I have client-side FB connect working. In my example you just click login with Facebook and then a popup appears, they login and then are returned to the app, where I display their name and pic.
My questions are around how to make use of this connection.
If they are using fb to log in would I create an account with this
information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Can I only query the API for data from the client, or can I store some info on
the server that lets me query their account from the server?
How would something like finding out if two people are friends work?
Would this be done on the server? What does the query look like?
How long do sessions last and how is it decided? Will the login persist across multiple visits?
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Any help figuring out how this works would be spectacular. Thanks very much for the help!
If they are using fb to log in would I create an account with this information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Yes, and you'd use their Facebook ID to find if they have an existing account.
Can I only query the API for data from the client, or can I store some info on
the server that lets me query their account from the server?
Store the access token. If you need long-lasting access (the default token expires after an hour or two) you need to request offline_access extended permissions.
How would something like finding out if two people are friends work? Would this be done on the server? What does the query look like?
Fetch a user's friends list from https://graph.facebook.com/me/friends and see if the friend's Facebook ID is in there.
How long do sessions last and how is it decided? Will the login persist across multiple visits?
When the user authorizes your app via OAuth, the expiration time in seconds is appended to the URL.
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Yes, until the token expires. See above regarding offline_access.
Related
I am trying to add Stripe Connect to my app, but I do not want to create users using Stripe Connect integration. I have my own user sign up process, because not every user will need the payment option provided by Stripe so I do not want to force everyone signing up to Stripe if they do not need it. That is where my problem is. I follow Stripe's quite nice and straight forward documentation here: (https://stripe.com/docs/connect/enable-payment-acceptance-guide).
My problem is that I do not know how to save the user's stripe_account_id which the oauth return s to the /connect/oauth path so it is saved to appropriate user since there is no id of the user passed. How can I find out, which user is connecting to Stripe and save the id to his account in database? I feel like I am missing something here. I understand this would work if I would create a user but I cannot do it that way.
Thank you for help.
When you create the OAuth link that connects your users to your platform, you can pass in an arbitrary state string which Stripe will then pass back to you after the link is completed. If you put your user's unique ID in there, you'll be able to link the completed connection back to your user in your database.
I'm having some trouble wrapping my head around Facebook login coupled with my api security-wise for a webapp I'm creating. What do I need to store in my database, ID, token, something hashed etc? My flow so far is as follows:
When a user visit my app they see a welcome text with a button saying "Login with Facebook".
They hit the Facebook-button, if the user do not exist a new row is created in the database. For now I'm storing the user's Facebook name, id and a hashed token with the combination of the two. And then store a cookie with the token.
If the user return later to visit the app, they get redirected to the app without going through the Facebook login, because the token is stored in the cookie, and the user is found in the database based on it.
If the user return to the app without a the cookie token. The user has to hit the login with Facebook-button again, but now the user exist in the database and based on the name and id, I can find the user and return the token for a cookie.
Step 4 however seem a bit unsecure. Based on the name and id I can find a token of a user and set it in my cookie, granted I know (or can find?) the name and the id of that user I want to exploit.
This is my flow. Am I approaching this wrong, do I have to use the Facebook SDK C# in my Web API for server-side validation regarding a access token of some sort?
Any tips, hints or pointers to another flow is very welcome aswell.
Here is my desired flow:
I want to allow my users to have an account on my website using their Google Account to log in (pretty much like on Stack Exchange here). There's a lack of post-2012 guides on this matter on the net so I'm following Google's guides which I find a bit cryptic.
I've successfully followed this guide on Initiating the Google+ Sign-In flow with JavaScript and I can get the access_token with authResult['access_token'].
What should I do after this? This access_token is apparently unique and will be different each time the user logs in. Now that my user has logged in using Google+ how can I POST a code to my server page to uniquely identify this user and start a PHP session for his account?
Make a POST request to your server with the access_token so your server can make an authenticated request to people.get. This will return the users Google+ id an optionally their email address you can use to identify them.
A very simple question which I've seen kinda answers to.
Can you do a facebook login with PHP to authenticate a user and grab information?
Why then is there a JS version?
I just don't understand the difference between the two above options.
My web app will need to gleen the users email address as there will be a mailing list component to signing up for our service.
How do you manage this local information and uniquely identify the user each time they log in from facebook? Do you store their facebook ID?
Thanks
1- Yes - https://developers.facebook.com/docs/reference/php/
2- So you can do it on the client side.
You can get user's email address if you have appropriate permissions.
Yes you store their facebook id and associate users with it.
They both do the same thing, just on different sides: on the server or on the client.
If your authentication process relies heavily on server interaction and you have your server side code ready, use the PHP SDK. It provids you with methods to get the ID from the user. This will be unique so you can store them.
If you want to manage an application flow, say the user needs to give your website certain permissions in order to view something, it can be easy done with the Javascript SDK.
I want to implement something similar to what Digg has done.
When the user logs in for the first time, I want it to force them to create an account on my site.
More importantly I want to know how to log a user into my site when they login with facebook connect. If they login with facebook connect, they still haven't provided me the password to their account on my site, so I can't use username/password to log them into my site. How do they do this on Digg or sites similar to this?
Facebook's process flow can definitely be a bit confusing. Take a step back from the details and the API, and look at the overall flow here:
Facebook Connect will tell you that a user is logged into Facebook, and give you their Facebook ID. You can validate that ID against Facebook using Facebook Connect to make sure it is properly logged in. Once this is done, you don't need a user name and password. As long as you trust that Facebook has authenticated the person properly, they are the only ones that can come to your site using that Facebook ID. That is enough information to start an authenticated session based around a local account that is associated with that ID.
The process you should follow is like this:
User logs in to your site with
Facebook Connect for the first time
You notice that you don't have a local account associated with that
Facebook ID, and prompt them to
enter local account information
You save that information along with their Facebook ID
The next time you see that Facebook ID (and validate that it is
logged into Facebook using the
Facebook API), you can start up a
local session using the associated
account.
Basically you end up with two separate methods of authentication: a Facebook Connect ID check, or the regular username/password login on your site. Either one should have the end result of starting a local authenticated session.
Hope that helps.