I'm struggling with something that should be really easy I think. I have a authentication system on my page built with zend_auth.
It all works flawlessly, but now I wanted to give users the opportunity to log in with twitter.
I've been able to build the whole oauth authentication process, and after a successful twitter authentication I can get the twitter username from twitter.
After that, I do a lookup in my user table, and find the user with that twitter name (I have a column for it in my database).
Now I have the user_id of the logged in user, but how do I get zend_auth to know that that user is logged in? I have a role based rights system stored in the database, so the zend_auth_storage needs to know the ID of the logged in user.
You have to write the user row in the storage yourself .
Zend_Auth::getInstance()->getStorage()->write($userRow);
$userRow can be different in your case its basically the data which get stored in session once user gets logged in generally its a single row in users table (minus the password column for security reasons)
Related
I am trying to have a custom facebook login page in my react meteor app. For example, I have my custom input fields (username and password) and I am trying to pass username/password values to facebook and validate. I do not want to use meteor account-ui. I found Meteor.loginWithFacebook which only checks to see if user is ALREADY logged in. Can someone help me to understand how I can use my custom username/password fields to get facebook user data?
Answer: That is not doable (or at least, should not be done, even if some workaround or hack exists, which I am unaware of).
What you can do is create your own authentication system, and give the user the option of either filling in the user details themselves, or using facebook login to fetch it from facebook. That ways, you have your own authentication, and also user's facebook profile.
Explanation:
The whole point of having openid (facebook, twitter, gmail, etc authentication) is to make signing up for a website/app convenient and SECURE.
If you use your custom user name and password field, then you can even store them, and that can give you access to user's facebook account. Even if you were not to do that, someone can easily hack into your website and steal the data to get access to your user's facebook account (your application would be way easier to hack into compared to facebook).
Hence, the facebook login api is such that the very sensitive task of accepting user name, password (facebook would never trust anyone else to do that for it), and validation of user is done by facebook, and you are given a token which tells you the user is logged in, and his basic profile (if you ask for it), and you do not have to worry about security, and the user himself feels safe, because he knows he is typing his user name and password in facebook.com, and not in somexyz.com
How does my website know when users are logging in with their facebook account for the first time - so that if they arent registered with me i can then create the same.
I think to know the first time user logs in with facebook would have to be controlled on your side.
You'll want to build some sort of logic to store the user's FB info like FB UID and email perhaps, in your DB when they login through FB. Additionally, you'll want to do a lookup for the user's UID and email in your DB on each time the user logs in through FB.
You might also want to consider if the user ever decides to "disconnect" their account from FB / revoke access to your app through FB. In this case, you'll want to remove their UID and email from the DB since they've chosen to revoke access.
If they decide to come back, then treat them as a new user and repeat the steps above.
A majority of your code will be checking the response from FB.getLoginStatus https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
You can experiment with FB.Event.Subscribe and 'auth.authResponseChange'.
Check the documentation
I'm using the Facebook PHP API to allow logins into my website. I am also allowing people to login/register using a built in form in my software incase they don't want to use their Facebook account.
I have this all working fine, my only issue is how do I attach the Facebook account to their account in my MySQL Database?
So for example Joe Bloggs wants to create an account on my website. Rather than filling in a form, he decides to login via Facebook. He does so. After he logs in via Facebook, it returns him to a page on my website where he can fill in the rest of his account details. It then saves his account and he is free to sue the website.
My issue is after he logs in with Facebook, creates and saves his account in the MySQL Database, how do I link his Facebook account and his account in my database?
When you login with Facebook, it returns a STATE, CODE and I can also retrieve an ACCCESS TOKEN using the API. However every time I login, these codes change. I thought there might be one code returned that I can use to store in the MySQL Database so all I have to do is match one of the codes to the database.
But I can't seem to do this. Am I coming at this all wrong?
Hope I'm making sense.
My issue is after he logs in with Facebook, creates and saves his account in the MySQL Database, how do I link his Facebook account and his account in my database?
Just store facebook user id in your table.
When you login with Facebook, it returns a STATE, CODE and I can also retrieve an ACCCESS TOKEN using the API. However every time I login, these codes change. I thought there might be one code returned that I can use to store in the MySQL Database so all I have to do is match one of the codes to the database.
You don't need to persist them ever. Only facebook user id is the identifier you need to identify user
Store their FaceBook UserID as an optional field in your user table to link their unique FaceBook UserID to a user in your application.
https://developers.facebook.com/docs/reference/php/facebook-getUser/
PS: I understand the concept of OpenID authentication and Oauth authorization (i think). And i am using facebook as an example of Oauth
It has been a trend for Websites to asked you to "signup" by "login with facebook" but during the signup workflow (after receiving permission and member info from your facebook account) they still ask you to pick a username and password. Which creates a local user and "links" that user to said facebook account.
But now i noticed during the signup process for websites like buzzfeed and even stackoverflow, they seem to be doing full authentication with facebook. You grant the website permission to you facebook account, and you are now logged in (as sort of a facebook user)
update (corrected authorization to authentication):
Does this mean facebook connect now does "authentication"? and does this mean users are no longer stored locally?
In the case of stackoverflow, I think they create user account internally, however they create username on behalf of the user - like user1243534, if the user does not specify his own. This internal account is used to store all stackoverflow related information for the user, that does not exist in facebook (or other provider) - reputation, questions, answers, everything.
If in your case, your web application does not need to story ANY data related to the user, except session with some session temporary variables (that he is logged in with facebook, his facebook name, etc.), then you can omit local user storage and accounts. In that case your application will lose any data related to the user, when his current session expire.
However, if you want to store whatever data in regard to your users, e.g. how many times he logged in, what language he prefers, persistent settings, or anything that is not stored in the provider, you should create your local user account.
Your first question: Yes, facebook is authenticating each time the user wants to log in, if no other authentication process is provided.
Your second question: Depends if you'd like to store user data for more time than the session duration (user data that is not taken from provider).
I have a mysql membership database run by a Perl script. Account creation or login requires an email address and password. The Perl script then sets cookies (password cookie has encrypted value) which allow users to create, own and modify records. A members table contains user information. I've gone through the FacebookConnect information as well as the forum. Maybe I cannot see the forest for the trees, or maybe this is not possible. In order to use FacebookConnect for logins/account creation, I need to be able to send the user email and password to the the Perl script so that the proper cookies are set. If it were an http it would look like this:
http://domain.com/cgi-bin/perlscript.pl?_cgifunction=login&email=ddd#somedomain.com&password=somepassword.
Any hints or advice would be greatly appreciated.
What you are trying to do isn't really possible in the way that you're describing it.
Facebook Connect basically provides you with a single piece of information: whether your visitor is logged in to their Facebook account or not. If they are, you can get their Facebook ID, if not, you can show them a button (or whatever) and ask them to log into Facebook.
Generally a good approach when using Facebook Connect as an authentication method for your site is to have an internal id for the user's member account, and store a user's Facebook ID alongside that. When a user comes to your site, and they are already logged in to Facebook, you just use their Facebook ID to retrieve the local account. Otherwise you show them your login form to log in locally, and/or a Facebook login button.
The problem you're running into here is that you cannot get someone's email address from Facebook, as it is purposely hidden to protect privacy. If your membership scripts provide only the email/password log-in method, then what you need to do is modify these scripts to create the authentication cookie when given a properly authenticated Facebook ID.
Essentially you'll have two login functions... one for a Facebook login, and one for a regular login. Either function should properly created the local authentication cookie.