With the new Authenticated Referrals in the new FB auth system, the user logs in before even hitting my app.
My question is, is there any way to detect when a user has just come from one of these authenticated referrel dialogs? For example, by specifying the redirect_uri on them and appending some GET params.
If you go to https://developers.facebook.com/apps/YOUR_APP_ID/summary you can set the domain and the website of your application.
Facebook, for security reason will only redirect to the website you set here passing you some parameters in the HTTP GET url (for example the access token just generated for that user), to decide which of these parameter you want to receive you have to go to settings -> auth dialog then at the bottom of the page Authenticated Referrals -> Auth Token Parameter.
EDIT:
If you want to be sure that an user just used the auth dialog you can use a simple workaround: read the access token from the url, then check if this is the 1st time you see this token, if so you can test the validity of the token by performing a simple operation that the particular user accepted you (or better your facebook app) can do with his profile.. The easiest way is probably to send a request to:
https://graph.facebook.com/me?access_token=...
If token is valid then it IS reliable.
I've been working on this problem myself. It would have been a lot better if Facebook just passed auth_ref=true or something. Anyway, I came up with a system that seems to work for me using cookies.
I already have a page that I use as the redirect url for the fb auth dilaog. This page initializes the user and sets a cookie. If that cookie is not present and the signed request has a token, then I redirect to this page. I can't tell if the user either came from an authenticated referral or some other path like a bookmark, but it doesn't matter for my purposes.
You can see the details at:
http://developsocialapps.com/authenticated-referrals-facebook-apps/
Basically something like this:
// on somepage.php
if (signed request has token && url is not redirect page && user doesn't have cookie) {
redirect to redirect.php;
}
// on redirect.php
set cookie;
redirect back to somepage.php
Related
I had made a Facebook APP for authorization of users on my Website, I am using OAuth Method. In My Site i have kept a Feature called "Login in With Facebook", when user clicks he gets redirected to Facebook with link
https://www.facebook.com/v2.2/dialog/oauth?client_id=<ID>&redirect_uri=<mysite>&state=<some random hash>&scope=
This looks fine enough, Now Facebook asks for Allow and when Users clicks allow, I get a URL Back on my site with a Special parameter called &code= .. It looks like
http://mywebsite.com/facebook&code=<some huge Random code>&state=<hash>
Now, i would like to know what exactly is code= parameter value says, is it the access Token of the User because i don't see special parameters like access_token=. So can somebody tell me what is code means in OAuth and is it same as Access token. ?? How can i verify it.. Please input your thoughts
Your app needs to exchange that code server-side for an access_token
There's specific documentation for this flow but essentially you take the code, your app ID, app secret, and the redirect_uri you used when opening the dialog initially, and make an API call to exchange the code for an access token
You then use the access token to make API calls on behalf of the user
Facebook's server-side login process mentions that the server should provide a 'state' variable during the request to Facebook. It acts like a CSRF token in which Facebook will pass back to login-callback page for our server to verify.
However I am not sure why this is necessary. If we do get a bogus login request, we still need to get the access_token from Facebook using the ?code= of the login request. A bogus request will not have the correct code, therefore won't work correctly.
Furthermore, a user can access our server through Facebook App's link. Facebook automatically adds a ?code= param to the link so our server can/have-to auto login the user. If we are to use code provided by this referral, we have no state param to verify anyways, and Facebook seems to not care about it either.
Is state optional? Does it really provide extra security?
The state parameter is optional. It may provide extra security if your service can put some information there worth keeping. Usually the state parameter is used for keeping data about the state of the session for the current browser window (as opposed to data dealing whole session which can be handled with cookies).
An example of using this feature for extra security would be doing following:
User visits your site
Your site sets session cookie (e.g. Set-Cookie: id=xyzrandomstuff)
User tries to do something that requires doing facebook authentication
Your site creates CSRF token that can be used with session id xyzrandonstuff and puts that in the state parameter for the facebook login
User completes login at facebook (you cannot see this)
User comes back from facebook with code and state parameters.
You verify login with code and before completing the action started at step 3 your server verifies that the CSRF token matches the current session.
I have created an App on facebook and I am using this app to authorize an user via dotnetopenauth.
Here I would pass APPID and APPSECRET and get the token which would be used to call Facebook Graph to get facebook user details.
If I'm doing this for the first time, user would be asked to enter username/passowrd on the Facebook website and then the session is created in the browser and it will redirect to my website as a Facebook user. This means that if I open a new tab in the current window and open facebook, user will see his/her page directly without asking for username/password. - this is obvious and understandable.
// code
request = WebRequest.Create("https://graph.facebook.com/me?access_token=" + Uri.EscapeDataString(strAccessToken));
response = request.GetResponse();
My query is:
After the scenario above, if user logs out from Facebook website OR I close the browser window, the facebook session is lost. However, I still have the access token (string in the above code) that I got while authenticating.
So, As of this moment I am not storing any user information from Facebook (not even cookies or anything else). I am just requesting user to authorize my application as a Facebook user. When user does that, I get the access token which I can use it to make calls to Graph and REST APIs. This access token usually remains same, so I really dont need to pass the applicaition id and secret to get the token next time onwards. Actually I can request the graph APIs and REST APIs with the stored token and request user details. I have tested this and works fine.
What I am looking for is, if user opens www.facebook.com, user should see his/her personal facebook page which obviosuly is possible only if I have a session in the current browser. Hence, my question was: how do I use my access token OR what call should I make with my access token so that I can set the browser session for the facebook user? Is it possible technically?
Regards,
AG
No. Your access token is used by your web server to call facebook. It's impossible (and undesirable) for this to impact the user's browser in a way that would set a facebook.com cookie so that the user would be implicitly logged into Facebook by your use of the access token.
I have an app with a login screen with a button that invites users to login using facebook.
That authentication part of the integration works fine. I have also parsed the returned cookie variable to obtain the userID. The next step is to obtain the users information.
I found this stackoverflow article Difficulty parsing string with Facebook one click sign on and ColdFusion which says
Once you get parsed signed_request (stored in your cookie) you can use
user_id (which is Facebook User Id) and oauth_token (aka access_token)
to get needed info via Graph API or FQL.
But, how do you obtain the access_token the poster speaks of? It is not in the cookie variable (that I can see anyway).
Sorry for being such a noob. I got twitter working easy. Facebook is a pain.
https://developers.facebook.com/docs/authentication/ is your friend. Read the server side flow section.
"If the user presses Allow, your app is authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with an authorization code:
http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls.
In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint - along with the exact same redirect_uri used above - at https://graph.facebook.com/oauth/access_token. The app secret is available from the Developer App and should not be shared with anyone or embedded in any code that you will distribute (you should use the client-side flow for these scenarios).
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
If your app is successfully authenticated and the authorization code from the user is valid, the authorization server will return the access token:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission."
As I understand it, this is the basic process for new Facebook iframe canvas apps using the OAuth2 API in a nutshell:
Redirect to (or have user click link to) app's authorization URL
User authorizes and is redirected to your callback URL
Callback uses "code" parameter to get a access token
Access token is used with Graph API to pull or push information
The problem is that access tokens expire relatively quickly and need to be "refreshed", so my questions are 1) how do you detect that the token has expired aside from trying to use it and simply getting an error? and 2) what is the best practice for obtaining a new token?
Currently, I just detect that there was an error trying to get the user's information with their access token, then redirect to the authorization URL again -- since they already authorized the app a blank page flashes by and they are redirected back to my app callback where I get a fresh token. It's so clunky I can't believe this is the proper method.
The only way to tell if a cookie is valid is to use it and catch the error if it is expired. There is no polling method or anything to check if a token is valid.
To get a new token, simply redirect the user to the authentication page again. Because they have already authorized your app they will instantly be redirected back to your app and you will have a new token. They won't be prompted to allow since they have already done that.
In short, there are no tricks to this. You are already doing it correctly.
Recently, facebook has made some changes to access tokens which allows them to be refreshed periodically.
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
For more details, check here: https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal
//you just need more step because the access token you are getting will expire in 1 hour
//you can overcome this in step 5
1-Redirect to (or have user click link to) app's authorization URL
2-User authorizes and is redirected to your callback URL
3-Callback uses "code" parameter to get a access token
4-Access token is used with Graph API to pull or push information
5-exchange short-lived access token you just got with 60 day access token
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
6-after 60 day the user must login again to your app and the steps from 1-5 will be repeated.
--the real problem you will face is how to make the user visit your app page again
Facebook has removed the feature of refresh the access token on the "behalf of" mode. The best and easy way is to redirect the user to facebook login page to re-oauth the app.
Find facbook doc here
if user has already authorized your application and access token expired. you can redirect user to authentication page again. but oauth dialog doestn't show because user already authorized your application. he will redirect to redirect_url parameter you used.