I am integrating Facebook authentication, registration and app requests with our web app, using a combination of the the Javascript SDK (to manage FB buttons, dialogs, client-side API, etc) and the PHP SDK to process signed requests, auto-login facebook-connected users and use the API to process app requests. I have most things working well and the overall workflow is acceptable.
My question is specifically regarding the "email" extended permission and whether I need it to guarantee that the signed request returned during by the registration plugin will contain the user's email.
I am aware of the current limitations of the registration plugin (in that you cannot ask for extended permissions), but I need the email of the Facebook user when they register. This is so that the user can login both with their FB credentials and standard email/password as per non-FB connected users. (Please don't just suggest that I change the registration process to allow users to register without email - this is a hard requirement for several good reasons that I won't go into here).
At the moment, I am attempting to to "shield" the Facebook registration with a login process to force the user to provide the "email" permission before registering. However this is clunky if placed as a pre-step to FB registration, and/or difficult to guarantee that the user will have passed through this step before reaching the FB registration form.
Does anyone know for certain whether the "email" extended permission is actually required to guarantee getting the user's email during the reigstraion? I cannot find any settings in Facebook (for my test users) that would seem to prevent apps getting the email. Does the fact that I have included the email field in the registration form guarantee that I will get it back in the signed request?
Please note that at the moment, we have no other requirements for extended permissions, and as we need them, we plan to ask the user at the point of need.
Any help/confirmation would be appreciated - I have searched, but cannot find the answer to this exact point (although I could of course have missed it!).
You shouldn't need your users to authorise the app before using the registration plugin, the registration plugin exists specifically to avoid apps having to build in their own system for having users authorise an app before their data can be used to prefill a form.
If you use the registration plugin with fb_only specified, and request the email field, you'll receive the user's email address in the signed request callback when they register.
If you allow users to register using the plugin, but without requiring them to use their Facebook data, the email field could contain whatever email address they've entered manually.
The full documentation is at https://developers.facebook.com/docs/plugins/registration/
Related
I am trying to have a custom facebook login page in my react meteor app. For example, I have my custom input fields (username and password) and I am trying to pass username/password values to facebook and validate. I do not want to use meteor account-ui. I found Meteor.loginWithFacebook which only checks to see if user is ALREADY logged in. Can someone help me to understand how I can use my custom username/password fields to get facebook user data?
Answer: That is not doable (or at least, should not be done, even if some workaround or hack exists, which I am unaware of).
What you can do is create your own authentication system, and give the user the option of either filling in the user details themselves, or using facebook login to fetch it from facebook. That ways, you have your own authentication, and also user's facebook profile.
Explanation:
The whole point of having openid (facebook, twitter, gmail, etc authentication) is to make signing up for a website/app convenient and SECURE.
If you use your custom user name and password field, then you can even store them, and that can give you access to user's facebook account. Even if you were not to do that, someone can easily hack into your website and steal the data to get access to your user's facebook account (your application would be way easier to hack into compared to facebook).
Hence, the facebook login api is such that the very sensitive task of accepting user name, password (facebook would never trust anyone else to do that for it), and validation of user is done by facebook, and you are given a token which tells you the user is logged in, and his basic profile (if you ask for it), and you do not have to worry about security, and the user himself feels safe, because he knows he is typing his user name and password in facebook.com, and not in somexyz.com
I am working on a requirement where I need to collate information from a persons social media profile into the application mainly LinkedIn, Facebook, Google and Twitter.
The app has the email ID provided by the user. Assumption is of course that the person uses the same email ID across all the services.
My initial gut feel is that I need to ask the my user to login into my app using their Facebook / Google / Twitter ID and once he is authenticated, the corresponding API can then give their information. However, I am not sure if this approach would be feasible for multiple providers i.e. I need info both from Facebook AND Google+ for example
Alternatively, is it possible to use the API's of any of these Social Media applications to map the email ID I have to a user in those applications and then to get the user's public information?
Also, is anyone aware of any 3rd party products / API's which can help provide this kind of identification? I have heard of Rapleap (www.rapleaf.com) but the profile data provided by them does not seem to have social media related information that I am interested in.
Note : I have never worked on anything related to social media in the past and hence if there is some faux pas in what I am trying to do, please feel free to point out the same.
I'll start by assuming that when you say "email ID" you actually mean "email address" which in turn is the user id for those social media networks
is it possible to use the API's of any of these Social Media applications to map the email ID I have to a user in those applications and then to get the user's public information?
Yes and No. In order to request profile information from of these social media networks (let's called them just "providers") your app will need to request it on behalf of the actual user. That is, the user will need to authenticate itself with these providers through your app. For this to happen, the user will need to provide a minimum amount of information (email and password) and your app will need to authenticate as well...usually through OAuth or a native API by specifying an already issued "App ID" (or Client ID) and an App Secret. This is information you should receive by these providers once you have successfully registered your app with them.
is anyone aware of any 3rd party products / API's which can help provide this kind of identification?
I'm not too sure and this is out of the scope of Stackoverflow...but, do you really need to add another abstraction layer in your project? Another dependency? Consider interacting directly with these providers, you have more benefits
So, basically, your app will have to get the user to supply his/her credentials in order to request this information. In the case of OAuth, your app will never see these credentials because the authentication process happens outside your app, all your app will receive is an access token to request the information that is available within the scope of the access token. By that I mean, you have to request specific permissions. There's a lot of information available on the developer's site of these providers and I'm sure you'll get around it without any problems, but feel free to ask if something is not clear enough.
There's a way to get user information from sites like facebook,google,linkedin,yahoo etc by using their OAuth service. For this you need to develop your application to include OAUth Service from any of these sites and allow the user to log into any of these services and choose what all data they would be interested to share for using your application.
Again, you will have to configure your facebook/etc application to include options for the users to select while logging in.
It really depends on the social media account. Some sites allow you to search by email, but this assumes that the email address you have is the same address the person used for the account. Others do not. What I would do is identify the sites which allow you to search by email, and go to those sites and search. That is the most straightforward way.
I have a web app that has its own user registration, with a handful of users. The only mandatory fields are email, password and username, which must be unique. In the long run, I will still want to have our own registration system.
I would like to integrate Facebook, but I'm trying to figure out if I should integrate Facebook Registration or Facebook Login. I have these questions:
I've already started integrating Facebook Login and it works well. With this, not only can I enable Facebook users to login, but I can get all the information I need to register the user, if he is signing in for the first time via Facebook and has not registered via our site yet. I do not prompt the user for a password, to simplify the registration, however this means that if the user tries to sign in directly into our site, I tell the user that he must sign in via Facebook Login. Therefore, I question the need for Facebook Registration, which seems to be more complicated to integrate than Facebook Login. Can anyone tell me why I should integrate Facebook Registration instead?
The drawback I see with integrating Facebook Login or Facebook Registration into our existing user registration, is the username. I currently copy the user's Facebook username into our database. However, there is the possibility that the user's Facebook username is missing or is a duplicate of an username from one of our existing users, in which case I will have to prompt the user to change it. Then what happens if in the future, the user changes his username on Facebook? Should I change the user's username on our site when he logs in next via Facebook? What is best practices here? Am I correct to assume that if I don't bother changing the user's username on our site, it won't be an issue?
Then there is the possibility that the user's Facebook username is not valid by our requirements. Currently, we require the username to be alphanumeric and underscores only, using this reg expression: /^[\w]*$/ However, Facebook allows periods, but not consecutive special characters and possibly other criteria that I did not detect. This means that I should use the same validity check as Facebook uses. Does anyone know Facebook's reg expression for their usernames?
I am able to show the Facebook user's profile photo with an IMG tag and src= http://graph.facebook.com/facebook.id/picture. Does anyone know how to save the photo onto our server? We use Javascript and PHP.
Thanks for your help!
Hey I'll try to address your points 1 by 1
Facebook Login is merely a means to sign a user in to your site by them connecting via Facebook, as you state, they don't have a password as Facebook handles the auth. However you could redirect them to a specific page after using facebook login and get them to enter a password to use their account without being connected to facebook. The facebook registration plugin is more a tool to get users to register on your registration system (although it does support being your only registration system). It provides convenience by pre-populating a number of fields you might commonly ask for such as name etc. if a user is already logged in to Facebook. You can customise though to ask for additional info. It also means you can supply 1 registration form for your users whether or not they use facebook.
The facebook username should not be missing. Their 'name' field should be the users first and last name which I believe they have to supply. I don't think it can be empty. What I would actually suggest doing, is what I mentioned in point 1. Allow users to connect via facebook, but then prompt them to enter a username either as part of the login flow or after. You can then check this for uniqueness against your current database. To begin with you could assign them a username that is first_last_timestamp or something similar. This would more likely encourage them to change their username to something they want. If you used the registration plugin, you could easily enter your own "username" field into this. Then it doesn't matter if the user changes their name on facebook as they would still have a unique username to your site.
Facebook's usernames should just be a users first and last name (though obviously people do enter random things). The 'name' field is an combination of these so there will most likely be a space between them. You could always replace any invalid characters using your own regex, replace whitespace with underscores etc.
I'm not sure if there are any platform policies that would restrict you from saving the users picture to your own server/DB. What I would ask though is why you would want to? In my experience this is more likely to change then their name is. As such groups of friends using your site are probably more likely to recognise the profile pic that their friends use on facebook.
I would finally say, that the best bit about connecting their Facebook account either way means you can provide a smooth login experience so that a user doesn't have to sign in everytime. My own personal experience is that facebook login (with your own integration code on the success page) is better than the registration plugin. There are fewer steps for a user to connect to your app this way and they don't have to fill out a form. The success callback also means you can still perform the custom username code/flow I mentioned above and then prompt them to change their username if they desire. Just remember it is best to ask for as little info as possible at sign-up as users are more likely to join this way.
Hope this helps!
I'm trying to implement facebook connect to my website, and i have couple questions.
1: Is it possible to register user in my website using his current facebook email/password.
Let's say user clicks on link Register via facebook and then he have to give me permisions to access his password, email, etc... and after that is done i put that info in my own database and he will be able to login with that account any time he wants without needing to give me permisions any time in the future.
2: If that kind of registration is not possible, what's other solution would be the best for me? Because i need to somehow keep track of that user who logged in with facebook, because he can upload photos, send messages etc.
Anyways, i'm quite new with facebook and similar things, so i'm really lost here, hope some one can help me :)
EDIT Thank you all for wonderful answers it helped me a lot, now all that's left is to read documentation :)
Yes it is, it is possible to get the information of the user. But it is rather complicated, when you have never dealt with it.
First you need to send the user to the following link:
https://m.facebook.com/dialog/oauth?client_id=your-client-id&redirect_uri=xxx&scope=listof-information-you-want
Facebook will then return your client to the uri specified, if the user rejected it will give a reason. If it is not you will get an code in urlencoded format.
This code is needed for the following step, the request of the access token:
https://graph.facebook.com/oauth/access_token?redirect_uri=xxx&client_id=xxx&client_secret=xxx&code=xxxx
This will give back an access token, if the authorization didn't fail.
After that you can ask for the information you want:
https://graph.facebook.com/me?method=GET&metadata=true&format=json&access_token=access_token
This will include a facebook uid, which is unique for all users. Store it and you can discern between a register and login.
This is roughly the process for any oauth2 application.
Facebook will not ask repeatedly for permissions after the user granted them to you. So you can store the access token and reuse it for backend stuff and also use the same procedure you use for register for login.
You can never access the user's password from Facebook even with his/her permission, so the user will always have to authenticate via Facebook and have Facebook pass you the user id of the logged in user once authentication succeeds. You can store all kinds of other data locally, but not enough to authenticate the user yourself.
Once the user is authenticated, you'll have access to the user's Facebook user id via the API, which should be enough to connect all kinds of information to that specific user.
Facebook does not provide access to accounts when passwords are taken from your controls. It provides it own canvas for login information. Therefore you cannot use your first approach to store passwords in your databases. Check this out.
You can however store email addresses once user logins into his account using the facebook sdks. Check this out link for the example of C# SDK sample code.
You can use the Facebook APIs to fetch user email-id, photos, friendslist and other information and then play around accordingly.
You don't get access to the users password - only email if you ask for it.
Best way would be to have a table of users and their Facebook account id's.
If you want to allow users to sign up without Facebook then have a nullable field for their password and facebook id, and also have a field for username - which you could populate from Facebook if they register via that route.
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.