If an mobile user have authorized the app for facebook via Single Sign On, is there a way the permissions can be used on the server side for offline access?
Scenario:
user uses the mobile app
user authenticates via SSO
app needs to use the user's permission on the server to check for certain updates
app pings the user via notifications if updates received
Can this be done?
You need to authorize at the app and obtain the Facebook token. Then you can send this token to your server and use it there without problems. You should ask for the offline_access permission if you want this token not to expire in a few hours.
Related
I need to setup communication between my iOS/Android app and my PHP backend. I want to use facebook account only for logging in, there is no further communication with facebook. I have User accounts in my system and facebook_id is only a parameter to identify user.
Is it ok to verify the user by checking the token on the graph api from my backend just at the beginning and then only use my own tokens for communication or do I need to recheck if the user is still logged in on facebook from time to time (which is actually irrelewant for me as there are no fb interactions).
What else is there to consider?
Do I need a separate token for my server? Or do I use my App Secret
You should be able to use your application token.
The only scenario it might not work in is if the user deletes your app and decides to login again. From what I've read the app scoped IDs may change in this scenario.
I am building a Facebook application whose purpose is to gather statistics about Facebook users by querying their profile pages every so often. There is a sign up process where a user consents to the application and is redirected to Facebook to authorize the app. After the app has received the user's permission, it stores the access token with the user's Facebook ID number.
Every so often I want to be able to run a script that loops through all the access tokens in my database and queries the corresponding user's profile page. I am using Facebook's PHP SDK for development and therefore receive long-lived access tokens.
However, I am running into the issue of the 60 day expiration of the access token. I don't know how I can renew these access tokens, since the user does not initiate API calls; my own script does and therefore it has no information about the user being logged in or not when trying to run an API call. Is there any way to renew these access tokens behind the scenes without any information about the user whom I'm trying to query?
I'm trying to create a server side access to a user's Facebook resources (photos/albums/etc).
I want that the user will authenticate once using its native mobile application, and that the server will be able to access user's data without the user interaction.
I'm trying to understand the steps I need to take in order to make it work.
I've read Facebook's: Login for Server-side Apps but I can't understand how to use the scenario proposed in there - because my server has nothing to do with user interaction (I cannot redirect the user to some login dialog) - the server is performing its own operation in the background whether the user is using its mobile application or not. What should I do upon token expiration for example?
More then that, I want that the user will be able to perform direct Facebook operation on the mobile itself, without the server intervention.
As I see it, this is the flow I would expect:
User's launches a native mobile application.
The user authenticates using Facebook's SDK on the native mobile app.
The user received a special token, that can be converted at server side to an access-token.
The token will be sent to the server and stored there.
If the server needs to access user's Facebook data, it uses this special token and converts it to an access token.
When the token expires - the server can extend it, using the special token, without any user interaction.
What data should be sent to the server from the mobile application after authentication. And how should the server use this data to access user's Facebook resources anytime?
I'm using the C# Facebook SDK for the server. But I think it is not that important, I need to understand the mechanics.
Tokens expire if the user does not continue to use the application. This is by design--an application should not continue to access the user's account if the user stops using the application.
When a user logs into your application, a token is given to your application, along with an expiration date for that token. You can use that token from your client or your server until it expires. However, there is nothing your server can do to extend the token if the user does not continue to use your application.
If the user continues to use your application, you will have an opportunity to update your server token. For example, in the Android and iOS SDKs, tokens are automatically refreshed if the user uses your application to make a facebook request. At that time, you can transmit the refreshed token to your server.
Assuming it is possible to transfer the Facebook API access token from some web app to my mobile app (via physical storage or network), will my mobile app be able to use that token as a regularly acquired token (as if the mobile app itself requested the token from Facebook)?
Is this procedure allowed in the Facebook API's terms of service?
Will the mobile app be able to cache that transferred token and use it as its own?
Basically, what I want is for the user to do Facebook Login and authenticate on one machine, and use the acquired token on a different one (e.g mobile app).
Is there a better way of doing this?
You can set your mobile app to go through facebook's oauth steps onload and if the user has already authenticated the app, he will get logged in right away, since you'll get an access token at this point of time, save that in the mobile app.
Automatic login triggers are now being used on both stackoverflow and quora. (if you sign up here through facebook, when you visit the site, you'll get signed in again - same for quora).
Also, access tokens grant access to a particular 'facebook app'. If your mobile app uses the same app id, then you can certainly reuse the same access token on the mobile device.
yep, we can reuse it. I got an access token from mobile app then it's applicable on web browser.
The instructions on using Single Sign-On (SSO) with the Facebook IOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
no, there is no way to do this. each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged of FB from your app so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this don't request "offline_access" permission when you authorize a FB user and you can also logout and de-authorize the user via the FB API based on whatever criteria you deem appropriate.