I have a website based game that has login accounts that I want to integrate into facebook (not facebook connect, I want to use an iframe canvas page).
My question is how can I authenticate a user and how can I check if a user is coming from facebook or directly from the site.
I have been playing around with require_login() using the PHP library. My main fear is how can I authenticate that the GET parameters from facebook are indeed from facebook? If I can do that then I can store their facebook session id and Uid in a session as login credentials.
My other worry is that the GET variable may get passed as a reffer to an external link.
Finally... I find in some browsers that with require_login() that it breaks out of the iframe and gets into an eternal look continually adding additional authtoken's to the URL.
Hope someone can help
Yes you can create a app that works independently as well as facebook app. For the facebook you will have to use the facebook's iframe method to work under facebook.
You can verify the request comes from Facebook by verifying the signature in the same way that Facebook checks that API requests come from your application. With the PHP client library you can use the validate_fb_params() method of the Facebook class to do this automatically.
Bear in mind that session key's are temporary so the user will keep needing to authenticate with Facebook through your application otherwise the key expires within the hour. You may also run into a 3rd party cookie issue with Safari if you're hoping to store the session key in a cookie, and you'll need a compact privacy for quite a few other browser/privacy setting combinations as well. Something like:
<?php
header('P3P: CP="CAO PSA OUR"');
?>
in an include would do it.
And yes: the session key may be passed to external sites as in the referrer properties. It's just one of the security flaws that the platform currently has. The only way around that is either to redirect all external clicks through a handler which removes the referrer, or redirect on page load to strip the fb_sig_ss parameter out.
Related
I have .net web site which designed for working as standalone application. Due to one issue I was made to perform login flow to Facebook manually instead of calling FB.login(from FB javascript sdk). And because of this I am not able to call FB.logout (because in this case another issue appears).
Facebook support advised me this:
"In this case, you should manually clear the user's logged in session, by clearing any stored cookies, or removing any access tokens or user information stored on our end. You can refer to this page for more information on building login/logout flows manually: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logout"
I didn't get this answer. How to realize manually logout workflow?
And I didn't find any examples.
You can check what the PHP SDK’s getLogoutUrl method does here, https://github.com/facebook/php-graph-sdk/blob/5d0c4865e80e231d48a4571841bd018828fe58e1/src/Facebook/Helpers/FacebookRedirectLoginHelper.php#L156
Basically it just calls https://www.facebook.com/logout.php with two parameters:
next is the redirect URI the user should be redirected back to after logout; it needs to be within your app domain
access_token is the valid user access token for the current user of your app
I'm running a Classic ASP website, that has its own user authentication and login mechanism. For example, In order to remember a logged-in user, ASP creates an encrypted cookie and a 20-minute session for each connected user. If the 20 minute session is elapsed, the server revives the session from the cookie saved previously, and saves some data regarding the user to the database.
I want to to be able to allow users to connect with their Facebook or Google identity, but the mechanism used by Facebook or Google is based mainly on Javascript and on client-side code.
How Facebook or Google login can be used while maintaining server side code in ASP? (So that the ASP server can still manage the session and save data regarding it, for example whenever a session is revived)
For me somehow it seems that it may become less secure to use client-side authentication as the code may be altered easily. Isn't this the case?
If I use client-side javascript and log in with Facebook, how would I update the user data retrieved from facebook back into my database, for example the user's first and last name?
For me it sounds that it should be a "server-to-server" communication (between my ASP server and Facebook's or Google's servers) and what they propose is a "client-to-server" communication ... Any ideas how this can be done?
Any help or explanation would be very much appreciated! Thanks.
I'll try to address your Facebook-related questions one by one. However, I will not give you an implementation or any ASP-specific feedback, but only a rough approach. Additionally, I recommend that you study Facebook's documentation on Facebook Login extensively to further your understanding of the matter.
1. Facebook documents the server-side OAuth 2.0 flow in their Manually Build a Login Flow guide. Basically you redirect the user to a specific FB URL that (in the parameters) tells FB to render the "Login with Facebook" dialog, and which permission scopes to ask for. Once the user approves the Facebook Login for your webapp, they will be redirected back to your web app, e.g. with an OAuth token in the query string, that your webserver can then exchange for a user access token.
Once you obtained a user access token, you could e.g. store it in your web app user's session.
2. I don't know what you mean. Client side apps are fairly secure. Perhaps you can convince yourself about how secure JS apps are when reading about things like CORS.
3. If you only use JavaScript (e.g. Facebook's JS SDK) and you want to store e.g. app-scoped user IDs on your server, you need to expose an endpoint on your server that your JS application can submit that kind of information to.
4. You state
what they propose is a "client-to-server" communication
Who are "they", and where are the proposing this? The resources I linked to in 1. should explain how you can use Facebook login in a pure server-to-server way.
Per the SDK, I am using the logout.php with redirect:
https://www.facebook.com/logout.php?confirm=1&next={SOME URL}&access_token={ACCESSTOKEN}
It is logging me out fine, but it's also logging the user out of facebook. Isn't there a way of logging out of my OAuth session without logging out of facebook?
Yes, I ran into this same issue myself. Dont do logout.php or JS SDK's FB.logout(). Rather call the Graph API with an HTTP Delete command to me/permissions. That will kill the access token, remove the app from the user's app listing and maintain their browser's cookie for facebook. You can call it either server side or client side. Here's the client side Javascript SDK way:
FB.api("me/permissions","delete", function(response){/*do something if you want*/})
This is one of the many annoying things about developing on the Facebook platform. The only way to log out via a browser session is to use their javascript logout function or the redirect like you tried but either will also log the user out of Facebook which is very annoying from a users perspective. The problem is you can't access the cookie they set for your app to delete it due to cross-domain restrictions so you are stuck with the limited options Facebook provides. If you are not prompting for offline_access, you could just forget the users access token and it will expire after an hour. Although the problem still exists that the cookie is still set for within that hour.
I'm getting into the grimy guts of a problem that has turned out to be rather cumbersome so I turn to you, the experts, for help.
what I've done so far: I am building an iphone app with phonegap. I am using the provided fbconnect (in phonegap github) code which gives some rather convenient javascript based example code to build things like a comment and check in request. I have comments and checkins fully working how I want, and I have an auth_token that I am successfully toting around.
enter the like button: I understand that you cannot make like requests via xmlhttprequest in the same way that you can with comments for example, so I am stuck using an iframe (unless there is a better alternative).
what I need help with: right now, since the iframe is triggering its own login, I have the situation where the user might log in to like, and then have to log in again to comment which is not a viable. Is there a way to pass a valid auth token to the iframe so the user wont be prompted to log in again or some other sneaky way to authorize through the childbrowser solution that I have currently implemented and then share the auth token to the rest of the app?
notes: I havent passed an app ID to my auth implementation but I noticed that the iframe does pass an app ID. would including an app ID in my auth request somehow link the logins so facebook could recognize that the user is already logged in through the app?
I can't think of any specific code to include since this is more of a general question but if there is anything you'd like to have a look at please let me know.
The short answer is no, mainly for security and spam prevention. The only way to have the user like your page is rendering the iframe code in a webview. This requires a traditional email/password login with Facebook. Using the graph api is the only way to use things like commenting and checkins, and this requires a user to login via a separate mechanism and then subsequently approve your app. There is no back door logging in mechanism.
I am building a facebook canvas app and i am using the signed request parameter provided by facebook to check if the user has already authenticated the app. (by checking the presence of user_id field). If the user_id is not set then I redirect the user to a uthorization page (using top.location in javascript).
The problem is that, in my application I need to make internal redirects and then i can´t get signed request anymore.
Possible solutions:
1). Change the way i check if the user has installed the app . Get the current user (not sure if I need signed request anyway). Then use the graph api to check the permissions).
2). allways use client side redirects. (then I can allways get the signed request and it is also provides better navigation to the user because the top url change.) Not sure about the performance compared with iframe redirects.
What is the best option, in your opintion.
PS: I am using PHP SDK / symfony framework and the javascript sdk.
The most common way to handle this is to set a cookie to carry forward either signed_request or whatever subset of data from it you need, so it is available on all pages. You can do this directly or by using PHP sessions to store the data.
However I am personally of the opinion that cookies are a bad idea within iframe apps. For an alternate approach that may do what you need, have a look at http://www.braintilt.com/fbcookies.php .