I have created a Facebook app, added it to a Facebook Fan page and I want to detect whether the user visiting the app tab is an administrator of the actual Fan Page (not the app). Is this possible through FB's JS SDK?
If the user has authorised your app and you have the manage_pages permission from them, yes.
Otherwise, no, you'll need to do this server side by parsing the signed_request
Related
Facebook JavaScript SDK guide contains an example code to integrate Facebook login and authorization for a specific application. The only information provided to this script is the App ID.
Let's say an user authorizes my application to access his private data. Now, what prevents someone else to put a Facebook login form on his own application using my App ID and JavaScript to make it look like it came from my domain and access this user's private data?
Do browsers provide enough security on this subject?
Now, what prevents someone else to put a Facebook login form on his own application using my App ID and JavaScript to make it look like it came from my domain and access this user's private data?
Do browsers provide enough security on this subject?
Nothing to do with the browser, really. Facebook will only pass data back to a domain that's in your whitelisted set of app domains in the developer console.
When the SDK redirects user to Facebook, Facebook's servers redirects back to your site. The redirect URL is set by you in the App Settings of Facebook Developer Center. If someone steals your App Id and puts it in his site, all of his users would be redirected to your site.
I have a scenario that I think should be fairly simple, yet I'm not finding a solution and wondering if someone can point me in the right direction.
The setup:
1) SharePoint online website (user must be authenticated to see page)
2) .NET MVC Web API service endpoint (user must be authenticated to get data from the service)
Both of these authenticate using the same Azure Active Directory. The Web API has been registered in Azure AD.
The problem:
I would like to put some javascript on a SharePoint Online page (not a Sharepoint Add-in, not an AngularJS SPA) that will make an AJAX call to the Web API using the logged in user's credentials without any kind of user prompt (since this is an ajax call, the user won't see the prompt anyway).
I've tried looking into the ADAL libraries, but all the JavaScript ones I can find require the use of Angular and require the user to authenticate a second time. I've found some documentation using OAuth 2.0, but (from what I can tell) require you to get the client to authorize the Sharepoint Online page to act on their behalf - which the user will not be able to consent to because it's an AJAX call and the consent page is not displayed in the browser (and it's still doing this despite having the app already approved by an administrator in Azure AD).
It seems to me the user shouldn't have to leave the SharePoint page and shouldn't have to enter their credentials a second time. I believe there should be some way that the log-in to SharePoint Online should also be able to be used as the log-in for our in-house app.
If someone could just point me in the correct direction, I would be very much appreciate it. Thanks in advance.
Normally, if we call the resource which protected by Azure AD, we need to authorize the app via OAuth 2.0.
Were you able to put a hidden iframe in the SharePoint online page? If it is possible, then we can use the Azure AD implicit flow get the token through iframe, and we can call the REST which protected by Azure AD via the token return by iframe. To enable the implicit flow, we need to download the application manifest from Azure portal and switch ‘oauth2AllowImplicitFlow’ to true.
And if you were only developing a single tenant which doesn’t require users to consent the app. Here is the HTML code request the token from a Iframe for your reference:
<iframe width="0" height="0" id="oauthHideIframe" src="https://login.microsoftonline.com/{tenantId}/oauth2/authorize?response_type=token&client_id={Client_Id}&redirect_uri={redirect_Url}&resource={your web api app url register on the protal}"> </iframe>
And to pass the token from iframe to the parent window, we can use the window.postmessage which allow the corss-orignal communication.
I have a login page via WCF restful APIs. I am logging in and now the problem after logging in if user exits in the app and try to re open the app, the app doesn't want to ask the user for credentials by storing the previous credentials. It has to automatically redirect to the another page. Any ideas, suggestions? I'm using JavaScript and HTML & Cordova.
Take a look at this answer
Cordova app with autologin feature
This answer is one of the best ways to implement autologin in hybrid apps, to me.
I'm developing a web-app that at the start connect to facebook, but before asking user credentials I'd like to try to retrieve these credentials from official Facebook Application (Android, IOS or MAC app).
Is this possible?
The user must accept the applications permissions BEFORE anything is displayed.
The easiest way is just printing their details from them to view once they're signed in, but following Facebook's Guidelines, you can't view a user's profile information without.
I had registered a facebook app for my website. And my problem is that I use single sign on for my website.
User must login with their facebook account in www.site1.com, then they will be redirected to www.site2.com.
How can i use the same register app Id on 2 sites for future functions. I want to use facebook javascript sdk to some stuff on www.site2.com
Thanks for your help. Nice day !
single sign-on:
SSO is simply logging a user with facebook and maintaining a site-wide session on your server and cookie on user's machine. This session shall remain valid for all pages on your website.
1) http://blog.mixu.net/2010/12/27/implementing-facebook-login-single-sign-on-part-1/
2) http://blog.mixu.net/2011/01/03/implementing-facebook-login-part-2/
3) http://blog.mixu.net/2011/01/09/implementing-facebook-login-part-3/