Using omniauth to facebook connect existing user with different permissions - facebook

I'm using devise/omniauth to do facebook authentication and works great. However, I would like to add a flow where an existing (non-facebook) user has ability to connect his account with facebook. This would require different facebook permissions. so i can't seem to find two things
how to use devise/omniauth to request facebook connect without logging out current user
request different extended permissions from user (different from those specified in the devise configuration file)
any ideas? thanks

Answer to 1 is pretty easy: just add a if path into the omniauth_callbacks_controller::process_callback method like this
# If a user is signed in then he is trying to link a new account
if user_signed_in?
if authentication.persisted? # This was a linking operation so send back the user to the account edit page
flash[:success] = I18n.t "controllers.omniauth_callbacks.process_callback.success.link_account",
:provider => registration_hash[:provider].capitalize,
:account => registration_hash[:email]
else
flash[:error] = I18n.t "controllers.omniauth_callbacks.process_callback.error.link_account",
:provider => registration_hash[:provider].capitalize,
:account => registration_hash[:email],
:errors =>authentication.errors
end
redirect_to edit_user_account_path(current_user)
This is what I do in my application and it works fine.
Regarding question 2 I do not know how to support 2 different facebook authentication configurations however I have hard time seeing how that is useful to users since they need a consistent experience across both path: "sign in using facebook" and "link your account to facebook".
(If you still want to pursue this path one idea I would explore is to create a new facebook application with its independent keys and configuration...)
Hope this help.

One simple way to implement multi-tier permissions is to use Facebook Javascript SDK(in addition to omniauth, if you want). You can simply specify different "scope" parameter, which specifies permissions required, at each call you want. What I'm doing is making omniauth provide a basic set of permissions, then, after the user has connected through omniauth(and thus stored their data in our DB), if further permissions are needed, we show them JS-based buttons which provide expanded sets of permissions. If you want to check what particular permissions a user has granted to you, you can simply use me/permissions API call.

Related

SSO for DNN websites

My requirement is this:
I have a DNN website www.websiteA.com.
I want to build www.websiteB.com and www.websiteC.com on the same DNN installation. www.websiteB.com and www.websiteC.com should allow users of www.websiteA.com to login with the same username and password.
When a user logs in to www.websiteA.com, and then navigates to www.websiteB.com or www.websiteC.com, they shouldn’t have to login again as they are already logged in to the main website.
I found modules that will let me share users between these websites, such that they can login to any of the three websites using the same credentials.
However, I cannot find a way to login a user to all websites simultaneously, so that the user does not have to login again.
I would prefer to do this without modifying the DNN source too much. Since all three websites are on the same DNN installation, I was hoping there would be a way to share authentication cookies, but I haven't found any yet.
Can anyone provide me more direction in this matter? Thanks!
I did this exact thing for two clients using the Site Groups feature but it required the caveat as in the above comments. You must use a child aliases for your other portals so that they are all on the same domain. That is key so that the user's session cookie can be used across portals.
So this is how I setup the portal aliases:
websiteA = portal 0, alias websiteA.com (Primary)
websiteB = portal 1, alias websiteA.com/b (Primary) and alias websiteB.com redirect alias
websiteC = portal 2, alias websiteA.com/c (Primary) and alias websiteC.com redirect alias
The Site Groups user interface to manage the groups is an Evoq feature, but the backend is a core platform structure.
Here is how you would configure it without the UI in DNN Community:
Create a record in PortalGroups table:
MasterPortalID = 0, PortalGroupName = 'WebsiteA Group', AuthenticationDomain = 'websiteA.com'
Now update the PortalGroupID field in the Portals table:
WHERE PortalID = 0, SET PortalGroupID = -1
WHERE PortalID = 1, SET PortalGroupID = 1 (assuming the new PortalGroupID you added was 1)
WHERE PortalID = 2, SET PortalGroupID = 1
Another thing you could do is write your own custom DNN Authentication Provider (http://www.dnnsoftware.com/community-blog/cid/134678/dotnetnuke-tips-and-tricks-12-creating-your-own-authentication-provider).
Then, just have the authentication provider check an authentication cookie on the user's system. If the cookie is valid (and not expired), you can automatically log them in. Otherwise, redirect them to the main login screen. I did this, but the other site was a Java based dashboard.

How to use new enhanced sessions in Parse with users created on cloud code?

I was trying out the new enhanced revocable sessions in Parse on my Android app. It works well when logging in or signing up via email password or facebook but doesn't work well for custom authentication, e.g. google+.
I'm currently logging in the user using the cloud code which also creates the new user when signing up. This does not create a new Session object, that means the new enhanced sessions are not used and it still uses the legacy sessions.
I pass the session token back to client where using the become method the user logs in but it's the legacy sessions.
This feels like the feature is not complete but I would really like to move to the new enhanced sessions with my app. Has anyone worked with them yet? Are there any workarounds using the REST API or by creating the sessions manually and handling them manually? I looked into the JS API but it says it's only read only.
Here's the Blog post on Enhanced Sessions.
Where should I go next?
Yes, I found a solution but it's a workaround, works for my case because I don't support signing up with user/password.
Basically, the solution (cloud code) in semi pseudo-code is:
Fetch the user with master key
Check if user.getSessionToken() has value
if it has, return the session token and do a user.become() in the client as usual
if it's not, here the workaround, do the following:
yourPreviousPromiseInOrderToChainThem.then(function(user)
password = new Buffer(24);
_.times(24, function(i) {
password.set(i, _.random(0, 255));
});
password = password.toString('base64')
user.setPassword(password);
return user.save();
}).then(function(user) {
return Parse.User.logIn(user.get('username'), password)
}).then(function(user) {
var sessionToken = user.getSessionToken();
// Return the session token to the client as you've been doing with legacy sessions
})
That means, I'm changing the user password each time in order to make a remote login and, of course, I know thist can't be applied to all cases, it's enough for app because I don't support login with user/password (only third party logins) but I understand that maybe it's not for all cases.
I got the idea from this official Parse example.
I don't like this solution because I think is not a workaround, it's a mega hack but I think there is no other way to do it currently (either Parse.com or Parse-Server)
If you find other workaround, please, share it :)

GitHub OAuth in lua

I am working on a library in LUA for an ipad app called Codea. I'm trying to figure out to use OAuth for GitHub Gists. Only part that i can not figure out is how to get an Auth token via code. I used curl in terminal to get myself a token but this seems to be to much work for other users.
I've read through the github api docs multiple times but I cant figure out how to get a Token programmatically. I've tried to duplicate the method I've used to GET and POST gists but it does not seem to work. I'm not sure how to pass the username and password.
I'm creating a table with the needed params then encoding it in json. Everything I try gets a 404 error or 500 error. Thank you all in advance.
local url = "https://api.github.com/authorizations"
local d = {}
d.scopes = {"gist"}
d.note = "AutoGist Codea"
projectAuth = json.encode(d)
opts = { data = projectAuth }
opts.method = "POST"
opts.headers = {Authorization = "basic " .."username:password"}
http.request(url,successCallback,failedCallback,opts)
Scopes are coming, but only in Q4 2013.
See "OAuth changes coming" (October 2013, by Tim Cleam - tclem):
Starting today, we are returning granted scopes as part of the access_token response.
For example, if you are making a POST with the application/json mime-type you’ll see an additional field for the granted scopes.
{
"access_token":"e72e16c7e42f292c6912e7710c838347ae178b4a",
"scope":"repo,gist",
"token_type":"bearer"
}
Right now, these scopes will be identical to what you requested, but we are moving towards a feature set that will allow GitHub users to edit their scopes, effectively granting your application less access than you originally requested.
You should be aware of this possibility and adjust your application behavior accordingly.
Some things to watch out for and keep in mind:
Most third party applications using GitHub OAuth to identify users have the best success in adoption by starting out with a request for the minimum access that the application can possibly get away with.
Something like no scopes or just user:email is very sane.
It is important to handle the error cases where a users chooses to grant you less access than you originally requested.
Now that we are surfacing the granted scopes on the access_token response, applications can warn or otherwise communicate with their users that they will see reduced functionality or be unable to perform some actions.
Applications can always send users back through the flow again to get additional permission, but don’t forget that users can always say no.

How to have users 'reconnect' with soundcloud on each page reload?

I'm using the Javascript SDK inside a node.js (Express) App.
Connecting Users works fine, but the connection does not persist between page reloads.
Is this the default behaviour, or is the User supposed to stay connected in new requests?
Do I have to use OAuth token authentication and if so, how can this be done with the JS-SDK?
Inside the "Permission"-Popup, Users are already logged in with soundlcoud, though.
(just have to click the "connect" button each time)
Figured I'd share my answer for those who are unsatisfied with the current answers for automated oauth:
Retrieving access_token:
I had to define get and set cookie functions and then I use the functions to set and retrieve a function holding the access token. I'm not going to give these functions for conciseness but you can easily find them with a google search. I then use this line of code to get the SC access token (once the user has authenticated for the first time)
SC.accessToken()
Setting token:
So this is kind of just an elephant in the room in my opinion that for some reason no one has mentioned. How in the **** do you connect w/ SC using the access token? Do you set it as oauth param? On each call pass it? Well, after experimenting with putting the parameter in every single place I could think, I found out you have to do something like this:
SC.initialize({
client_id: '[removed for security reasons]',
client_secret: '[removed for security reasons]',
redirect_uri: '[removed for security reasons]',
access_token: getCookie("sc_lm2"),
scope: 'non-expiring'
});
//Where "sc_lm2" is the name of my cookie
Hope the helps! Took me a while to figure this out for such a simple thing
EDIT
Using PHP and Wordpress:
$json = wp_remote_get("http://api.soundcloud.com/users/[user_id]/tracks.json?client_id=[client_id]");
$soundcloudData = json_decode($json['body'],true);
(substitue cURL functionality if you're not using Wordpress). #krafty I assume you would just change the endpoint from "/tracks" to "/users" but I can't say I have ever really needed to grab anything but tracks using the Soundcloud API. Hope this helps, though I'm not sure I fully understand what it is that you are trying to accomplish (or rather, how exactly you're going about it) - are you trying to allow user logins? If you want to explain fully what you're trying to accomplish and the steps you're taking I'd be happy to take a crack at it.
Yep, this is the way to do it, officially. :)
For the Next SoundCloud site, we store the token in localStorage (until the user logs out, of course). In each AJAX request to the API from the front end, we put the oauth token in a request header:
jqXHR.setRequestHeader('Authorization', 'OAuth ' + the_oauth_token);

Friends_interests/likes/etc return as blank from Facebook Graph API

I've been messing around with the graph API and have been able to access my own information just fine. However, when I attempt something like:
https://graph.facebook.com/999999/likes?access_token=xxx (where 999999 is a friend's ID)
I get a blank graph like so:
{
"data": [
]
}
Keep in mind I'm doing this all manually for the time being. This is the URL I used to request permission from my profile:
https://www.facebook.com/dialog/oauth?client_id=xxx&redirect_uri=http://www.google.com&scope=email,read_stream,offline_access,user_likes,friends_likes
It all works hunky-dory and I get my access code, yet I still receive the blank graph. Suggestions?
Thanks.
Have you tried multiple friends? Your friends can configure what information third party applications can have access to, of theirs. For example I could limit applications that you use to not see anything about me, if we were friends.
Also you could check in account --> privacy --> settings --> applications and see if your application in fact has the permissions you think you granted it as a user.
-Kevin
I agree with kevin. You need to request permissions first to get at the info and you also need to be prepared that you will get a blank list.
I suggest that you use an already built api as it will save you a lot of time. I've recently released one here that should get you going in no time at all.
The code looks like this:
Dim FB As New SessionInfo("[access_token]")
Dim Req = New Functions.Requests(FB)
Dim U = Req.GetUserInfo("[userid for friend]")
Response.Write(U.name)
Also you can get a list of friends by calling this
Dim FL = Req.GetFriends()
For Each F In FL
Response.Write(F.name)
Next
I have come to notice that even though an application can request (and be granted) certain permissions, e.g. to access Likes, it doesn't necessarily mean that an application will be able to access this information.
I'm not a 100% certain of this but there might be two instances where e.g. requesting a users Likes results in an empty data set even though the right permissions where requested and granted by the user:
The user has set custom permissions in his/her privacy settings
not make public the information (e.g. Likes). Basically, customized
permission settings overrule the granted permissions that an
application requested.
The user is under 18. https://www.facebook.com/help/?page=214189648617074