication they use on the device points to the same account associated with their Facebook login.
So... all that said... what kind of Facebook authentication should I be studying and implementing.? I'm looking at their documentation right now, and like all documentation, it's not easy to grasp. There is server-side (authentication code flow?) and client-side (implicit flow?), and authentication tokens, and I'm already a bit lost.
Also, I assume Facebook's approach is to want to take over my login in process completely, not live side by side with my mobile-device-only login, but I'd like to make sure users have the option of not using Facebook authentication if they don't want.
Can someone point me in the right direction for how to do this? Basically let me know which part of the documentation I should be focusing on.
And are there any gotchas I should watch out for?

Your server will receive a signed request when your app on facebook.com is loaded; from this you can find the FB uid of the user.
If you obtain the FB uid for users of your mobile device clients you'll be able to match your app's accounts between mobile device & facebook.com clients.
The bottom of the main authentication docs page gives links to further documentation for different client types. The main mobile authentication page has side-bar links to tutorials & SDKs for iOS & Android. Alternatively you could use the server-side OAuth flow as your devices have browsers that support this.
Once you've completed authentication on the mobile device it's simple to obtain the uid.
You can also use the Facebook authentication flow instead of your own username/password authentication.

Related

Manually built OAuth login flow, which platform to specify in the Facebook App details

I want to provide the ability for my users to log-in to my app using OAuth providers like Google, Facebook, etc. For those purposes, I've built a unified OAuth login system that involves my server, based on instructions like this: Manually Build a Login Flow. From my users' accounts, I need only default permissions plus e-mail, with those permissions I've publish my Facebook app, and review was not required.
Today I've received a message from Facebook where I was asked to specify my Facebook app platforms, and this is where the problems begin. All provided but Facebook platform templates are not quite suitable for me:
currently, I'm using my system on the mobile app, but it is pointless to specify my package ID or provide some hashes because the app is not using Facebook SDK and those data will never be, received by Facebook
also, it is not correct to give the Facebook just my website URL it doesn't use Facebook login buttons or so, for log-in process communicates only mobile app and back-end
So, here my question.
Which platform I need to specify in my Facebook App if I've used instruction Manually Build a Login Flow to build my log-in flow.
Any ideas? May be someone have experience with this?
P.S. my app built on Flutter.

Facebook native mobile application and mobile browser sharing session

I have a website which allows login via facebook functionality and displays photos from facebook.
While accessing from a mobile browser I would like the website to automatically login(when the click on FB login button, without entering username and password) if the user is already logged in via the native FB application (iOS or andriod). It seems to be that I can do that by building a native iOS or android application and use facebook single sign on feature. Is it possible to do that without having the user install anything on their mobile device?
That is not possible.
Auto-Login relies on auth tokens that will be granted to a website or mobile app after a user approves an app. For security reasons, those tokens are tight to the cause they were issued for. Particularly, web tokens and mobile tokens are not interchangeable.
So you could build a native mobile app to get a "native token", but even if you would manage to (cookie-)inject it into a browser view, your website's backend couldn't use it.
More generally, you're raising an issue even facebook can't solve: Say you are using a facebook mobile app and logged in there. If you open facebook's web version on that very same phone, you'll have to log in there again. The root cause is the same as with above. Specifically, any native app is uncapable of setting arbitrary auth cookies into the OS browser. I personally believe this restriction will not fall, because it would have a large security impact - just imagine how any app could set (and possibly get) cookies for any website.
If they've never logged in facebook from their Mobile, how will your website ever know them ?
Is it possible to do that without having the user install anything on their mobile device?
Like PC's, users in a mobile device need to login in their phone in facebook's website before being eligible to login "automatically" to your website. When I say automatically, I mean they still have to go with the first time process of "Do you authorize this app/website to do X things on your account". That message is inevitable when using facebook's api on the web.
Hope this answers your question.
Is it possible to do that without having the user install anything on
their mobile device?
No this would not be possible. You need to have a native or hybrid app (phonegapped etc) to make it work. Mobile web apps run in a browser sandbox and without native code interface - you cannot get to the native SSO of FB on your mobile device
Did you have a look at this facebook page ? I'm not sure what you ask is possible, as basav said, but maybe you'll have some clues there.

How does the Spotify Windows desktop application authenticate the user?

I noticed that the Windows desktop Spotify application asks me for my facebook username and password in the login screen. I am wondering what happens behind the scenes.
When I change my fb password in my browser I have to use the new password in the Spotify desktop app login screen. There are even situations when the Spotify desktop application shows me a fb popup where I have to grant permissions for Spotify itself.
I know that Spotify uses an embedded Chromium browser engine to do all the heavy lifting. But isn't it against Facebooks TOS to do it that way?
I mean, does Spotify posts my username and password to the facebook login.php and intercepts the result page to get my cookie? Is there a documented way to handle a login to facebook on behalf of the user in a proper way?
No, they are using an old and deprecated REST API method called auth.login:
https://developers.facebook.com/docs/reference/rest/auth.login/
Obviously I can't stop you using this in your own app, but given how old that API is and how fully REST API is now deprecated, it'd be a bad idea to rely upon it.
Instead, for Windows desktop apps, I believe Microsoft offers a Facebook C# SDK which will contain ideal methods for authentication. I'm more familiar with their newer methods that are offered for Metro Apps called Web Authentication Broker.
These pretty much just load a web frame inside the app, get the user to login to Facebook, then show the Permission Dialog (if required). From there, the app can store the UID of the user and presumably a long-lived access_token that they received upon auth. This way, they only need to ask the user to login again once every 60 days.
There are other device-based authentication methods offered by Facebook, but most are still in private testing, the only one that is currently recommend for desktop apps is stated on this page under the heading Windows, OS X and Linux native apps (at the bottom of the page).
Update December 2013: Because the Facebook Login docs have changed significantly since I wrote this answer, I'd like to point out a couple of new additions:
Manually Building a Login Flow details the steps that desktop apps can take to login users. What is new here is that Windows 8 apps can now use their deep-linking ID in the redirect_uri of the Login dialog, meaning it'll multitask back to their app from a Login Dialog when completed or cancelled. This is an improvement from the previous WebView setup, because a User's default browser will likely have them logged into Facebook already.
Login for Windows Phone is the special guide for Windows Phone 8 apps to use.

Is Facebook Connect (Login) a good solution for an app to use?

I have seen many web apps supporting Facebook Connect...
But when i login through those apps sometimes the authentication is successful but nothing is returned to the app and the login page just goes to a blank page in that new windows and stops... The whole process fails... And this has not occurred once but many times...
So my question is:
Is Facebook Connect a good solution to use in apps or should i use something like Google Login or Twitter Login or OpenID or just a simple password based login or all of the things and let users choose what they want?
And if your answer is app the solutions then wont my database become messy and the app slower because it has look for more data now?
I know it depends on various factors but I just want your opinion, what would u choose and why?
Supporting Facebook connect as login function make sense only if your app has something to deal with Facebook (which is the most of our app today ;-)).
The behave of some app when sucessfully Authenticated and then Authorized is up to these app.
FB login give you all the tools to build you own user experience.
The things become a bit more difficult when you want to introduce FBConnect within already existing login base, while you have to find a way to bind the Identified FB user with your user account.

Facebook Open Graph without a browser

For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.
This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.
Under this circumstances, is it possible Facebook authentication? If you think so, what approach would you suggest ?
Thanks
Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.
A more complicated approach would be doing something similar to how Netflix enrolls a device:
device calls server to obtain a Code
device shows code on screen and directs user to go to URL on server and enter Code
server redirects user to Facebook and obtains OAuth token, user told to go back to device
device calls server with Code and obtains OAuth token
device can now make calls directly on behalf of user
According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:
Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.
However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.
This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests:
cory wiles blog
If you figure it out please post a detailed answer here so I can do it to.. :)
I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.
What you do is to emulate the Facebook.
One path you have to set up a Facebook application. Once you got the authorisation from user, you can to something with Graph API.
You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.
Once you know the authorisation mechanism, you can replace it with you own. Everything afterward is on Graph API.
Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.
In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.
You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.
Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.