I want to implement a facebook like login on my app. The idea is I have a web service and a web page that has the login forms.
Now, I would like to have my web page pop-up when a person clicks on login button from my iphone app. If the authentication is successful I would to close the iPhone popup window. There is also a possibility wherein after a successful login there will be a token that will be returned and I should be able to get this token from my iPhone app.
How can I implement this?
You'll want to use a standard UIWebView to load a login form on your website (UIWebView class reference). You'll probably want to set a delegate and wait for either webViewDidStartLoad or webViewDidFinishLoad - at these points you'll be able to check the status of the request.
What I would try is for the webservice to render the same form back on failure, and on success render a minimal "loading..." form with some hidden attributes that you will be able to pull out of the UIWebView directly in your app (say, a token, or other login information for making future requests). That way the user can auth as many times unsuccessfully, but you will only continue into the application when they successfully authenticate and have some identifier.
If you don't want to hide the token in the actual HTML your web service returns, it's also possible to create an identifier on the device itself and include that in your form when the user is POSTing to your web service. On a successful auth, you may need to make a second request to get some sort of unique token for any other requests you intend on making, but this is getting a little more complicated.
The best bet is probably to try the simplest thing that will work, then ask a security expert how to improve your interaction/protocol.
Related
Id like to somehow be able to authenticate programatically using javascript, without filling a login form every time, because its unwanted behaviour in requirements for my app...
When I use Deezer javascript api I usually do:
DZ.login(); //to login, which pops up a login form
//then somewhere else calling
DZ.getLoginStatus(function(){callback});
//and in callback function I call the api or something
What I would like to do might be something like this:
once call DZ.login()
once fill in login form and approve rights for my app
once get access_token(never expiring, with offline access permission) from response
Still good...
and then:
somehow use that token from javascript everytime I need to access that account to do some action..
No matter whether Im logged in or not I want to be able to access that account with that offline access_tokenand
f.e. load my playlist to the player.. I want to do that action everytime without prompting login form, even after power failure or even if some earthquake comes and logs me out...
I want to use javascript because of that player......
Is there any possible workaround?
If not, why is it not possible?
No matter whether Im logged in or not I want to be able to access that account with that offline access_token and
What you want to do can be set up in your app settings as explained here: http://developers.deezer.com/api/permissions
We are integrating an application as a facebook app at work. I want to be able to detect whether the user has logged in to facebook, and if not, to prompt for authentication.
So far we have successfully used the facebook SDK and the login functionality it provided. However, this causes an authentication popup window to be created by our application, and it is being blocked by most of the browsers, so our priority task is to re-implement the authentication logic not to use popups.
According to the this tutorial from the facebook documentation it could be done either by using event subscription for user status change requests (which did not work when the user is logged out) or by obtaining access token. The problem is that the token is returned as request parameter to the top window (the url I specify as a return url after the user authenticates). Since some cross-domain and browser restrictions exist, I am unable to use client scripting to obtain the value, and I am stuck.
Related questions here have been asked and the common issue is that most apps are being ran on localhost. However, the case with our app is that we have deployed our app to local webserver, that is exposed by a public domain, but still has the cross-domain restriction issues. It is being referenced by its public domain name within the facebook app configuration. I am completely confident in that the domains are fully accessible from outside.
In general, our case is that we would like to host the app while it is being used by facebook users. Perhaps this approach might be incompatible with our requirement? Is it possible to configure cross-domain communication to avoid the issue? Are any other ways to do avoid facebook login popups?
First of all, default settings for popup blockers in modern browsers are so that they only block popups that are called without user interaction. If you call FB.login automatically on page load, it is likely to get blocked. But if you offer a link/button to the user saying “log in here” and only call FB.login on click on that link/button, then the popup is rather likely to be shown and not blocked.
If you are not willing to do it that way – then your other option is to use the server-side auth flow. You can just redirect the user to the auth dialog, which will happen in the same window, and he will be directed back to your app afterwards.
Situation: I am developing a facebook canvas app. Facebook is sending my sever a POST request with the signed_request each time that a page is render. Inside my app I have all my links with target="_top" because if I don't, facebook send my server a common GET without the signed request. So I cann't check the user info.
Problem: It is too slow! even if I am testing it in local, each click that I press takes 1 sec to render and my canvas becomes completely white and then the info is shown, It will be a bad user experience.
My tests: If I remove the target=_top and I point all my links' href to my server without the app.facebook.com/whatever, it loads very quickly.
My doubts: Is there any security issue with this? If I point all the links to my server (no apps.facebook.com) I can not check the signed request, I will only check it in the main page..
Any advice? any tutorial? Do I have any misundestanding of this? (It is my first facebook app)
Have you read the Server-Side Authentication tutorial?
You're doing it wrong.
Once the users lands in your app you should keep all links in the same frame, loading the entire window along with facebook is completely redundant.
What you should do:
When you get the POST with the signed request, decode it and check if the user is authenticated, if he is persist the data (token and such) somewhere (session, db, cache).
If he is not authenticated send him to the auth dialog as noted in the tutorial, when he gets back exchange the code you get (in GET) for the token (also shown in the tutorial), then redirect him to http(s)://apps.facebook.com/YOUR_APP and you'll be posted with the authenticated signed request, save it, etc..
Since you persist the data, in every request that is not POST or don't include the signed_request check your persistency choice for the data, and use it.
There should be only two times where facebook sends you the request, once it is POST when your canvas is loaded, the 2nd is when the user returns from the authentication dialog, in which you either get the code parameter or error in case the user declined the authentication.
Other requests should be from your app (inside the iframe) into the app servers.
JDL,
I believe you are querying the graph API at each request (and that's why you always need the signed_request). Is this right?
The graph API is pretty slow (~ 1 second/query) and you should use only when necessary. For example, when you first receive the access_token you should save it in your session and query the graph API to retrieve the respective facebook user info. But then you should put the info you need about this user in your session and only refresh it (using the graph API) when the signed_request access token is different from the one you have saved in your session.
The behavior of adding _top to the target of your links is ok and a good practice within facebook canvas.
I'm getting into the grimy guts of a problem that has turned out to be rather cumbersome so I turn to you, the experts, for help.
what I've done so far: I am building an iphone app with phonegap. I am using the provided fbconnect (in phonegap github) code which gives some rather convenient javascript based example code to build things like a comment and check in request. I have comments and checkins fully working how I want, and I have an auth_token that I am successfully toting around.
enter the like button: I understand that you cannot make like requests via xmlhttprequest in the same way that you can with comments for example, so I am stuck using an iframe (unless there is a better alternative).
what I need help with: right now, since the iframe is triggering its own login, I have the situation where the user might log in to like, and then have to log in again to comment which is not a viable. Is there a way to pass a valid auth token to the iframe so the user wont be prompted to log in again or some other sneaky way to authorize through the childbrowser solution that I have currently implemented and then share the auth token to the rest of the app?
notes: I havent passed an app ID to my auth implementation but I noticed that the iframe does pass an app ID. would including an app ID in my auth request somehow link the logins so facebook could recognize that the user is already logged in through the app?
I can't think of any specific code to include since this is more of a general question but if there is anything you'd like to have a look at please let me know.
The short answer is no, mainly for security and spam prevention. The only way to have the user like your page is rendering the iframe code in a webview. This requires a traditional email/password login with Facebook. Using the graph api is the only way to use things like commenting and checkins, and this requires a user to login via a separate mechanism and then subsequently approve your app. There is no back door logging in mechanism.
I have been working on creating an RSS reader app for the iphone which allows me to view RSS from an external feed. However the project im working on I need to be able to view an Authenticated RSS feed which is behind a login. Im struggling to write the code to do this.
I need the app to ask the user to enter:
The url they wish to login to (stored and remembered in the app)
Their username used to login to access the RSS (stored and remembered in the app)
Their password used to login to access the RSS (stored and remembered in the app)
Option to remember password for next time
Option to auto login if the above option is accepted
If anyone is able to tell me how i can do this or point me in the right direction would really appreciate it!
Thanks
Tom
It depends how the login in implemented on the server hosting the RSS feed.
If it is basic http authentication, then you can use NSURLConnection and its delegate methods to provide credentials when the http request is made. Or you can supply the credentials as parameters on the URL (not secure).
If the login is some kind of script that takes input from a form and does some back end processing then you'll need to approach it differently, perhaps using a UIWebView to present the user with the login form. Then you'd need some method of obtaining the session key (or whatever is used to maintain the session) and use it in subsequent requests to get the RSS data.