I'm creating a site that allows users to register/link Facebook/Twitter/Google etc to their accounts.
When authorizing via OpenID and OAuth/OAuth2, what tokens do I need to preserve so that I can make sure the app can update their Facebook status / Twitter wall?
Well all you need to take care of preserving the access_token in all cases.This token is basically last part of any handshaking mechanism and with the help of this you will able to communicate with the Open-ID/OAuth party.
Related
Recently I've been doing some research into OAuth and OpenID/OpenId Connect and it's all just left me confused as to what is best to use and what is safe.
Originally I thought you could just use OAuth2.0 to log a user in (using their ID as a way of remembering the user) but then I found out that due to how the spec of OAuth 2 works, hijacking tokens would allow a malicious user to impersonate another person. Which is why it's stated that you shouldn't use OAuth 2 as authorization.
But then I have been reading that providers as such as google and facebook have decided to go away a little from the standard and ensure that such attacks are not possible. So my question, what OAuth providers are safe to use to gather a users ID to be used to log them into my service.
Also, facebook is offering another service called facebook login. From what I can tell it's OAuth but without the impersonation issue (obviously) AND the app creator cannot do other OAuth features as such as posting on behalf of the user without getting their app reviewed by facebook. Why would I use facebook login over OAuth which gives me all those permissions without review?
Thanks a heap everone
I want to enable my users to associate their user account with a Facebook or Twitter and allow them to login on my server with their Facebook/Twitter account instead of using the classic username/password. Basically the same idea as the login in StackOverflow.
My current approach for Facebook:
The client application will perform OAuth and then use their Facebook id to login on my server. Based on this Facebook id, the server will lookup the associated user account and perform login without asking for username/pasword. However just relying on the Facebook id to login is not very safe, as that is the same as using only a username to login instead of username & password.
So to make sure the Facebook id is authentic, the client application will also provide a FBSR (Facebook Signed Request, see: https://developers.facebook.com/docs/facebook-login/using-login-with-games/#checklogin) with the login request.
The server will check two things with this FBSR:
The Facebook id in the request must be the same as the one hidden in the FBSR
Server will recalculate the signature part via the Facebook secret key. This must match with the signature in the FBSR .
Normally the server should perform a check with the Facebook server with the oauth_token to be 100% sure of the users identity. However I need skip this in order to avoid dependency to Facebook server on our server.
I have 2 questions:
1) Is this above approach good enough? Can it be improved (without server-to-server communication)?
2) I want to do the same with a Twitter account, but the their signed request is different then Facebook. It seems the Twitter user id is embedded in the oauth_token, so my approach may work with a little tweak, but I am not sure whether the user id is always part of the oauth_token and cannot get this confirmed after searching the internet.
I think that your approach is good enough and don't see any way to avoid server-to-server communication with a signed request. Bear in mind that, with Facebook Graph Api Version 2, in order to protect the privacy of the user, Facebook will send out not the real user id, but one generated for apps. It will also be possible to enable anonymous login.
I am not sure of what you're trying to do with Twitter, and why you compare the APIs (they're quite different). The Twitter login, also know as Sign in with Twitter, used for any website or mobile app, should work for you too.
On my app the user can sign to Facebook and the app then has the user's access token (say it's 'abc'), I want to use this token to create a user on my own server.
Is it safe to send this access token to my server (using SSL), then get the user's username and ID using https://graph.facebook.com/me?access_token=abc on my server and check that the application the token belongs to is mine with https://graph.facebook.com/app?access_token=abc. If it is my application I then store the user in my user's database and/or log them in.
Can this system be fooled? Can you think of a way someone could log in as someone else?
You should check out all of the Authentication documentation and the Oauth spec to see the different auth flows available
Broadly speaking, you can create a user on your server based on the access token, and be reasonably certain that when you get an access token from Facebook for the same user ID that it's the same person.
If you require very high security for the app you can take steps to ensure the user's access token wasn't produced via malware or the Facebook user being tricked, there's an example showing protection against CSRF in the Server Side Authentication documentation, and there's also a reauthentication flow you can use
I assume that you are using facebook sdk for this, if so the facebook sdk takes care of the security for you and you don't have to worry about a thing.Supposing that you are accessing the api without the sdk then there are two things that must be noted:
1) Auth token expires frequently(facebook has taken great pains to ensure that the user is protected)
2)Making a request with just auth token is not enough there are some other parameters that are needed that can't be faked especially if you are doing this server side since an extra layer is added that fb calls server flow authentication
3)On top of that there are a lot of permissions that are in place that the user has to give in order for an application to access some data.The link below provides a nice article on authentication you can take a look
https://developers.facebook.com/docs/authentication/
So long story short it is safe.
I need to post message on a certain FB page as a owner by cron, using php and ZF 1.1.X. For this small issue, I don't want to create a full OAuth stack. Is it possible to communicate with FB API (it's desirable, PHP SDK for FB) without it, such as twitter with his precreated access tokens (Access token, Access token secret)?
As long as you need an active user access_token to retrieve desired data this is not possible to skip OAuth flow.
Without authenticating user you only have application access_token (in old format APP_ID|APP_SECRET, but it's still works) and only limited access to most of Graph API endpoints and Application settings.
Actually there is nothing hard in implementing the user authentication with OAuth flow and it is completely transparent with usage of PHP-SDK.
Just look at the sample code in documentation for server-side authentication
Yes, you need to build an app and then authorize the page via the app while requesting the manage_page permission.
You should make yourself familiar with the Server Side Auth process as well.
I have an application that used to use offline_access, which obviously needs changing since that's going away.
We use this permission to publish messages to the facebook wall of a user when they interact without our backend through any number of APIs. We have a website, several mobile applications on iPhone, Android, Blackberry, and Nokia phones that connect to the application, as well as a desktop application that interfaces with hardware devices and all of these can cause the backend to attempt to publish to facebook, but only the website allows the user to make the initial authorization with facebook.
From what I understand, using server-side authentication gets 60 day long tokens, and the only way to get new tokens is to redo the authentication process which assuming the user hasn't changed password, is logged into facebook, and hasn't de-authorized the application will appear as nothing but a series of automated redirects.
Is there any other way to do this? For example, what exactly does fb_exchange_token do? Is it applicable in this case or does this ONLY apply to tokens received via the javascript API?
Is there anything we can do for these non-website user interfaces aside from incorporate the native facebook APIs and do the same thing for as the website?
Attempting to use fb_extend_token was pretty fruitless. Rerunning the standard authentication returned the same token but with a fresh 60 day expiry time. Doing it again a short while later didn't extend the token. I'm hoping this means I can only do this once a day, not once per token.
Since I was using the server-side flow and the keys would never be seen by the user I was able to rework my app slightly to use my APPLICATION token. These keys belong to your app and allow you to use the API on behalf of a user for as long as they haven't revoked their permission. The user authorization tokens can expire, but as long as the user hasn't explicitly removed your app from the apps they've allowed, your token will continue to allow you to post to the wall using a /user/ URL, the /me/ URLs won't work because your token is bound to your app.
I believe once the deprecation of offline_access is complete, obtaining/exchanging access tokens is the only way to do what you need.
Anyone who had offline access before the deprecation will still be able to use your application normally, for 60 days at least. Once this period is over, you have to re authorize users and extend their access tokens for another 60 days. To do this you have them log in, and authorize your app (if necessary). Then you extend their access token using fb_exchange_token, so it is good for 60 days.
I'm sure you have seen it, but it's all outlined in this article, more specifically the section about previously using offline_access. I also found this post useful for doing an upgrade. Here is another link that further details how to deal with invalid tokens.