where am I supposed to use the OAuth Dialog? - facebook

on the facebook developers site it recommends using the OAuth Dialog where you use
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_CANVAS_PAGE
replacing the the YOUR_APP_ID and YOUR_CANVAS_PAGE with what you have
my question is where am I supposed to put this?
do I put this somewhere on my index.php for my canvas page?
or aside from creating your app, do I need to make a website where info of my app should be displayed together with a link to my app using the OAuth Dialog?

You need to create website that will have the content of the app, since facebook will display it in the iframe.
As for the link you mentioned, it is used to get permissions (basic information, user's email etc). If you need that kind of information about the user, you have to redirect him there so he can grant the permission. If your app doesn't require any information about the user, you can just skip the authorization part.

Related

How to require user to login fb before accessing Facebook Canvas App webpapge directly?

I am new to Facebook App. I am developing my first Facebook Canvas App which links to a webpage hosting on my server.
I can now access the app by either:
(1) go to the Facebook App (http://apps.facebook.com/myappname), or
(2) directly access the webpage through URL(http://mywebsite.com/myapp).
I have set http://mywebsite.com/myapp as my canvas page in FB dashboard settings.
I want to avoid (2) by requiring user to login FB first before they can access the page. I would like to know how can I do that?
This may be a stupid question, but I have read the FB API documents (FB official guide talks a lot about setting custom login page) and searched through a lot of questions but they doesn't seem to fit what I need.
UPDATE:
I have tried something like putting the following in my webpage:
<script> top.location.href = 'http://apps.facebook.com/myappname'</script>
In this case, if user access the page by (1), there's no problem. If user access the page by (2), user will be redirected to Facebook.
However in the client side we can still view the content of the webpage even if user is not logging in to Facebook. I want to achieve this in the server side.
Thank you very much!
I have already solved the problem by using examples from Facebook PHP SDK version 3.
https://github.com/facebookarchive/facebook-php-sdk/blob/master/examples/example.php

Facebook account to replace registration?

I'm new to all this. This is what i'm after and i'm sure it's possible.
I've got a script where people can register/login in to as members. What i'd like to do is tie it in so that it just uses Facebook users details for the registrations. I've managed to set it up to sign up and and complete a registration using a user's name and email.
What i'd like to do now is automatically log the user in if they're logged in on facebook, is this possible or will they need to click a login button that then takes them to their page? If they need to click a button to login, how do I go about getting the button to take their facebook details and log them in? Also what happens in regards to passwords on my site? Is that stored in the app somehow?
Ideally i'd like to use the popup version of verification rather than the iframe that i've got set up at the moment.
Cheers in advanced for any help for a n00b!
This is in fact possible. Although I for my part was never a fan of such things here's some human-readable (simplified) theory:
Facebook uses a system called OAuth ( http://de.wikipedia.org/wiki/OAuth ). That means, when you want to have the user login onto your site using Facebook you'll of course need to provide a button/facebook-login-frame (see documentation) that says "Log me in with Facebook" or so. You then access Facebooks API (more here: https://developers.facebook.com/ ) and basically tell Facebook who you are ("Hi I'm website XY"). While that happens your user is redirected to Facebooks "permission-landing-page". On that page he needs to confirm whether he is fine with your website accessing certain information (like his name). If he confirms your website receives an access-token granting you access to a subset of his user information which you can then use to personalize his expeirence on your website.
Check out facebooks documentation because they explain exactly your usecase in detail.
(here: https://developers.facebook.com/docs/authentication/ )
PS: You'll of course never have any access to his Facebook login/password. That's kind of the idea behind "delegating" the authentication via OAuth to Facebook. Facebook only provides you with an access token (bound to that particular user who logged in and granted your app/website permissions)

Facebook authorization within non-facebook iframe without redirecting

I have a facebook application (not written by me, but have some control of its content) and its designed to run as a canvas iframe app, using the new(er) OAuth login stuff. I want to embed it in an external (i.e. non-facebook) iframe , which works fine when authenticated + authorized as its just a page that talks to facebook.
However, when not authenticated + authorized to run the app, obviously it needs to ask for permissions/login. It does this by redirecting to the relevant auth pages, which works if you do top.location.href, but I'd really like to do it within the iframe e.g. using self.location.href . This doesn't seem to be permitted by facebook as instead of redirecting you to the right page you get a facebook logo and a link to bust out of the iframe and go to the auth page, which I don't want to do.
Is it possible to handle the auth stuff within the iframe, and if so, how? Would really appreciate any info on this!
You should use JavaScript framework of facebook-connect that open a pop-up for permissions
Check this tutorial
http://thinkdiff.net/facebook/graph-api-javascript-base-facebook-connect-tutorial/

Is it possible to post to Facebook without using Facebook Connect dialogs?

I would like to post updates to Facebook from my iPhone application. I know that there is a Facebook Connect project, but it requires displaying dialogs for entering user's credentials, dialog for posting content, etc. I would like to be able to get the credentials from application settings and post whatever the user put into UITextView.
Is it possible? or am I stack with Facebook Connect?
Thanks!
You need to use Facebook Connect to authenticate and let the user set privacy settings for your app on their profile. You might technically be able to write all the authentication code yourself (see Facebook's Developers page about authentication) but why bother when the experts have done it for you?
You can then use the Facebook Connect API to do whatever you need to do with Facebook, assuming the user has give your app permission to do so.

How to make a website that functions as a website and a facebook app?

I have a website based game that has login accounts that I want to integrate into facebook (not facebook connect, I want to use an iframe canvas page).
My question is how can I authenticate a user and how can I check if a user is coming from facebook or directly from the site.
I have been playing around with require_login() using the PHP library. My main fear is how can I authenticate that the GET parameters from facebook are indeed from facebook? If I can do that then I can store their facebook session id and Uid in a session as login credentials.
My other worry is that the GET variable may get passed as a reffer to an external link.
Finally... I find in some browsers that with require_login() that it breaks out of the iframe and gets into an eternal look continually adding additional authtoken's to the URL.
Hope someone can help
Yes you can create a app that works independently as well as facebook app. For the facebook you will have to use the facebook's iframe method to work under facebook.
You can verify the request comes from Facebook by verifying the signature in the same way that Facebook checks that API requests come from your application. With the PHP client library you can use the validate_fb_params() method of the Facebook class to do this automatically.
Bear in mind that session key's are temporary so the user will keep needing to authenticate with Facebook through your application otherwise the key expires within the hour. You may also run into a 3rd party cookie issue with Safari if you're hoping to store the session key in a cookie, and you'll need a compact privacy for quite a few other browser/privacy setting combinations as well. Something like:
<?php
header('P3P: CP="CAO PSA OUR"');
?>
in an include would do it.
And yes: the session key may be passed to external sites as in the referrer properties. It's just one of the security flaws that the platform currently has. The only way around that is either to redirect all external clicks through a handler which removes the referrer, or redirect on page load to strip the fb_sig_ss parameter out.