Facebook Connect and HTTP basic authentication - facebook

I am working on a site that uses Facebook Connect for user login/creation. I have a development server which is used for QA, and I'd like it to be password protected. We wanted to use HTTP basic authentication, but that seems to break Facebook Connect (it falls in a loop). Does anybody know why that may be happening?
I believe that basic authentication is done on a browser basis, and all the communication between Facebook and our site is done in the browser of the user. What could be the problem?

Facebook Connect uses an iFrame-inside-iFrame hack to overcome the cross-domain boundary limitation (see http://wiki.developers.facebook.com/index.php/Cross_Domain_Communication for details). My guess is that when Facebook redirects to the callback page (xd_receiver.htm) it fails because the latter requires basic authentication.

More information is needed on the "falls in a loop". But based on your question, from what I've read, Facebook Connect will create a random password on account creation, and if they are logging in over basic auth, it will need to be changed to match up (http://www.boonex.com/unity/forums/topic/facebook-connect-error-.htm).
But you don't specify if that's the way you are using FBconnect.
Are you requiring basic auth to get to the point of FBconnect account link/create?
Or are you using FBconnect to create the login for the basic auth?
How are you requiring basic auth? Server type?
Does everything work without requiring basic auth?

Related

Login with facebook - Insecure Login Blocked

I know that this question has been asked before, but my scenario is a bit different. I'm trying to implement a login with Facebook feature on my website, which has SSL, but when I attempt to log in I get an error message:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
Ideas?
This solution was tested on a Django application using Facebook OAuth.
NOTE
My site already had SSL and is accessible via https.
But when trying to log in using Facebook OAuth I get the above error (Insecure Login Blocked).
My Solution
All I had to do was to set (this configuration is done within the application settings, settings.py):
ACCOUNT_DEFAULT_HTTP_PROTOCOL = 'https'
helpful link
which literally means
use *https* instead of the default *http* when trying to log in using a social account, e.g. Facebook.
Then I also set Valid OAuth Redirect URIs in the Facebook login settings to https://redirect_url.com
For non-Django applications
If you're not using Django, I believe there should be a base configuration file where all the configuration for the application is done (it might be the same file where you've configured your application to use social authentication).
Whatever library you're using to enforce social authentication, search for how you can allow the redirect to be done via https instead of the default http, and then add it to your application's configuration file.
I hope this helps someone save some time.

Using Facebook or Google login API with Classic ASP

I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on JavaScript and on client-side code.
How can Facebook or Google login be used while maintaining server-side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived.)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side JavaScript and log in with Facebook, how would I update the user data retrieved from Facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are they proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
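The server-side flow described in point 1, as an added example that is not part of the original answer. The `state` check on the callback is an addition to what the answer describes; the endpoint URLs, the placeholder app values and the plain dict standing in for the web app's session are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoints and placeholder app values; confirm against Facebook's docs.
DIALOG_URL = "https://www.facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
APP_ID = "APP_ID_PLACEHOLDER"
APP_SECRET = "APP_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://example.test/auth/facebook/callback"


def begin_login(session, scopes=("email",)):
    """Step 1: bind a one-time state to the server session, return the dialog URL."""
    state = secrets.token_urlsafe(32)
    session["fb_oauth_state"] = state
    params = {
        "client_id": APP_ID, "redirect_uri": REDIRECT_URI,
        "state": state, "scope": ",".join(scopes), "response_type": "code",
    }
    return DIALOG_URL + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Step 2: validate the redirect back, return (url, params) for the exchange."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("fb_oauth_state", None)  # single use: a replay fails
    returned = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise PermissionError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise PermissionError("login dialog returned an error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no code")
    # Sent by the web server itself, so the app secret never reaches the browser.
    params = {"client_id": APP_ID, "redirect_uri": REDIRECT_URI,
              "client_secret": APP_SECRET, "code": code}
    return TOKEN_URL, params
```

The access token in the exchange response is what gets stored in the server-side session, which is how the server keeps control of the login and of what it writes to its database.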

If I use Facebook for authentication, is regular HTTP fine?

Can the Stack Overflow community sanity-check this for me?
I am working on a project that involves two components: an iOS app and a mobile website. It's for a product that will interact pretty heavily with Facebook. The website is hosted on Heroku.
From iOS land, my intention is to use the Facebook iOS SDK for authentication and then hit the web API with the user's access token at https://[myappname].herokuapp.com. Since Heroku offers piggyback SSL when using the herokuapp.com domain, and the user won't be seeing this URL anyway, I figure that's fine. And this way the request is encrypted, so the access token should be safe.
From the mobile website, users will log in using Facebook, at which point my understanding is that the access token will be in their cookies, which my server can then access without having to exchange it back and forth with each request. By this reasoning it seems to me I can just stick with regular unencrypted http:// URLs for the website (and therefore use my custom domain name without having to pay a monthly fee for Heroku's SSL Endpoint add-on).
Does this all make sense? I will be the first to admit my understanding of a lot of this stuff is in serious need of an upgrade. But for now I'm just looking for someone who can tell me, "No, you're totally overlooking/misunderstanding XYZ" or "Yeah, this is how it's generally done."
Facebook advises that you should not take a dependency on their cookie format. They have stated that the cookies are "an implementation detail" that they may tweak at any time with no notice given. You should not directly access the token or other user info directly from the cookie. I personally have had some bad experiences trying to get user information directly from the cookies, mostly due to timing -- they were not always there or updated when I expected them to be.
Client-side, you should either get the access token from the JavaScript SDK via FB.getLoginStatus or another method that returns the access token, and then post it up to your server. This should really be done using SSL, otherwise you are susceptible to network packet sniffing, where a black hat could grab the token and be able to use all of the privileges the user granted your app.
There is also a server-side option as well, which hits an SSL endpoint on Facebook's servers to return an access token.
References:
"Cookies are an implementation detail": https://developers.facebook.com/blog/post/624/
Authentication docs: https://developers.facebook.com/docs/authentication/
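The receiving side of "post it up to your server", as an added example that is not part of the original answer: it refuses a token that arrived over plain HTTP and checks that the token was issued to this app before trusting it. The WSGI-style `environ`, the trust placed in `X-Forwarded-Proto` (valid only behind a TLS-terminating proxy that sets it), the placeholder app ID and the constructed reply shaped like Graph API `debug_token` output are assumptions.

```python
import time

APP_ID = "APP_ID_PLACEHOLDER"  # placeholder, not a real app id


def request_is_https(environ):
    """True if the request arrived over TLS, directly or via a TLS-terminating proxy."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        # Assumption: the proxy in front of the app overwrites this header.
        return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme") == "https"


def accept_posted_token(environ, debug_token_reply, now=None):
    """Return the user id for a browser-submitted token, or raise PermissionError."""
    if not request_is_https(environ):
        # Anyone on the network path could have copied it; do not start a session.
        raise PermissionError("token submitted over plain HTTP")
    data = debug_token_reply.get("data", {})
    if not data.get("is_valid"):
        raise PermissionError("token is not valid")
    if str(data.get("app_id")) != APP_ID:
        # A token granted to some other app must not log a user in here.
        raise PermissionError("token was issued to a different app")
    now = time.time() if now is None else now
    expires_at = int(data.get("expires_at", 0))
    if expires_at and expires_at <= now:  # assumption: 0 means no expiry
        raise PermissionError("token has expired")
    return str(data["user_id"])
```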
Website login via Facebook works totally fine via HTTP.

Out-of-band OAuth authentication with Facebook

TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application, since the web application isn't actually running on a server?
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html. When the browser redirects, you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/).
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/JavaScript, use their JavaScript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.

Facebook Connect - Switched from JavaScript Authentication to OAuth - Re-Authorization?

In version 1 of my website, I implemented Facebook Connect with the JavaScript API. This included authentication, permissions, and publishing.
In version 2 of my website (what I'm implementing now), I have implemented Facebook Connect with the Graph API (OAuth).
I haven't touched the Facebook settings in my application. But when I attempted to authenticate using OAuth, it asked for the same permissions again (email, basic information), even though I had already granted those before (using version 1).
The only difference I can see is that previously I asked for permissions via FB.showPermissionsDialog, and now I use the scope parameter in the login page URL (OAuth).
What this means is that when I go live, all my users will have to re-authorize my app, when they in fact shouldn't.
Any ideas? Is it because I'm now using AppId/Secret (OAuth) instead of ApiKey/Secret (JS API)?
FYI i'm using the Facebook Connect C# Toolkit.
I don't think that makes sense. Are you using the same application id? The permissions are between the application and the user, as far as I know.
Problem goes on unsolved, but the site is live so not much I can do about it now.
Not a huge deal anyway.
I think you need to validate your OAuth using the JavaScript SDK.
Check this response; hope this gives you some idea.