I have a game where I want to track user logins/installs. I need to be able to detect when a user was just redirected to my app from the authenticated referral dialog. Since we cannot specify our own redirect_uri after the user authenticates, nor does Facebook append any sort of flag for canvas apps - is there any way to achieve this?
3 Auth Token Parameter: If Authenticated Referrals is enabled and when a
user authorizes your app through the in-line Auth Dialog, we will pass
your app the Auth Token in the format specified here. Available
formats: URI Fragment: if your app is using client-side
authentication, Query String: if your app is using server-side
authentication. If your app is a canvas app, we will not use this
setting and will use the "signed_request" as the response type
automatically.
Based on that information from http://developers.facebook.com/docs/opengraph/authentication/, I would suggest you read the signed_request and see if the auth token is there. If the token is there and that id is already in your data store, you dont log is as a new app install. If the token is there and that id is not already in your data store, then you can add the user to your list of app users in your data store and track it as a new install.
Related
I'm writing a React app that needs to have a login with Facebook button.
The React app is already communicating with a PHP API that already has a system in place for registering and logging in users with a username/password. The API generates a JWT and sends it to the front-end, which stores it in local storage and uses it to authenticate the user on subsequent API calls.
I've gotten my front-end app to the point where I'm successfully opening the FB permissions dialog, and receiving a response from FB that contains a userID & accessToken after the user grants permission.
My question is:
Do I need to store the FB accessToken if I don't need to access FB's API afterwards? Can I simply store the userID and use it for authentication?
My proposed auth flow would look something like this:
User clicks login with Facebook button, grants permissions in the dialog.
My React app sends the userID to my PHP API.
The API looks up the user in our DB by FB userID. If it finds one, it sends back a valid JWT, logging in the user.
If no user is found, the userID will be stored in the app's state, and it will begin the registration process, passing the FB userID along with the rest of the registration data when the user completes registration. The API then generates a JWT and proceeds with login like normal.
Would this be wildly insecure and a would be hackers easiest-day-ever?
Or is it safe to implement?
I am developing an application using xamarin.Here I am using xamarin auth component for facebook authentication.I am able to login and get users info and able to save them in local DB.Xamarin auth component has provided option for storing account object so that when user relaunch app ,we can use that account object to login.
Here comes my question: If user changes password on facebook account from site then what should be done when app is relaunching,as stored account is local we can't use that info to login again.
Thanks.
Any suggestions are appreciated.
Actually you are supposed to use the access_token for subsequent queries towards Facebook after the first successful authentication. With OAuth, you won't store password in your app. I would expect that when a user changes the password within Facebook, the old access_token might expire. In this case, you'll have to make the user manually re-login. This is the case anyhow when your access_token expires for any reason; keep in mind that all access_tokens expire after some time.
You can easily verify if the access_token is still valid by sending some basic request in the background. If you get an autherror response, just prompt the user to login again when it makes sense in the flow of your app.
I am bit stuck with facebook authentication in my wp7 app.
What I have right now:
login page with WebBrowser control
I can get access_token from facebook
Save it to phone IsolatedStorage
What I want to do is to skip login page if the user is already authenticated, but I don't really understand the flow, what condition should I check.
On server side I have REST api, when user is authenticated I get his personal information from facebook and call my api to store this information in the database + access_token. Then I used it with all requests to secure my api. Is it good approach?
You don't really check a condition. You try to do whatever it is you want to do with the access token (post status, upload picture, or whatever) and then, if you get an oauth exception, you go and bring up the browser again to get a new access token (browser will just flash - it won't require any user input unless they actually changed their password or something)
The instructions on using Single Sign-On (SSO) with the Facebook IOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
no, there is no way to do this. each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged of FB from your app so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this don't request "offline_access" permission when you authorize a FB user and you can also logout and de-authorize the user via the FB API based on whatever criteria you deem appropriate.
I wonder is it possible to access user's wall info without passing his/her access token?
for example, I will just pass my app secret token and app id. and FB user already allows to access his/her info from my app. Facebook does the checking and matching of my app and my app's user by just using my app secret token and app id.
Because I found some topics similar to that.
http://forum.developers.facebook.net/viewtopic.php?pid=9172
When I check Rest FB doc,it says like that.
http://restfb.com/javadoc/index.html
public DefaultFacebookClient()
Creates a Facebook Graph API client with no access token.
Without an access token, you can view and search public graph data but can't do much else.
I doubt that it will work or not without access token.
can everyone share me ideas or any possible similar approaches ?
Thanks.
You will need to ask the users to authorize your app for offline access. You will be able to access the user's wall even if the user is offline, but you still need the access token. It is part of Facebook's security measures.
There are two types of access tokens:
Session based: expires in a short term, are used when the user will be logged to FB every time you need to perform an operation.
Offline access: do not expire and allow the app to perform operations for the user in any moment. This requires the offline_access permission when the app is authorized.
Check here: http://developers.facebook.com/docs/authentication/ for the oauth mechanism and here: http://developers.facebook.com/docs/authentication/permissions/ for the permissions list.
The REST API is deprecated and it is strongly suggested that you don't use it anymore. Furthermore, from this October you will be allowed to use only the Oauth2 authentication (see When is Facebook turning off their session based auth?)
Without token you can only access public information.
Public data
From RestFB homepage :
// It's also possible to create a client that can only access
// publicly-visible data - no access token required.
FacebookClient publicOnlyFacebookClient = new DefaultFacebookClient();
If the user does not protect his posts, then you can access everything without token. But most of user do protect their data and then you need a valid user access token to read the data.
Private data
When you say "FB user already allows to access his/her info from my app" it means that the user has clicked on "Allow app" in the web browser and at that moment here Facebook will give you a token. You can after use that token with RestFB :
FacebookClient facebookClient = new DefaultFacebookClient(USER_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
By default, the token will expire a few hours later. If you ask for the offline_access permission, the token will be valid for ever (as long as the user does not remove the permission for your app in his settings). You should store that token in your database to be able to use it when you need.
Get the user token
You cannot get the user token with RestFB. On the RestFB homepage, you can read :
Non-goals: [...] Providing a mechanism for obtaining session keys or OAuth access tokens
Because you need a browser to do so : the user has to authenticate and authorize your app on Facebook website (the popup that shows).
What you can do is to have a PHP page on which your users have to go to authorize your app. You can read this stackoverflow answer that explains how to use the Facebook PHP SDK to do so.
Hope that helps !