I'm working on integrating Facebook with my iPhone/iOS application and I want to know if I'm understanding the nature of the login procedure correctly.
With the old Facebook SDK ('Facebook iPhone SDK'), when we needed to request authentication permission from a user a UIWebView would be displayed with a login prompt. With the new SDK ('Facebook SDK for iOS'), the SDK uses Apple's fast-app-switching feature to temporarily place the app in background mode and then load the iOS Facebook app or Safari to authenticate. Is this basically the gist of it?
I've experimented with authenticating my app via the new SDK's technique and due to the nature of my app, it just can't support backgrounding. Does this mean I have to use the old SDK to launch a UIWebView-based authentication? I think this implementation is a lot cleaner anyway. Will I run into any major disadvantages from doing this?
Check out this question and my answer: Iphone facebook connect example calls safari. I don't want to use safari
You can make it use the UIWebView always. Facebook is trying to make it so the user only has to log in once per device (through either the Facebook app or in Safari) but I didn't like this flow (especially on the iPad). Though I'd rather not muck around with the Facebook code, I did find commenting out a few lines to be a quick way of getting the old behavior back.
I don't believe this is the case.
The Facebook SDK that I'm aware of, available at https://github.com/facebook/facebook-ios-sdk doesn't do anything like you describe. Is this the SDK you're using? I believe the last major update to this SDK from the "old" facebook SDK was to add support for OAuth-style authentication. With this change they broke code compatibility so apps were forced to make changes to incorporate the latest SDK.
When you call 'authorize' in this SDK you pass the app id, the desired permissions, and a callback delegate for notifications of errors or success (did login, did not login, did logout). You can also set any access token that you might have persisted from a previous session. Facebook validates this access token, and if it doesn't exist or is invalid it presents a modal login dialog. I believe the content of this dialog is a web page. The SDK authenticates the user using OAuth and makes the auth-token available for persisting between sessions.
At no time is the app exited to run the Facebook app or Safari. I'm curious - what led you to believe this was the case? (Or, perhaps there is some other SDK out there I'm unaware of?)
Take a look on this page: https://github.com/facebook/facebook-ios-sdk
And look at Single Sign-On. That describes the above scenario with fast switching.
Related
In my work we often need to build Facebook apps in the form of Facebook Canvas and Website. These apps are available on Facebook direclty (an iframe) and as mobile versions (outside Facebook, in the browser).
We are working with a code base which mixes Facebook JS SDK (authentication and authorization) with PHP SDK (API calls). I find it rather dirty, and not easy to understand for people freshly working on the projects.
It's inconvinient to make API calls with JS, and making them with PHP forces extending access tokens. Authenticating user with JS SDK involves client-side redirects which are ugly to be honest, as they usually occur moments after the current page starts rendering, and so on...
I googled a lot about separating these two SDKs but did not find a clear answer to my questions:
Is it possible to create Facebook app (Canvas, Website) which bases ONLY on PHP SDK? Check login status, login, permissions, making API calls, etc. Would signed request be enough?
Is JS SDK the only full-proof way to determine user's login status at any time?
This link seems to describe what I'm thinking of, however the docs are rather brief (which seems to be a problem of Facebook documentation in general). Can anyone suggest other sources that might help? Does anyone have experience with builing FB aplications based only on server-side?
Thanks.
EDIT:
The link I posted above covers the case of not using ANY SDK, so no, it's not what I'm looking for.
You can even create an App WITHOUT any SDK - with simple CURL calls, for example. So yeah, it is indeed possible to use the PHP SDK only, but the login process is much better with the JS SDK (no redirection needed) and you can´t auto-refresh a user session like it is possible with FB.getLoginStatus afaik.
In short, i would not recommend it, the JS SDK is the very best way to authorize users and refresh Access Tokens. I would only use the PHP SDK (or simple CURL calls) for stuff that MUST happen on the server, and for stuff that includes using the App Secret, for example.
I have a website which allows login via facebook functionality and displays photos from facebook.
While accessing from a mobile browser I would like the website to automatically login(when the click on FB login button, without entering username and password) if the user is already logged in via the native FB application (iOS or andriod). It seems to be that I can do that by building a native iOS or android application and use facebook single sign on feature. Is it possible to do that without having the user install anything on their mobile device?
That is not possible.
Auto-Login relies on auth tokens that will be granted to a website or mobile app after a user approves an app. For security reasons, those tokens are tight to the cause they were issued for. Particularly, web tokens and mobile tokens are not interchangeable.
So you could build a native mobile app to get a "native token", but even if you would manage to (cookie-)inject it into a browser view, your website's backend couldn't use it.
More generally, you're raising an issue even facebook can't solve: Say you are using a facebook mobile app and logged in there. If you open facebook's web version on that very same phone, you'll have to log in there again. The root cause is the same as with above. Specifically, any native app is uncapable of setting arbitrary auth cookies into the OS browser. I personally believe this restriction will not fall, because it would have a large security impact - just imagine how any app could set (and possibly get) cookies for any website.
If they've never logged in facebook from their Mobile, how will your website ever know them ?
Is it possible to do that without having the user install anything on their mobile device?
Like PC's, users in a mobile device need to login in their phone in facebook's website before being eligible to login "automatically" to your website. When I say automatically, I mean they still have to go with the first time process of "Do you authorize this app/website to do X things on your account". That message is inevitable when using facebook's api on the web.
Hope this answers your question.
Is it possible to do that without having the user install anything on
their mobile device?
No this would not be possible. You need to have a native or hybrid app (phonegapped etc) to make it work. Mobile web apps run in a browser sandbox and without native code interface - you cannot get to the native SSO of FB on your mobile device
Did you have a look at this facebook page ? I'm not sure what you ask is possible, as basav said, but maybe you'll have some clues there.
It's my first posting on here (although I've been using this site for reference for quite some time).
I've been trying for several days now to find or dream up a way to use Facebook's "Single Sign On" from within a mobile web app (not a native iOS or Android app) to automatically sign a user into a web app if they are already logged into Facebook from the native Facebook app on their mobile device for example.
My limited knowledge is telling me that it can't be done since the mobile browser and the 'system' (iOS for example) are too separated (I can't, I don't think, have my mobile web app use or access the native Facebook app on a mobile device in any way).
I have found and read the iOS, Android AND Mobile documentation provided by Facebook (https://developers.facebook.com/docs/guides/mobile/) which all seems to make enough sense, but after days of trawling through everything else I could find on the subject there doesn't seem to be a way to use, for example, the Facebook app on an iPhone or Android device to automatically log a user in to my web app if he/she is already logged into Facebook.
I've read lots about doing this from within 3rd party native apps and also other people trying to achieve a similar thing from within Desktop apps but I'm trying and hoping to be able to achieve this from a web app running within a mobile web browser.
I'd be very grateful for any help, opinions or pointers in the right direction since I think this would be an excellent step forward in UI for mobile web apps to have (not just the native apps).
Many thanks in advance...
Probably a bit late to the party but in case anyone else is wondering yes it's possible with Cordova/Phonegap and the Facebook Connect Plugin: https://github.com/davejohnson/phonegap-plugin-facebook-connect/
Using the FB.getLoginStatus() method at startup allows to check if the user is already signed in with the native Facebook App and retrieve its profile. More details in the examples provided in the repo.
I have not yet implemented it myself, but seems possible according to:
http://developers.facebook.com/docs/mobile/web/build/#login
I would like to develop an IOs app with facebook integrated.
However, after some research I found out that facebook connect seem to be outdated?
Even the facebook official page only talk about Single Sign On where user will be redirect away the app to login.
So my question is, do you think it's still safe to use Facebook Connect?
Since i still see a lot app using it.
Yes Facebook connect for iOS has been replaced with Facebook SDK for iOS and it is an open source library on Github that users their Graph API. I would not start a new project with the deprecated Facebook connect library because it will eventually be killed and they won't give you a lot of notice since the replacement has already been out for over a year.
I'm building an iPhone app that has some social features. I've managed to get the user to log-in to Facebook within my application.
I've also implemented a webview that loads a facebook iPhone-optimized page. What I now want to do is my user to be logged-in within the webview without having to log-in twice (once in the app and once in the webview)
I've tried a few things playing around with the access_token in the URL but it didn't work.
Does anyone know if it is possible to implement that and how to do it?
Thanks in advance for your help
Short answer: You're probably not supposed to be able to do that.
The idea is that your app should only store an authentication token that lets you do stuff as your app (e.g. post to the wall as your app). On the web version, the user is logged in to facebook and facebook additionally passes an authentication token to your website; on the iOS version, I think you never get the Facebook session cookie, and I'm pretty sure you need the Facebook session cookie to be logged in to the web side of things (especially since it's designed for the browser — logging out of Facebook logs you out of Facebook Connect on all sites).
There are loads of things you can do to work around this — it's trivial to just ask the user for a username/password (and the whole idea of a "trusted UI" inside a UIWebView inside your app is flawed, despite Facebook's claims).
The "right" thing to do is to implement everything using calls to the iOS SDK so you don't have to bother with the web side of things.
were you testing your app on the simulator or on the device? The reason i ask is because im trying to get the app to stayed logged into fb which it does, sorta...it still pops a fb dialog saying it logged in fine and the user has to click on an OK button.
I havent had time to test it on the device but i think it may have to do with the fact that with the OAuth 2.0, with 3.2.x or >...if the fb is installed, it uses the fb-app login but if its not installed it uses the safari web login.
Since simulator doesnt have the fb app installed, it actually uses the safari web login (i humbly deduced) which would otherwise store a cookie and maybe it doesnt do so on the simulator..dunno, im still looking for the answer on that one :)