I want to build a Facebook application that will be available only to those who have been invited to it or to a certain list of people (the list will be used for initialization).
How can I achieve that?
Depends what you mean by available. Anyone can install/authorise your application - all it means is that it'll appear in their applications list, and that your application has more access to their profile.
However, whenever someone uses your application Facebook will send you their unique uid which you can then filter on within your own code. Store a list of uids that you consider "invited", and only allow them access.
Probably the neatest way to do this is at the start of a session; the initial exchange between Facebook and your application involves Facebook sending your app a uid and authentication token, with which your app requests a session key - if you filter at that point and simply refuse to request a session key for any uid that's not on your list, you can programmatically restrict access.
There is so called "application sandbox mode". It is intended for development and testing though. But the meaning of this mode - you directly specify what users have access to your app(testers)
Related
Facebook provides an OAuth authentication system for third-party apps but they appear to not provide any fine-grained user management capabilities.
This seems like a security problem. I need to be able to:
Disable delete unused accounts
Disable or delete abusive users
White list users for early access to a new app.
But AFAICT FB provides no tool to do this.
I can probably hook of of the OAuth ID and put an entry in my database for the first two requirements, but I can't figure out how to white list Facebook users.
Google is unhelpful because all the results are about let users manage applications their user account is attached to, and nothing about allowing apps to manage what user accounts they are attached to...
Usually is a bad idea to delete or disable unused accounts, because maybe user was inactive for a long time, this doesn't mean the user deleted or disabled his account.
On the other hand, you can't avoid malicious users join your app via facebook authentication. What you can do is to detect suspicious activities with your own implementation (after Facebook accept them to join your app), and suspend, block or disable those accounts on the server (blacklisting them), after the user has joined client-side and sent the required access-token (optionally request the ID) trying to be accepted by the server.
Whitelisting users may depend on the requirements of your application, you can check profiles data and reject those that doesn't provide the requirements that your app needs (remember to ask the user for the fields that your app requires, like public profile, pictures, etc; these must be accepted by the user before signing in).
Here's how you white list users for an app on Facebook:
Keep the app in Development mode
Add users from your friend network in the Testers role
When you are comfortable, open your application to the world.
AFAICT you cannot white list when your app is published, but that's the point of publishing. Also the whitelist is not a request-grant method, it's invite only.
The other requirement to delete or disable users you must handle yourself in your database. You would tie the user's status to the FB's unique ID.
I've written a web application which uses Facebook as the main way to authenticate users and collect information. On the home page, there is one button 'Sign in with Facebook', which allows users to sign in to the app.
Is there any way to restrict which users can use the Facebook app, and thus log into my web app, or do I have to handle this separately/manually? My first idea was to add them as 'test users', because my app is still in beta phase, and thus not publicly accessible. But I'm not sure (and I can't find anywhere) how much test users are allowed per app (as this could be up to 1000 users over time).
You have to handle it manually. A good way to restrict access is to deny access in general, store authorized users and activate their access in a backend. You canĀ“t just get their ID before authorization, because the ID is App Scoped.
I have two facebook apps in the same business.
I want to get same scoped ids for both apps when users are logging in (because I use the same database).
I've read the facebook upgrade guide, but I don't get how to use the token_for_business to get same id when the user is logged.
Graph api returns different tokens for business for every app (which is strange).
The only useful thing so far is the /me/ids_for_business call to get list of the user scoped IDs for every busines..but it only returns them if they were logged at least 1 time..
My second app is new and if user logs in to it (without logging in to the first app) I can't get his first app ID to store and use it.
Thanks
There will always be differend app-scoped user ids per app. That's the whole purpose of them.
Have you followed the steps at
https://developers.facebook.com/docs/apps/business-manager#create-business and/or
https://developers.facebook.com/docs/apps/business-manager#update-business
If so, according to the docs, the field token_for_business of the user should contain
A token that is the same across a business's apps. Access to this token requires that the person be logged into your app. This token will change if the business owning the app changes
I'm developing an app on iOS and Andriod. I would like to allow only some Facebook ID to be able to use my app. How can I do that?
Can i put their facebook unique id into my server and when they login, the app will get thier unique id and verify it with the one stored on my server?
But can someone steal other's unique id then loging in random account and use that stoled unique id to get access into my app?
If you are using some sort of official SDK to authenticate and log your users into your system then the FBID the SDK gives you can not be "spoofed".
You as long as you are using supported methods to authenticate your users (ie: via Facebook itself) you can rest assured that only the "allowed" users as you say will be able to use the application.
Keep in mind that using this method you will not be able to prevent other users from installing your application. Your server will only be able to check if the user is "allowed" to use the application after the user has installed and authenticated via Facebook - only then will you have access to their FBID for validation.
If you want to totally prevent anyone who is not in a certain group of users from reaching your application at all then you can setup some roles for your application as long as it is left in "Development Mode": https://developers.facebook.com/docs/ApplicationSecurity/
Using these settings will allow you to define certain groups of users such as developers or testers and only users specifically listed will be able to install and use your application.
I've been trying to figure out a way to have my iframe Facebook app (built in PHP) work without requiring separate authentication methods. I am already logged into Facebook, but for some reason I still see all these Oauth notices from the example in the PHP SDK.
The only data I need is publicly available even without them "adding" my app. I am looking to collect their Facebook ID (since this is a contest, we need a unique ID for tracking), their name and (optionally) their email address as well.
The problem is, I cannot use the API to fetch the public information unless I already know their Facebook username. Any ideas on how I might be able to get their logged-in username or public handle so I can then fetch the rest of the information?
For whatever reason, Oauth is driving me completely insane with Facebook today.
Sidenote:
I did manage to technically get the Javascript SDK operational, which fed some information to PHP for use. The only issue there is that once I login, I don't see the data. If I refresh...then it shows up. Unsure why the refresh is required, as I wouldn't expect a user to actually have to hit refresh in order to proceed with the app.
I guess you are a bit confused here, Facebook will NOT share the username, id, full name or email without the user explicitly authorizing/allowing your application (and in the case of the email, requesting the email permission!).
Read the official Canvas Tutorial for more information:
In order to gain access to all the user information available to your
app by default (like the user's Facebook ID), the user must authorize
your app.