I wondered if there was a way to login to Facebook via the oAuth (get-request) instead of using the FB.login().
The reason I would complicate the login is because of the FB.logout() problem. It is too cocky to logout someone from Facebook, just because they want to logout from my site. On the other hand, deleting the user from my application*, will prompt them to accept my terms everytime, which also doesn't seem to be very pro.
What I was imaging was:
I get the information needed from the GET-call
I store the session-cookies
I delete them if the user wants to logout
Once I retrieve the userid + access_token, I can get all the other information by simply making the JSON calls (no?).
It also bugs me in general that facebook stores so many cookies (what are they doing?)..
I tried to search this, but no luck this far.
*as proposed in this topic by DMCS: Can't Logout of my Facebook OAuth Session without logging User Out of Facebook
You can use the server side flows which, but you will have to adhere to the same policy.
Either way, it sounds like you are using FB's session data to control the auth state, something which is a very bad idea - you should only use the data provided by Facebook as an initial claim, which you then convert into a local claim with corresponding auth tokens/session cookies etc.
Related
I'm making a personal smart mirror and i'm looking to integrate the spotify API to display my 'currently playing' track. However, I've noticed that in the authorization process, you need to physically click log in and authorize the app in order to get the credentials required to move forward in obtaining your data. Could this be automated/require no user interaction?
I am referring to step 1 of the api authorization guide.
Many thanks.
If you are using this for a personal smart mirror you shouldn't have a problem. You only need to authorize by clicking a button in a browser one time and will be able to make all API calls afterward without needing to click anything.
Specifically, after you do in step 3 of the authorization flow you will be given a refresh token. After the authorization token expires you can use the refresh token to refresh the authorization automatically without clicking anything.
From their documentation:
Accessing your data without showing a login form
I want to interact with the web API and show some data on my website. I see that the endpoints I need authorization, but I don’t need/want a login window to pop-up, because I want to grant my own app access to my own playlists once. Is there any way of doing this?
You basically need an access token and a refresh token issued for your
user account. For obtaining a pair of access token / refresh token you
need to follow the Authorization Code Flow (if you need a certain
scope to be approved) or Client Credentials (if you just need to sign
your request, like when fetching a certain playlist). Once you obtain
them, you can use your access token and refresh it when it expires
without having to show any login form.
If its not for you personally you could jump through hoops and write code that fakes being a web browser, perhaps using something like curl or selenium but odds are it is against their terms of service and are if you get caught they'll ban you.
I'm a bit confused. I am trying to provide a simple Google Authentication sign-on.
I would like to use Google's recommended method using the client-side flow: https://developers.google.com/+/web/signin/add-button
If I use this method, how will I keep a user logged in as they move from page to page. I know I can't create PHP session via Javascript.
How can I use the client-side flow and keep a user signed in. I am using PHP on my server.
After spending a few weeks researching, I now understand that I cannot just set a php session variable and stop using oAuth2. I realize that everything I need to get information from Google, I must prove that I have still authenticated that user.
Also, I have come to understand that unless you force prompt, Google will not resend a refresh-token. To provide the best user experience, you must capture the token at first login and then re-use the token to make calls without having to force prompt. This token must be stored in a secured location such as a database for each user.
I want to allow my users to have an account on my website using their Google Account to log in (pretty much like on Stack Exchange here). There's a lack of post-2012 guides on this matter on the net so I'm following Google's guides which I find a bit cryptic.
I've successfully followed this guide on Initiating the Google+ Sign-In flow with JavaScript and I can get the access_token with authResult['access_token'].
What should I do after this? This access_token is apparently unique and will be different each time the user logs in. Now that my user has logged in using Google+ how can I POST a code to my server page to uniquely identify this user and start a PHP session for his account?
Make a POST request to your server with the access_token so your server can make an authenticated request to people.get. This will return the users Google+ id an optionally their email address you can use to identify them.
I've created a custom open graph action that uses the publish_actions permission.
Once the user has granted this permission, which access token do I need to use to post the open graph action? Can I just use my app token or do I need to use an active user token?
I've tested this and it looks like as long as the user has granted the app the permissions, using just the app token works. I'm worried though that this might be a quirk in the api or that it might change since its not in the api docs.
Let me know how others have implemented something similar, and if it helps this open graph action has not been submitted for approval yet.
Both will work, and in some cases the app access token is needed (this is an option you can specify on specific action types), but in general you should probably use the user access token, as you'll need this to read back the data and make any other api calls on the user's behalf
I want to implement something similar to what Digg has done.
When the user logs in for the first time, I want it to force them to create an account on my site.
More importantly I want to know how to log a user into my site when they login with facebook connect. If they login with facebook connect, they still haven't provided me the password to their account on my site, so I can't use username/password to log them into my site. How do they do this on Digg or sites similar to this?
Facebook's process flow can definitely be a bit confusing. Take a step back from the details and the API, and look at the overall flow here:
Facebook Connect will tell you that a user is logged into Facebook, and give you their Facebook ID. You can validate that ID against Facebook using Facebook Connect to make sure it is properly logged in. Once this is done, you don't need a user name and password. As long as you trust that Facebook has authenticated the person properly, they are the only ones that can come to your site using that Facebook ID. That is enough information to start an authenticated session based around a local account that is associated with that ID.
The process you should follow is like this:
User logs in to your site with
Facebook Connect for the first time
You notice that you don't have a local account associated with that
Facebook ID, and prompt them to
enter local account information
You save that information along with their Facebook ID
The next time you see that Facebook ID (and validate that it is
logged into Facebook using the
Facebook API), you can start up a
local session using the associated
account.
Basically you end up with two separate methods of authentication: a Facebook Connect ID check, or the regular username/password login on your site. Either one should have the end result of starting a local authenticated session.
Hope that helps.