My website has accounts that are often accessed by multiple users. For example, a company might create an account under a generic company email address, and have different interns, etc update it.
We also have normal users that are the only people accessing their account.
We know we could make registering / signing in so much easier and more effective by utilizing various third party services like Facebook, Twitter, OpenID, etc, but we can't think of how to handle those services when multiple people want to create / sign into a single account.
How do we know which users authenticated with FB/Twitter should be allowed to access the company account on our website?
Facebook doesn't let you sign in as a Page yet, right?
You can let the users log in with their normal company account, and then give them a facebook Connect button. The only important thing you need to keep for facebook connect is their facebook id. I would add a new table, or a new entry in the users table with all the ids that have connected to that account. There would be no difference between single user and multiple user accounts, only in the number of ids connected to that account.
I use a sql table with two values, user_id and remote_id, and every time a user connects you add an entry. The same can be done with other open ids and twitter, the same able can be used.
Technically, no you can not log in as a page. But, once you get an install from a user, you can easily tell which page they are administrators of. If you create your company organizational unit around the entity of a page (or allow users to do this) then you could allow your users to log in with their Facebook accounts and once you have their Facebook session, you can access the /me/accounts graph endpoint and look at the pages they're administrators of and cross reference that with your company->Facebook Page definitions.
You could allow Facebook Page Administrators to invite users who do not have access to their Facebook Page. Once the lesser-privileged (intern) user gets to their invite URL endpoint, they could click a Facebook connect button to link their FB account with the Company/Page that the Administrator invited them to. This way, the Administrator wouldn't have to add a bunch of users to their Facebook Page as Administrators (thereby keeping their page more secure).
Related
I'm developing a Web app that has a Facebook group associated with it. I want only authorized users of my app to be able to join this group, and I don't want them to have to be manually approved by a group admin.
My first thought was to use the game_group_join dialog from the JavaScript SDK, and display this dialog only to authorized users. But this seems to have a few problems; no way to keep track of which Facebook accounts are associated with which accounts in my app, doesn't work with JavaScript disabled, there seems to be no way to stop an unauthorized user from joining the group by making the underlying HTTP requests to Facebook themselves, etc. A server-side solution would seem to eliminate these problems, but I'm not sure if there is one for Facebook app groups.
Can anyone offer advice on how I should be handling this?
Tayman,
Your first thought is pretty much the way and yes there is a server side solution (with app id and app secret).
You'd have to record something when they do the join dialog or you check if the logged in user is a member of your app group and record it's app-scoped userid in it's website user record.
In summary:
use the app (php?) to create a closed group.
https://developers.facebook.com/docs/graph-api/reference/v2.3/app/groups#publish
Users can only join the group through the app, they cannot request to join just from inside fb.
Here is a test group I've been playing with:
https://www.facebook.com/groups/879916105406758/
you can do much with js, however the "add me to the group" has to be done with the javascript join dialog.
https://developers.facebook.com/docs/games/app-game-groups#join
Facebook only allows php 'joins' for test users, not for normal facebook users.
https://developers.facebook.com/docs/graph-api/reference/v2.3/group/members/
Once a user has authorised you, you can check which groups they belong to and record their app-scoped user id with your website user record.
Taymon, here is the solution I think would fit in your case:
-Have the user login to your app with public_profile permission. From here you can capture the user's app_scope_id
-Check if the user is allowed to join the group, display Javascript dialog 'game_group_join' and invite the user to join.
- You have to link existing users with their Facebook app_scope_id after they login/connect with Facebook.
I'm creating a website that people can send sms from my website, I want to implement facebook login to my website and any one who logs in to my website using his facebook account and doesn't have an account in my website i want to create one for him. as he should later enter his phone number and verify the number and without having an account in my website its not possible. now the problem is if I use his facebook username to create the account it might cause duplicate name (as someone else might have got that username).
I will of course combine the information of the existing accounts when someone uses facebook login which have already account in my website. this is not a problem.
what would you suggest?
thanks in advance.
Dont use the Facebook user name as the userName column of your users database. You can get many other unique information from a Facebook user, like e-mail or facebook ID. Use them to "connect" between the information from your database details and the info you receive from Facebook.
For example:
When signing up to your website, one of the fields you can ask is the facebook login e-mail. Thats how a user would have the option to login to your website by Facebook, without any connection between his facebook user name and your user name.
In your user details table, just add a facebookEmail column, then, after you implement the Facebook Login API and a user login, check to see if his e-mail (from facebook) is in your table.
now the problem is if I use his facebook username to create the account it might cause duplicate name (as someone else might have got that username).
Well, then either build in a check if the user name is still free and if not prompt the user to enter a different one; or
automatically chose a different user name, f.e. by using a counter – if the user name from Facebook is foobar and this is already taken, then check if foobar1 is available, etc.
If creating it automatically, maybe you want to give the user the possibility to change it afterwards.
I have a Facebook Application in order to manage comments on my web page, allowing for moderation, etc.
I also have a Facebook Page, for the same brand.
Is there anyway of having an Administrator list that is shared between these two objects? So that I can add and remove users from one and they would get/lose access to the other?
There's no way to do this automatically, but you can:
Have a trusted user (admin of the page and app) grant manage_pages permission to [your/an] app
Get the page access token for managing the page - see "Page Login" on this document
Retrieve a list of the other page admins from /PAGE_ID/admins
Use the App Access Token to add those users as developers/admins/etc of the App by posting to the Application's 'Roles' connection
Those users will receive (and must accept) a request to become an admin/developer/etc of the app
Caveat: the users you try to add to the app must be verified accounts (via SMS or credit card) or they can't be ad admin or developer of the app
I'm NOT sure about this, but I never saw such thing available. Probably you'll have to integrate an application to your page that works on this
A site I'm working for is having significant problems with fake users through facebook openID. Is there an API call which reports on the internal facebook calculations of the "humanness" of a user and/or indications that the account has been compromised?
If there were internal Facebook calculations of the "humanness" of a user, then there wouldn't fake users using openId to your client's website. Facebook would have already removed them.
You can check the verified field of the user Graph API object.
A user is considered verified if she takes any of the following
actions:
Registers for mobile
Confirms her account via SMS
Enters a valid credit card
You may want to play politics like some sites have done saying, you need X nbr of friends, have a profile pic, etc.
I'm developing a website where the user can either sign up creating his own profile or can sign in with FB or Twitter.
The thing is I don't really know how to manage it, for example: let's say my user signs up through the website and creates content, what happens if the user later decides to sign in with FB or Twitter? How can I keep it all unified?
I know I could just do the Twitter sign in, get the data from twitter and create a profile in my DB for the user with his Twitter handle, don't know how I'd deal with later if he wants to just log in through the site.
Anyone have any ideas?
So he later signs in with Twitter or Facebook. I think you have a couple of options in this case. Allow the ability to link accounts together once the user signs in with any one method. Say they sign in with your sites registration, let them hit a page where they can add in other linked accounts like Twitter and Facebook once they are in their logged in state on your site. See the friendfeed model for inspiration. Or, like we did with ucubd.com/index.aspx - let the user sign in with facebook and regsister an account on their behalf and ask for their email as the login credential. If it's found - great. If it's not ask for a password. This will allow the user to either login with your sites registration method or through facebook. You will have the information in your database to link both of them together.
Every account on your system will have an e-mail address. Every account with FB, Google, Twitter is also linked to an e-mail address. What you will need to do is link the accounts based on e-mail address. That way you will never get duplicate accounts.