I am using Facebook c# SDK to authenticate user (successfully). But I want also to use FB.ui JS methods on client. Is there any way to "reuse" already received access_token from c# SDK in Facebook JS SDK? I don't want to call FB.Login because I've already authenticated user on server side.
Just put the access_token string to a hidden field and get the value through javascript and pass it to the JS API Methods.
FB.getLoginStatus(function(response) {
if (response.authResponse) {
fbUserId = response.authResponse.userID;
token = response.authResponse.accessToken;
} else {
fbUserId = 0;
}
});
you will get access token
Related
i'm facebook js sdk for users login,
at the server side i want to get the user data
i'm trying to use
Socialite::with('facebook')->user()
to make it work it need 2 query string code and status
in my JavaScript i'm using the following
var auth_status_change = function(response) {
console.log(response);
if(response.status == "connected")
{
window.location = "{{URL::to(App::getLocale()."/fb_login")}}?code="+??+"&state="+???;
}
}
FB.Event.subscribe('auth.statusChange', auth_status_change);
how to get the state and code values to create a valid callback URL for socialite
You're trying to combine 2 things that do the same thing, but one on the server side and one on the client side, that won't work.
Laravel Socialite uses your app token to redirect your user to Facebook, authorize your app to use Facebook on their behalf (token) and provides you with user data. With the token you can do API calls from Laravel.
The Facebook JS SDK does the same thing, but in the browser. It fetches a token which it uses to do API calls.
Check out https://laracasts.com/series/whats-new-in-laravel-5/episodes/9 on how Socialite works.
Unless you are using the JS SDK functionality, you can leave it out and just add a link to a socialite route which redirects it to Facebook. That call will provide you with the code and state required to fetch the user.
I have doubts about security of my process of authentication oauth with facebook..
I use login for web with javascript sdk with fb button:
I get an Access Token successfully and pass it to server(calling check_facebook_session.php) to make API call to Facebook Provider..
In the following code there is also the log in console of access token.
Everything works!!! on the server I use the php sdk to call the API REST with APPID, APPSECRET and ACCESS_TOKEN:
**
Now my question, have I a security problem?
Is a bad idea to pass the token to the server?
The token that is visible on the client can be used WITHOUT APP SECRET to get information about the user logged?
**
Note: Google+ Sign-In for server-side apps Implementing the one-time-code flow with step:
- Include the Google+ script on your page.
- Add the sign-in button to your page.
- Sign in the user.
- Send the authorization code to the server.
as explained in: https://developers.google.com/+/web/signin/server-side-flow
Unlike facebook google in the js client return a CODE, not an ACCES TOKEN and the server receive and use it to request ACCESS TOKEN.
Thanks..
Following is the javascript code for facebook:
window.fbAsyncInit = function() {
FB.init({
appId : FACEBOOK_APP_ID, // App ID
status : true, // check login status
cookie : false, // enable/disable cookies to allow the server to access the session
xfbml : true // parse XFBML
});
FB.Event.subscribe('auth.authResponseChange', function(response)
{
if (response.status === 'connected')
{
var accessToken = FB.getAuthResponse()['accessToken'];
console.log(accessToken);
$.ajax({
type: 'POST',
url: check_facebook_session.php,
contentType: 'application/x-www-form-urlencoded; charset=utf-8',
processData: false,
data: 'token=' + accessToken,
success: function(result)
{
if(result == 'SUCCESS'){window.location.href = fb_callback_url}
},
error: function(xhr)
{
alert('Request Status: ' + xhr.status + ' Status Text: ' + xhr.statusText + ' ' + xhr.responseText);
}
});
}
else if (response.status === 'not_authorized')
{
FB.login();
}
else
{
FB.login();
}
});
};
// Load the SDK asynchronously
.......
}(document));
I did some testing and came to the conclusions that I hope can be useful.
In Facebook SDK for JavaScript it automatically handles access token storage and tracking of login status, so apps using it do not need to create their own mechanisms for doing so, and can proceed to making API calls.
The system seems safe because I believe that the callback url of the call is the site that host the page and configured between those of the facebook application, so I can change the application id in the javascript code but the sdk response with error message and get the user's token pretending to be another application. This was already obvious to those who know the flow :-)
Passes the token to the server is definitely a bad idea because it can be snorted and used by simply calling https://graph.facebook.com/me?access_token=... to get user information, In the different flow of google the token is not passed but is passed the code necessary to obtain it.
The best solution to use advantage of client and server is it:
Used in conjunction with the Facebook SDK for JavaScript,
the PHP SDK can share user sessions seamlessly across the client and server.
If people are logged in with Facebook and have authorized your app,
the JavaScript SDK can pick up the user session and persist this in a cookie,
which the PHP SDK reads without any intervention on the developer's part.
To enable this functionality, ensure that when you embed and initialize the JS SDK,
you set both the status and the cookie parameters of the object passed to FB.init() to true.
Regards..
i think it is secure because the user's data is only returned with connected status after user authentication with facebook.
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
I have followed Facebook example on getting access token by using $fb->getJavaScriptHelper();
https://developers.facebook.com/docs/php/howto/example_access_token_from_javascript
$helper = $fb->getJavaScriptHelper();
$accessToken = $helper->getAccessToken();
echo $accessToken->getValue();
P.S. Add try{} catch() {} blocks, as in Facebook example for error handling.
in my site i Login using facebook js sdk, ( I tried the example in facebook page), but how can i tell the server that this user is authenticated ?.
I tried using ajax to post to the server .
but this seems unsecure !.
My question is the authentication process can be donr using only JS sdk ?
If the authentication process cannot be done using Js ,
what about facebook c# sdk or other unofficial facebook c# sdk.
FB.login(function(response) {
if (response.authResponse) {
console.log('Welcome! Fetching your information.... ');
FB.api('/me', function(response) {
console.log('Good to see you, ' + response.name + '.');
// POST TO SERVER AND TELL HIM THAT THE USER IS AUTHENTICATED NOW
});
} else {
console.log('User cancelled login or did not fully authorize.');
}
});
The JS SDK can set a cookie on login, that you can read out server-side. If you do another call to /me there, then you can be relatively sure everything’s OK.
Is there any fb tag i can use to wrap around my html anchor tag so that if the user isn't logged in, they will get prompted to login before getting access to the link?
I'm using python/django in backend.
Thanks,
David
You simply need an if statement to check whether a facebook session exist or not. If not redirect them to the login page.
-Roozbeh
First I think you must create a Facebook App.
Second: if you are programming in PHP, you should use the PHP SDK.
See: https://developers.facebook.com/docs/reference/php/
Third: Use getUser method:
https://developers.facebook.com/docs/reference/php/facebook-getUser/
I'm almost sure that getUser will return 0 if the user has not accepted your app, so IMO it's not the best method to find the user connection status on Facebook.
Also, getLoginStatusUrl could help, with this function you could make redirections based on the user status on Facebook, and think of a mechanism to show or not the contents based on parameters and session variables (it's an idea).
See: https://developers.facebook.com/docs/reference/php/facebook-getLoginStatusUrl/
Hope that helps.
Using the JavaScript API you'll want to use FB.getLoginStatus to wrap around the anchor tag. See https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
Example from that page:
FB.getLoginStatus(function(response) {
if (response.status === 'connected') {
// the user is logged in and connected to your
// app, and response.authResponse supplies
// the user's ID, a valid access token, a signed
// request, and the time the access token
// and signed request each expire
var uid = response.authResponse.userID;
var accessToken = response.authResponse.accessToken;
} else if (response.status === 'not_authorized') {
// the user is logged in to Facebook,
//but not connected to the app
} else {
// the user isn't even logged in to Facebook.
}
});
Note: I would simply make this call up front and set my own JS variable boolean on the response so I didn't have to use the FB API call again. Then wrap any dependent code with a simple JS boolean test.
I am trying to get the access_token of the logged in facebook user.
I get something like this.. url followed by the code i am retrieve the code..
it says in the guide to exchange it for access_token...
https://graph.facebook.com/oauth/access_token?
client_id=XXXXXXXXXXXXXX&
redirect_uri=http://www.my-site.com/&
client_secret=XXXXXXXXXXXXXXXXXXXXX&
code=2.hJFWoMlLf3tLOSos_qNCBg__.3600.1279836000-10000100XXXXXXX|kGwPB4y5K_-ijD9_1CfjSpT-oaY..
How i can exchange it for a access_token using what FB.api or jquery or javascript..
When i plug this url in the address bar.. i am able to see access_token..
I appreciate if somebody can tell me how to retrieve the access_token using javascript or jquery.
Thanks.
According to Facebook, and my personal experiences with the api, the FB.getSession() function is deprecated and should throw an exception if called.
From facebook:
The FB.getAuthResponse method is a replacement for the FB.getSession method which was deprecated after the migration to OAuth 2.0.
Instead you should use the getLoginStatus callback -
FB.getLoginStatus(function(response) {
var token = response.authResponse.accessToken;
});
//Example structure of response object
var eg =
{
status: 'connected',
authResponse: {
accessToken: '...',
expiresIn:'...',
signedRequest:'...',
userID:'...'
}
};
source: http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
If you are using the JavaScript SDK, then after logging in the user, getting the access token in your JavaScript code is as simple as:
FB.getSession().access_token
However, getSession may return null if a user is logged out, so the proper way is to first check for null before accessing the token.
var session = FB.getSession();
if(session != null) { // user is still logged in
console.log(session.access_token);
}