I'm develpping a site and I put the facebook connect using PHP SDK 3.
The problem is that the page where facebook returns the results after the user authenticates and grants permission. for me after a user clicks "allow", it authenticates and then returns back to the same page (index) with a query string.
What I want is that if the user clicks "don't allow", he will be redirected to a certain page like login-fail.php, and if he grants permission he is redirected to login-success.php where his data will be processed and stored in the database.
any ideas?
You cannot specify a redirect URL in case of error. The best you can do is to set a redirect URL that will be the same for success or error :
$args['redirect_uri'] = "http://www.yoursite.com/after-dialog.php"
$url = $facebook->getLoginUrl($args);
If the user clicks "Don't allow", he will be redirected to the page after-dialog.php with the following GET parameters :
error = access_denied
error_reason = user_denied
error_description = The+user+denied+your+request.
If you really want to redirect him according the success of his login, you can track it at the top of the after-dialog.php file by :
if (isset($_GET['error'])) {
header('Location: http://www.yoursite.com/login-failed.php");
} else {
header('Location: http://www.yoursite.com/login-success.php");
}
Hope that helps !
EDIT: As you pointed out (in the comments of this answer) the comments in the code of the SDK say :
redirect_uri: the url to go to after a successful login
But the reference of the API says :
If the user presses Don't Allow, your app is not authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter.
and :
If the user presses Allow, your app is authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter.
I also ran some tests and the user is always redirect to redirect_uri, even if he clicks "Don't allow". It must be a typo in the code comments.
In my case I solved this problem with a checking of the parameter "error_reason", when an user click in Don't Allow, the url carry this parameter. You can see it in this page:
http://aplicacionesfacebookparadummies.blogspot.com/2011/09/obtener-datos-usuario-mediante-login.html
Related
I have a web page which asks the user to log in and then proceeds to get JSon via Graph for a particular Facebook group. It builds the Uri dynamically by taking the access_token that is returned after login. It works fine when I do this, but if I try to log in with a different account, no data for the feed is returned.
One hint in this problem is when the facebook dialog screen appears, it only asks for my username/password. It doesn't ask go to the usual screen where Facebook asks for you to give permissions for "Basic Information" etc. It's just a username/password screen and then I go straight in.
This is the login code:
function login()
{
FB.login(function (response)
{
if (response.authResponse)
{
// connected
var authResponse = response.authResponse;
access_token = authResponse.accessToken;
refresh();
} else
{
// cancelled
}
});
}
One hint in this problem is when the facebook dialog screen appears,
it only asks for my username/password. It doesn't ask go to the usual
screen where Facebook asks for you to give permissions for "Basic
Information" etc. It's just a username/password screen and then I go
straight in.
This is because you've already authorized the app, so once you login it will take you straight to the app.
It works fine when I do this, but if I try to log in with a different
account, no data for the feed is returned.
Well the limited view of code you posted is fine, so something else is the problem. First debug step is to get the access token for that different account, and check the debugger to see if its tied to the appropriate user and scope.
I am implementing a facebook integration to a website. If user denies facebook permissions, how can I redirect them back to my website?
As #abraham has already mentioned that user denial also redirects to your redirect_uri, all you have to do is check if the user has denied permissions.
The following is how facebook redirects to your url, i.e. the redirect_uri , when the user has denied permissions.
http://
YOUR_URL?error_reason=user_denied&
error=access_denied&error_description=The+user+denied+your+request.
So in your code you can check if the error and/or error_reason and/or error_description fields are set in the url, and then do whatever specific actions you want to do when user denies.
Some code to help you out:
if(isset($_REQUEST['error'])){//ok some error has occurred from Facebook
if(isset($_REQUEST['error_reason']) && $_REQUEST['error_reason']=='user_denied'){// ok so the error has occurred coz the user denied permissions!
// a lot of apps render a static page explaining why it needs the permission it has asked for, you can do the same here!
// more code
}
}
// rest of you code ...
Hope this helps.
Technically, if the user is still on your site you can do that but if on facebook's site, then they can automatically provide redirect instruction in their codes. implementing this should give you a basic idea on how to get the user back to your site.
$siteurl = 'http://www.mysiteexample.com';
if ( isset( $_REQUEST['redirect_to'] ) ) {
$redirect_to = $_REQUEST['redirect_to'];
} else {
//
$redirect_to = 'siteurl' .'/'.$_SERVER["REQUEST_URI"];
}
According to Facebook's authentication page. If they user denies access they will get redirected to your redirect_uri with an error. You can check if the error is there and redirect to the homepage.
If the user presses Don't Allow, your app is not authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with the following error information:
https://developers.facebook.com/docs/authentication/
I posted this on the Facebook Dev forum and heard crickets...hopefully stackoverflow is a better bet.
This question is regarding the request permissions dialog being spawned from within a Facebook Application Tab specifically (not a canvas application).
If a user clicks "Allow", or "Don't Allow" the user is redirected to the same URL as specified in the redirect_uri parameter.
If the case of a canvas application I can use the error information that is passed in the URL to distinguish between the user who has accepted or declined the permissions request.
However, if the redirect URI specifies an Page TAB Application (and not a canvas app) I cannot pass this information into the iframe -- the only thing that gets passed through is the app_data parameter through the signed request parameter. (I can set the app_data parameter with the redirect_uri but since this is the same if a user accepts or rejects the permissions dialog, its of no help)
If anyone could let me know if its possible for a Tab Application to "know" if a user clicks "Don't Allow" within a request permissions dialog (or has any other suggestion) I would be very grateful!
Thanks very much
I don't think you can do what you require within a Facebook tab using a login url. Have you considered using the JavaScript SDK instead?
FB.login(
function(response) {
if (response.session) {
if (response.perms) {
// user is logged in and granted permissions
} else {
// user is logged in, but did not grant any permissions
}
} else {
// user is not logged in
}
}, {perms:'list,of,permissions'} // if required eg {perms:'publish_stream, email'}
);
In my canvas page, I try to authenticate the user the way it is described in http://developers.facebook.com/docs/guides/canvas/, by using essentially this code (example code from developers.facebook.com):
<?php
$app_id = "YOUR_APP_ID";
$canvas_page = "YOUR_CANVAS_PAGE_URL";
$auth_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($canvas_page);
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
if (empty($data["user_id"])) {
echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {
echo ("Welcome User: " . $data["user_id"]);
}
?>
The problem is, the first time the user authorizes my canvas application, Facebook doesn't pass a signed_request parameter when redirecting back (as described in the example code), but a code parameter. When accessing the application the second time (already having confirmed the rights), it passes a signed_request parameter as expected.
Why does it pass a code parameter the first time? The documentation doesn't explain when Facebook passes a code / signed_request parameter.
The problem was that for $canvas_page, I used the canvas URL (e.g. mysite.com/canvas) instead of the canvas page URL (e.g. apps.facebook.com/myapp).
I think you need to append "&response_type=token" to your authentication url:
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&response_type=token
Then you get back something that looks like:
http://apps.facebook.com/APP_NAME/#access_token=YOUR_APP_ID%YADA_YADA_YADA0&expires_in=3948
And you can extract it with some Javascript:
if (window.location.hash.length == 1)
{
var accessToken = window.location.hash.substring(1);
}
Facebook uses the code parameter to authenticate your application. In the documentation, it states:
*If the user presses Allow, your app is authorized. The OAuth Dialog will redirect (via HTTP 302) the user's browser to the URL you passed in the redirect_uri parameter with an authorization code*
To complete the authorization, you must now take the code parameter and your app secret and pass it to the Graph API token endpoint (paraphrasing the documentation). This will grant you access to the access token. From this point onward, your application will not require the code parameter for this user because they are already authenticated.
Facebook uses the signed_request to share information with your application. The documentation states three scenarios in which it will pass the signed request. These are:
A signed_request is passed to Apps on Facebook.com when they are loaded into the Facebook environment
A signed_request is passed to any app that has registered an Deauthorized Callback in the Developer App whenever a given user removes the app using the App Dashboard
A signed_request is passed to apps that use the Registration Plugin whenever a user successfully registers with their app
So to conclude, the code parameter is only sent to authenticate the application, while the signed_request is utilized to pass information once the application has been authorized.
Saj-and is very correct.
I too struggeled with this alot.
When setting the redirect_uri to my domain name, I got an infinate redirect loop.
When setting the redirect_uri to the facebook app url, I got an error saying the url is not on my domain and so cannot be accessed.
It took the "/" at the end to solve this
I had the same problem with my canvas app, I fixed it by simply redirecting to my application's canvas url in the case that there is a code GET request parameter. After that Facebook sends me POST request that contains the signed_request parameter as expected. Here is the Python Django snippet:
if 'code' in request.GET.keys():
return HttpResponseRedirect(FACEBOOK_CANVAS_URL)
# ...rest of your canvas handling code here
I struggled with this issue (not getting oauth ID in the signed_request and instead get the "code" after user approves the app) for over a week, and this post (and few others posts) helped me get very close to resolving the issue (I was using my apps canvas URL instead of the canvas page url in the redirect URI, and I didn't specify the namespace in the settings).
After making these corrections, I faced a different issue where the app approval page won't show up for a new user and instead facebook throws the message" application has an error etc.. and finally I figured I was missing a / at the end of the canvas page url in my redirect url.. I had it as https://apps.facebook.com/myappname instead of https://apps.facebook.com/myappname/ in the redirect uri. Adding the / at the end resolved the issue and when a new user access my app using https://apps.facebook.com/myappname (if the user is already logged in ) facebook shows the approval page (upon receiving the response from my server) and once the user approves the app, facebook sends the signed-request with the required auth code to my application. Hope this will be useful for anyone else who might encounter the same issue.
Just to clear the confusion about the code parameter.. Facebook will always send this parameter when user allows the application.. however the signed_request parameter is sent using post or some other method.. it is not sent in the url.. You can access it using $_REQUEST['signed_request']
I had a similar problem that was solved when I assigned a namespace to my app, so it would look like apps.facebook.com/myapp and not apps.facebook.com/1234.
I was experiencing the problem you describe with firefox and with third-party cookies disabled.
I enabled third-party cookies and then the signed_request was suddenly available.
When I authenticate the user, after authentication it does not redirect the next parameter. Instead it redirect the user to the "Canvas Callback URL". If I dont give the convas callback url. then it gives the error
An error occurred with experiement. Please try again later.
API Error Code: 100
API Error Description: Invalid parameter
Error Message: next is not owned by the application.
on the other hand if the user cannot allow my app then it redirect the next parameter.
My url for authentication is:
https://login.facebook.com/login.php?api_key=**KEY**&v=1.0&popup=1&next=**NEXT**&
next_cancel=**NEXT_CANCEL**&skipcookie=1
I try to this on localhost.
in any one have idea about this?
Try using this url instead to get permissions:
$facebook->redirect('https://graph.facebook.com/oauth/authorize?
client_id=[YOUR APP ID]&
redirect_uri=[YOUR APP URL]&
scope=publish_stream, offline_access');
Replace [YOUR APP ID] with application id that you can see from application settings where you created the site in Facebook Developers section. Also replace the [YOUR APP URL] with your app url.
And $facebook variables is the one you get by initiating the facebook client that is:
$facebook = new Facebook($appapikey, $appsecret);
Yes it always redirects to canvas url instead of app url. You just need to create your own server side redirect that would redirect user back to app url.
You can separate regular app calls from the one after authorization that requires manual redirect by looking at request parameters. After authorization you would get some unique params like auth_token that are not present in a regular request. If those params are present - it means that it is authorization redirect and you need to send user back to app url.