I'm using the outlook calendar rest api from Salesforce. To continuously leverage the calendar API I need to get authorisation code, access and refresh token.
I have been able to get the Authorisation code by hitting the API. How to get the access token using development code to use the outlook calendar rest API.
Please find the list of AAD authentication libraries here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-libraries
I found this tutorial in Python very helpful for getting access codes:
This tutorial uses Microsoft Graph (which covers several Microsoft products including Microsoft Outlook) rather than the outlook REST API (which covers just Outlook).
https://learn.microsoft.com/en-us/outlook/rest/python-tutorial
At first, I thought setting up a Django server was overkill. Then I realized that I wanted a way for my Python instance to capture the access code after going through single-sign-on. (I MUST use my browser for single-sign-on because my institution uses multi-factor authentation.) Having a Django server is a natural way to do this.
So I created a new PyCharm Django project (which is straight-forward in PyCharm) and began following the tutorial.
I found it essential to continue following the tutorial all the way through displaying my emails to avoid getting authentication errors -- deviate from the tutorial, and I got error messages (such as this one) that were unpenetrable.
I have a Facebook canvas app. I am using the JS SDK to authenticate the user on the browser-side and request various information via FB.api (e.g. name, friends, etc.).
I also want to persist some additional user information (not held on Facebook) to the database on my server by making an ajax call:
{ userFavouriteColour: "Red" }
To save this on the server and associate with the correct user, I need to know the Facebook uid and this presents a problem. How do I pass the uid from the client to the server.
Option 1: Add uid to the ajax request:
{ uid: "1234567890",
userFavouriteColour: "Red" }
This is obviously no good. It would be trivial for anyone to make an ajax request to my web service using someone else's Facebook Id and change their favourite colour.
Option 2: On the server, extract the uid from a cookie:
Is this even possible? I have read that Facebook sets a cookie containing the uid and access token but do I have access to this cookie on my domain? More importantly, can I securely extract the uid form the cookie or is this open to spoofing just like option 1.
Option 3: User server-side authentication on the server:
I could use the server-side authentication to validate the user identity on my server. But will this work if I am already using client-side authentication on the browser? Will I end up with two different access tokens? I would like to make FB.api requests from the browser so I need the access token on the client (not just on the server).
This must be a very common scenario so I think I'm missing something fundamental. I have read a lot of the Facebook documentation (various authentication flows, access tokens, signed_request, etc.) and many posts on SO, but I still don't understand how client-side authentication and server-side authentication play nicely together.
In short, I want to know the user's identity on the server but still make requests to the Facebook api from the client browser?
(I am using ASP.NET and the Facebook C# SDK on the server)
EDIT: Added bounty. I was hoping to get a more deifnitive, official recommendation on how to handle this situation, or even an example. As said, I have already read a lot of the official FB docs on authentication flows but I still can't find anything definitive on how client-side and server-side authentication work together.
Option 1:
The easiest way I can think of is to include the accessToken in JS and pass it with the ajax call.
Option 2:
Using the same as option 1, but instead of sending just the accessToken, send the signedRequest.
On the server side you can decode it using (TryParseSignedRequest method) which will give you the UserID :-)
Note: signedRequest is encrypted with the application Secret. you are the only one who should know it, so you are safe on that end.
Disclaimer:
I have no coding experience in C#, but a little search in google gave me this:
Facebook C# SDK for ASP.NET
Making AJAX Requests with the Facebook C# SDK
It's very simple actually.
When the user loads you app use the server side authentication, get the access token and load the user data by issuing an api request from the server.
On the server side you'll have everything you need and it's sandboxed.
When the page renders for the user, using the js sdk get the user authentication data, you should be able to use FB.getLoginStatus since the user already went through the server side authentication.
Now on the client side you also have an access token which you can use to get the user data from the graph api.
The two tokens will be different, and will also have different expiration, but that should not be a problem, both token should work properly as you'd expect them to.
Since both sides have their own token and a way to make requests to the api, there's no need to send any fb data between them.
So the 3rd option you mentioned, to me, sounds the best, and it's really simple to implement that too.
Edit
All facebook SDKs are just wrappers for http request since the entire fb api is made on http requests.
The SDKs just give you easy and shorter access to the data with out the need to build the url yourself (with all the different possible parameters), make the request and parse the response.
To be completely honest, I think that stop providing a way for the C# SDK to support server side authentication is a very bad decision.
What's the point in providing a SDK which does not implement the entire api?
The best answer to your question, from my experience, is to use both server and client side authentication, and since the C# SDK does not support it, my advice to you is to create your own SDK.
It's not complicated at all, I already implemented it for python and java (twice), and since you'll be developing it for your own needs it can be tailored for your exact needs, unlike a public SDK which should support all possible options.
2nd Edit
There's no need to create a completely new SDK, you can just "extend" the ones you're using and add the missing parts that you need, like sever side authentication support.
I don't know if it's language specific but using both server-side and client-side authentication does no harm.
You can work on option 2 but yes, that will be also vulnerable to spoofing.
Doing option 3, you will be having a single access token for that user session, so that would be the best choice according to me since you always have chance of spoofing when passing user information from client side.
I had exactly the same question recently. It's option 2. Check this post from the Facebook blog.
To be honest I am not enough of a hacker to know if you could spoof the UID in the cookie, but this seems to be the 'official' way to do it.
EDIT: to the other question under option 2, yes, I believe you have to access this cookie on your domain.
I am a php developer. I created an application using fbml(non iframe) and didn't check roadmap regularly.
Today I received an email saying update to OAuth 2.0 and HTTPS by October 1st or the apps may be disabled.
I went through the documentation but could not get what exactly I am supposed to do.
From what I understood.
for https
we need to enable or buy ssl for our site and make https://example.com/facebookapps_folder/ accessible and fill the new url in Secure Canvas URL
Is that right?
I am confused about OAuth 2.0.For this do we need to change the whole code and libraries we are referring to.
Where can I get how do I change it.
I see some php examples but could not find clue what needs to be changed?
I think it is way authentication is being done, but I do I do that.
If I fail to do it immediately(as only 3 days left) is that any way I can save my application being disabled?
Make sure you have implemented Oauth2.0 for authentication .. Also you will need an SSL certificate for your app to support https:// protocol
I'm trying to get a FacebookLoginTest running.
Problem is: the Symfony2 client does not send real HTTP requests, so it does not work on URLs of other services (like facebook).
I know I could work with cUrl,... but I see so many obstacles there: session, javascript, redirects.
Any ideas how we could get this running? Anyone got a automatic oAuth test running?
Your best bet might be Goutte https://github.com/fabpot/Goutte which is a wrapper around the Sf2 components you're using combined with an HTTP client. Good luck!
curl should work just fine for this, and while it doesn't support javascript, you won't need js support for what you're trying to accomplish.
I digged much into internet, but being newbie, couldn't do much.
I have summed up the following :
Facebook Chat can be used via two Authentication (via Facebook Chat API official documentation) :
1> X-FACEBOOK-PLATFORM
2> DIGEST-MD5
1> X-FACEBOOK-PLATFORM Method has very less documentation, none being official, closest using pyfacebook & pyxmpp (The official facebook chat api page has a reference at the end). Implementing the both to GAE is another headache, apart from the debug problems suffered hence. The creation of apps and using its ID as stated in some resources is not a problem though. I found a nice GAE walkthrough of pyfacebook on riccomini.name/Topics/Web/GoogleAppEngine/FacebookConnect/
2> DIGEST-MD5 is the common method of username - password which can be carries out by any xmpp client. So i though i could use a XMPP python client library like xmpppy which suited me best (as i don't need advanced functions)
Coming staraight to my question : is my inference correct? I am thinking to proceed via Method 2 (Im well aware of the security risks involved in MD5 crypting of password, please don't remind me of that). I could find no refence of using xmpppy with GAE, so am I proceeding correct?
Could anyone provide me a reference of xmpppy used along with GAE ??
(I'm sorry if i was unclear. Cant help, i am no silicon valley engineer but a simple student of age 15yrs)
You can't connect to external XMPP servers using App Engine, so if Facebook requires it for chat integration, this isn't possible.
GAE has a built in XMPP service. Perhaps you can use that instead of xmpppy.
http://code.google.com/appengine/docs/python/xmpp/overview.html
You should have a look into XEP-206 (XMPP Over BOSH) for connecting to XMPP through HTTP-protocol. http://xmpp.org/extensions/xep-0206.html
I don't know if FaceBook supports BOSH though.
You need c2s-protocol to talk to FaceBook, as the s2s-protocol (federation) is not implemented by FaceBook.