I'm trying to create a custom Authorize attribute for my MVC 3 application. I know that there is a default FacebookAuthorize attribute that checks if the user is logged in. The reason why I want to create a custom attribute is that the user is able to create an account with Facebook or without (default membership) Facebook.
Now when the user is logged into Facebook I want to get the connected membership account and call the FormsAuthentication.SetAuthCookie method to log in.
When I run my application in VS2010 (F5) the user is not logged in, so you get the login page. When I click the login button and redirect to the homecontroller index action, I see in the custom attribute that the FacebookWebContext.Current.IsAuthenticated() method is true.
After I close the browser and hit F5 again in VS, the website navigates to the homecontroller index again. At that moment the custom authorize is called again and I see that FacebookWebContext.Current.IsAuthenticated() returns false.
Why is it false? I was already authenticated right?
Thanks
Download the latest source code and check out the "CS-AspNetMvc3-WithoutJsSdk.sln" sample, which demonstrates the use of FormsAuthentication and Facebook OAuth.
Related
I'm doing a private beta and the only login method is through Facebook.
The problem is that anyone with a Facebook account who can see the Facebook login button can log in. If you have standard e-mail authentication then you can use a token to access the sign-up page and then log in regularly going forward (any users who try to log in will just get denied). However, with Facebook login we don't know if they've registered yet. I do have cookies, but if they log in from different devices then we still find ourselves in this same predicament.
I'd like:
- users with access to be able to sign in easily
- users without access should not be able to sign in
Possible solutions:
- have users enter their e-mail address or code to then expose the Facebook button (if a code is in the URL then you can make the API call without user input, or you can make an API call after a user enters their e-mail)
- always follow the same link to log in (with a code attached)
Is there a preferred method of solving this problem? Anything that I'm missing?
I've created an app that works fine; however, if the user has not authorized my app yet, they have to do the following (assuming they are in Facebook AND logged in):
1. go to my app
2. click login/authorize
3. popup with Facebook permissions opens
4. accept in the popup
However, I noticed with Zynga games like Mafia Wars 1/2, Farmville etc., when you go to the app, if it hasn't been authorized, it takes you straight to the permissions, which are in a PAGE and not a popup, thereby eliminating one step. Also, the permissions dialog is full width; there is no app sidebar.
Does anyone know how I can duplicate this flow? It would be much easier to have users authorize within a facebook page rather than through a popup. How can I get permissions inside the page?
thanks in advance
Once a user visits a Page tab with your application, you can check if he is connected with your application by comparing the Page ID with the User ID in signed_request; for unauthorized users the IDs will be the same. In that case you can start the authentication flow by redirecting the user's browser to the "login url".
If you want it to be full page, just do the redirect with JavaScript like this:
window.top.location = 'https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=COMMA_SEPARATED_PERMISSIONS';
If you are using PHP, you can construct the login URL by calling the Facebook->getLoginUrl method.
Read the docs on Facebook authentication
How can you detect if a user previously authorized a tab application, without showing the user an authorization dialog? This is a user experience concern. We don't want to throw the user at an authorization dialog without a call-to-action, but we don't want a call to action to be shown to log the user in if the user previously authorized the app.
Here's the scenario. A tab application is hosted on a page that has several other applications. In Facebook, the 'Like' button does not work at the tab level but on a page level, so a user may have liked a different application without having seen the current application. Therefore, if any 'Like gate' is used on the landing page of a tab application, and authorization is required to use the app, then when we log the user in the user will be immediately shown the authorization screen without a call to action, unless we can detect that the user previously authorized this application.
You could use the javascript SDK and check the login status to see if they have authorized your application. If they have, you could redirect with javascript elsewhere or make the calls you need. If they haven't you could then show the call to action on your page. Something like:
FB.getLoginStatus(function(response){
    if(!response.authResponse){
        // redirect to authorization page
        top.location.href="http://www.facebook.com/dialog/oauth?client_id=appid&redirect_uri=http://facebook.com/somefanpage";
        // or instead show a call to action div
    } else {
        //load fan page specific content
    }
});
But this will only tell you if they are currently logged in and authenticated with your application or not. The only way you would be able to tell if this is a returning user vs a brand new user is if Facebook sent over the userId in the signed_request like ifaour mentioned (then you could call /userId/permissions with your app access token or look up in your database), but Facebook most likely won't send the userId since your users probably aren't authenticating with your individual tab application but a different shared application key.
Well, Facebook will send the user id in the signed_request only when the user authorizes your application. So as long as that piece of information is missing, this means the user didn't authorize your application yet, i.e. show the auth dialog (or redirect to the auth screen)!
More about this in the Page Tab Tutorial:
Integrating with Facebook APIs
When a user navigates to the Facebook Page, they will see your Page
Tab added in the next available tab position. Broadly, a Page Tab is
loaded in exactly the same way as a Canvas Page. Read more about this
in the Canvas Tutorial. When a user selects your Page Tab, you will
receive the signed_request parameter with one additional parameter,
page. This parameter contains a JSON object with an id (the page id of
the current page), admin (if the user is an admin of the page), and
liked (if the user has liked the page). As with a Canvas Page, you
will not receive all the user information accessible to your app in
the signed_request until the user authorizes your app.
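The check this answer relies on, as an added example that is not part of the original answer or the tutorial: signed_request is delivered through the browser, so the server should verify its HMAC-SHA256 signature with the app secret before treating a present or absent user_id as meaningful. The helper names, the secret and the sample payloads are constructed for illustration.

```javascript
const crypto = require('crypto');

// Decode base64url, the encoding used for both halves of signed_request.
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// Verify and parse a signed_request ("<signature>.<payload>"). Returns the payload
// object, or null if it is malformed, fails the HMAC check, or names another algorithm.
function parseSignedRequest(signedRequest, appSecret) {
  if (typeof signedRequest !== 'string') return null;
  const parts = signedRequest.split('.');
  if (parts.length !== 2) return null;
  const [encodedSig, encodedPayload] = parts;
  const expected = crypto.createHmac('sha256', appSecret).update(encodedPayload).digest();
  const given = b64urlDecode(encodedSig);
  // Constant-time comparison; timingSafeEqual throws on length mismatch, so check first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let payload;
  try { payload = JSON.parse(b64urlDecode(encodedPayload).toString('utf8')); }
  catch (e) { return null; }
  if (!payload || payload.algorithm !== 'HMAC-SHA256') return null;
  return payload;
}

// Decide what the tab should do: only a verified payload with user_id means "authorized".
function tabState(signedRequest, appSecret) {
  const p = parseSignedRequest(signedRequest, appSecret);
  if (!p) return { action: 'reject' };
  const page = p.page || {};
  if (!p.user_id) return { action: 'show_call_to_action', liked: !!page.liked };
  return { action: 'load_content', userId: String(p.user_id), liked: !!page.liked };
}

// Constructed sample input: signs a payload in the same format, used here only
// to build values that can be checked offline.
function makeSignedRequest(payload, secret) {
  const enc = (buf) => buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const body = enc(Buffer.from(JSON.stringify(payload)));
  const sig = enc(crypto.createHmac('sha256', secret).update(body).digest());
  return sig + '.' + body;
}

const SECRET = 'constructed-app-secret';
const anon = makeSignedRequest({ algorithm: 'HMAC-SHA256', page: { id: '1', liked: true, admin: false } }, SECRET);
const known = makeSignedRequest({ algorithm: 'HMAC-SHA256', user_id: '42', page: { id: '1', liked: false, admin: false } }, SECRET);
console.log(tabState(anon, SECRET), tabState(known, SECRET));
```

A request whose signature does not verify is rejected outright rather than treated as an unauthorized user, so a forged user_id never reaches the content path.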
Hey, I've been looking for a solution to this particular problem for a few days now with no luck. I'm working with Community Builder for a login page to a Joomla website. The site has some pages that require the user to be registered to have access to, and if they try to view the page without authentication they get redirected to the CB login page. The problem is that, after providing the proper login information, the user is sent to the index.php page. I'm trying to find something through code or plugin that'll allow me to redirect the user back to the page they are trying to view after logging in. Does anybody know of a method to implement this?
You can create a system plugin with the event onAfterDispatch. Here you can check if the user has access to the requested URL (through the Joomla ACL functions). If not, then redirect the user to the CB login page with the additional query parameter return=base64_encode_url. It will set the hidden field named 'return' in the login form, and the user will be redirected to that URL after login.
I have added Facebook Connect to my application via the JavaScript SDK. I'm using Spring Security (this is a Grails app) and I have added code that when someone clicks the FB Connection button to log in, I manually authenticate them against their user account and everything gets wired up appropriately. I have 2 questions:
1. When a user first logs in with FB and I don't have an account for them, I create an account for them with their FB info, generate a random password, and use their email for their login name. If the user then uses the regular login form instead of the FB button to sign in, how do I sign them in to FB as well?
2. Every time the user clicks the FB Connect button, the popup window shows up. If they are already authenticated, it just goes away and then my web site redirects correctly. How do I keep the popup window from showing up in this case?
Thanks
To your first question, the user might be connected on Facebook when landing on your page after registration. So you can rely on the JavaScript SDK to help you out.
See here: http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus
To your second question, I think you can't, except you might get a workaround if you use the JavaScript SDK mentioned for the first question!
This is how I did it for moviezine.se and it works just fine, but it might be a little irritating to be logged in without asking for it when you come back a few days later. Then there is the use case of the logout: if you are automatically logged in, are you automatically logged out too; and if not, what if your Facebook session is replaced by your girlfriend's one who is also a user on your site! :)