On a rich media banner, which obviously would appear on several different sites, is it possible to access a user's facebook information such as their photos?
The user would need to grant permission to the banner -- not sure if that's possible though.
There is some Facebook information that is publicly accessible to "anonymous" applications (i.e. unauthenticated/unauthorized). These include but are not limited to name and profile picture. It really depends on how public a user's profile is. However, I'm not sure you can get whatever the currently viewing user's info is. That's typically gotten by making an API request to /me which requires being authenticated.
However, if you're authenticated by the user, you can use whatever information they've granted you access to (specified by you during the OAuth process).
Related
I'm using Facebook as a social identity provider, in order to authenticate users of my system. I don't want anything else from Facebook, other than the identity of the user (e.g. the user's Facebook id).
I'm making a passive request to https://www.facebook.com/dialog/oauth?client_id={app-id}&redirect_uri={redirect-uri}&scope=public_profile - more details here: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow (see section: invoking the login dialog).
There are several scope options, listed here: https://developers.facebook.com/docs/facebook-login/permissions#reference-public_profile
My problem is that there doesn't seem to be a scope that limits the access to just the user's Facebook id. This means that when the user first federates, Facebook presents them with a worrying message about all the additional info my app will have access to (see screenshot below). This doesn't work for me, I just need the user's Facebook id - I don't want to ask the user for all this additional stuff. Is it possible to restrict the scope down to just the user's id?
If you ask an user to authenticate your app, the minimum that your app always asks for is the public_profile. You can't get any information fewer than that.
You can read more on the permission here: https://developers.facebook.com/docs/facebook-login/permissions
Update: It appears that when there's no API or token, software seems to simply ask the user for their account credentials, and probably has to store this information. I guess it can't be a huge security risk, since people are willing to share this information with apps like Mint:
So, my conclusion is that it is OK to ask users for credentials to other services if they can be secured safely and the user desires the service provided.
Many, many apps use others apps such as Facebook in order to get data from it, usually to verify the user is real and to get relevant profile data (e.g. a dating app would want age, gender, etc.).
When using such an app, I do not have to enter in my Facebook credentials. The app simply opens up my Facebook/asks for permission to access it, and voila it's done.
There seems to be a lot of documentation for well known companies like Facebook, Twitter, and PayPal on how to do this.
But how is it done for an arbitrary website that requires a user/profile, e.g. this website: http://ae.com/web/index.jsp
Unsurprisingly, if I google for FaceBook, there's a heap of resources, and even it's own dedicated tag (https://developers.facebook.com/docs/facebook-login/access-tokens).
However, if I start googling for American Eagle, e.g. "https://www.google.com/search?client=safari&rls=en&q=american+eagle+access+token&ie=UTF-8&oe=UTF-8", I get nothing relevant at all.
If I understand your question right, that you want to enable facebook login for your website,
you still need to create a facebook app. then use the access tokens in your website. so when user clicks on login with facebook, the app will be asking for permissions and finally you will get the access token and you can use that in your site to log in.
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.
Is Facebook graph API enough secure to store and retrieve data? Apparently, it's quite easy to access information of some unknown person with appropriate query. I would like to know is there any security threat of making personal information public? If anyone has any idea please share.
All depends on the permission.Here is the link for facebook app permission.
Permissions
It works.
Thanks
user has to give you permissions first before you're allowed to access his private informations.
To store data -> what do you mean? It's not storage engine
To retreive data -> PHP sdk uses https protocol so yes, it's secured
The only information you can get from the graph is public info, or content which you have a valid access token for.
If you have stored a user's Facebook ID, you can still only access their information when you have a valid access token. That could either be obtained by having the user authenticate with Facebook, or by requesting the offline_access permission from the user. With offline_access, the life of the access token is dramatically extended, meaning that you can make API calls on the users behalf while they are offline, but you can still only perform actions that the user has granted permission for.
Whether you should make your personal information public on social networks and what security ramifications sharing your personal information has is a whole other discussion, and not really suited to this site.
As long as you have the permission from the user to access his profile, you can view all the information which USER WANTS you to see.
I'm using facebook connect to allow the visitors login to a website using their facebook account.
The only information needed is that the user id and name.
However the facebook connect dialog states that my app will access all the users friends, photos...
How can I configure my facebook application to not request those data?
The quick answer, you can't. The dialog states that you have the ability to access the user's information. Whether you access it or not is up to you, but the ability to is always there. There is a base level of access granted to all apps. You can prompt for extended permissions, but you can't customize the base level.
This may change going forward with OpenGraph. There are still features Facebook is adding, and some existing, undocumented features.