I would like to allow visitors to my website to log in using Facebook as opposed to requiring them to register - which is accomplished easily enough with the information here:
https://developers.facebook.com/docs/guides/web/
However, I would also like to keep the option of registration open. In other words, when a user first visits, he has the option of either registering with me, OR simply logging in using facebook. A profile on my site is then created for them, and everything is wonderful.
My thoughts are, for facebookers, to use their facebook username. However, this might cause issues when someone whose facebook username is "foo" visits for the first time and logs in using facebook, if somebody else has already registered with the username "foo".
Has anybody else run into this issue? What's the best way to mitigate it? Should I just use facebook registration instead?
I randomly generate a username (UUID, actually) when they login using alternate auth (Facebook, Twitter or OpenID). You can then allow them to choose a username at a later point from a profile page.
If you want, you can flag auto-generated usernames, so they won't display, which would be confusing.
I also use the same process, but reversed, to allow logged in users to match up an external account when already logged in.
Related
I am trying to have a custom facebook login page in my react meteor app. For example, I have my custom input fields (username and password) and I am trying to pass username/password values to facebook and validate. I do not want to use meteor account-ui. I found Meteor.loginWithFacebook which only checks to see if user is ALREADY logged in. Can someone help me to understand how I can use my custom username/password fields to get facebook user data?
Answer: That is not doable (or at least, should not be done, even if some workaround or hack exists, which I am unaware of).
What you can do is create your own authentication system, and give the user the option of either filling in the user details themselves, or using facebook login to fetch it from facebook. That ways, you have your own authentication, and also user's facebook profile.
Explanation:
The whole point of having openid (facebook, twitter, gmail, etc authentication) is to make signing up for a website/app convenient and SECURE.
If you use your custom user name and password field, then you can even store them, and that can give you access to user's facebook account. Even if you were not to do that, someone can easily hack into your website and steal the data to get access to your user's facebook account (your application would be way easier to hack into compared to facebook).
Hence, the facebook login api is such that the very sensitive task of accepting user name, password (facebook would never trust anyone else to do that for it), and validation of user is done by facebook, and you are given a token which tells you the user is logged in, and his basic profile (if you ask for it), and you do not have to worry about security, and the user himself feels safe, because he knows he is typing his user name and password in facebook.com, and not in somexyz.com
I have a web app that has its own user registration, with a handful of users. The only mandatory fields are email, password and username, which must be unique. In the long run, I will still want to have our own registration system.
I would like to integrate Facebook, but I'm trying to figure out if I should integrate Facebook Registration or Facebook Login. I have these questions:
I've already started integrating Facebook Login and it works well. With this, not only can I enable Facebook users to login, but I can get all the information I need to register the user, if he is signing in for the first time via Facebook and has not registered via our site yet. I do not prompt the user for a password, to simplify the registration, however this means that if the user tries to sign in directly into our site, I tell the user that he must sign in via Facebook Login. Therefore, I question the need for Facebook Registration, which seems to be more complicated to integrate than Facebook Login. Can anyone tell me why I should integrate Facebook Registration instead?
The drawback I see with integrating Facebook Login or Facebook Registration into our existing user registration, is the username. I currently copy the user's Facebook username into our database. However, there is the possibility that the user's Facebook username is missing or is a duplicate of an username from one of our existing users, in which case I will have to prompt the user to change it. Then what happens if in the future, the user changes his username on Facebook? Should I change the user's username on our site when he logs in next via Facebook? What is best practices here? Am I correct to assume that if I don't bother changing the user's username on our site, it won't be an issue?
Then there is the possibility that the user's Facebook username is not valid by our requirements. Currently, we require the username to be alphanumeric and underscores only, using this reg expression: /^[\w]*$/ However, Facebook allows periods, but not consecutive special characters and possibly other criteria that I did not detect. This means that I should use the same validity check as Facebook uses. Does anyone know Facebook's reg expression for their usernames?
I am able to show the Facebook user's profile photo with an IMG tag and src= http://graph.facebook.com/facebook.id/picture. Does anyone know how to save the photo onto our server? We use Javascript and PHP.
Thanks for your help!
Hey I'll try to address your points 1 by 1
Facebook Login is merely a means to sign a user in to your site by them connecting via Facebook, as you state, they don't have a password as Facebook handles the auth. However you could redirect them to a specific page after using facebook login and get them to enter a password to use their account without being connected to facebook. The facebook registration plugin is more a tool to get users to register on your registration system (although it does support being your only registration system). It provides convenience by pre-populating a number of fields you might commonly ask for such as name etc. if a user is already logged in to Facebook. You can customise though to ask for additional info. It also means you can supply 1 registration form for your users whether or not they use facebook.
The facebook username should not be missing. Their 'name' field should be the users first and last name which I believe they have to supply. I don't think it can be empty. What I would actually suggest doing, is what I mentioned in point 1. Allow users to connect via facebook, but then prompt them to enter a username either as part of the login flow or after. You can then check this for uniqueness against your current database. To begin with you could assign them a username that is first_last_timestamp or something similar. This would more likely encourage them to change their username to something they want. If you used the registration plugin, you could easily enter your own "username" field into this. Then it doesn't matter if the user changes their name on facebook as they would still have a unique username to your site.
Facebook's usernames should just be a users first and last name (though obviously people do enter random things). The 'name' field is an combination of these so there will most likely be a space between them. You could always replace any invalid characters using your own regex, replace whitespace with underscores etc.
I'm not sure if there are any platform policies that would restrict you from saving the users picture to your own server/DB. What I would ask though is why you would want to? In my experience this is more likely to change then their name is. As such groups of friends using your site are probably more likely to recognise the profile pic that their friends use on facebook.
I would finally say, that the best bit about connecting their Facebook account either way means you can provide a smooth login experience so that a user doesn't have to sign in everytime. My own personal experience is that facebook login (with your own integration code on the success page) is better than the registration plugin. There are fewer steps for a user to connect to your app this way and they don't have to fill out a form. The success callback also means you can still perform the custom username code/flow I mentioned above and then prompt them to change their username if they desire. Just remember it is best to ask for as little info as possible at sign-up as users are more likely to join this way.
Hope this helps!
Is there anyway to get the Facebook ID of a user without forcing them to authenticate? I'm trying to create an app page where the user can only add an answer to a poll once, so I need to be able to identify viewers by some kind of unique identifier.
My preference would be to not force them to log in. I think it's bad UX to add 2 extra steps just so I can make sure a facebook user on a facebook page is unique. I don't need any permissions to their profile/etc.
BTW, I've seen similar questions though nothing current or close enough for me.
No possibility if you don't make your user log in, for security reasons, the user has to be aware you are collecting information about him, it's also why there is a login.
With the PHP SDK, to get the id after login:
$userId = $facebook->getUser();
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.
I have a mysql membership database run by a Perl script. Account creation or login requires an email address and password. The Perl script then sets cookies (password cookie has encrypted value) which allow users to create, own and modify records. A members table contains user information. I've gone through the FacebookConnect information as well as the forum. Maybe I cannot see the forest for the trees, or maybe this is not possible. In order to use FacebookConnect for logins/account creation, I need to be able to send the user email and password to the the Perl script so that the proper cookies are set. If it were an http it would look like this:
http://domain.com/cgi-bin/perlscript.pl?_cgifunction=login&email=ddd#somedomain.com&password=somepassword.
Any hints or advice would be greatly appreciated.
What you are trying to do isn't really possible in the way that you're describing it.
Facebook Connect basically provides you with a single piece of information: whether your visitor is logged in to their Facebook account or not. If they are, you can get their Facebook ID, if not, you can show them a button (or whatever) and ask them to log into Facebook.
Generally a good approach when using Facebook Connect as an authentication method for your site is to have an internal id for the user's member account, and store a user's Facebook ID alongside that. When a user comes to your site, and they are already logged in to Facebook, you just use their Facebook ID to retrieve the local account. Otherwise you show them your login form to log in locally, and/or a Facebook login button.
The problem you're running into here is that you cannot get someone's email address from Facebook, as it is purposely hidden to protect privacy. If your membership scripts provide only the email/password log-in method, then what you need to do is modify these scripts to create the authentication cookie when given a properly authenticated Facebook ID.
Essentially you'll have two login functions... one for a Facebook login, and one for a regular login. Either function should properly created the local authentication cookie.