How can I hook up facebook connect with our site's login? - javascript

I want to implement something similar to what Digg has done.
When the user logs in for the first time, I want it to force them to create an account on my site.
More importantly I want to know how to log a user into my site when they login with facebook connect. If they login with facebook connect, they still haven't provided me the password to their account on my site, so I can't use username/password to log them into my site. How do they do this on Digg or sites similar to this?

Facebook's process flow can definitely be a bit confusing. Take a step back from the details and the API, and look at the overall flow here:
Facebook Connect will tell you that a user is logged into Facebook, and give you their Facebook ID. You can validate that ID against Facebook using Facebook Connect to make sure it is properly logged in. Once this is done, you don't need a user name and password. As long as you trust that Facebook has authenticated the person properly, they are the only ones that can come to your site using that Facebook ID. That is enough information to start an authenticated session based around a local account that is associated with that ID.
The process you should follow is like this:
1. User logs in to your site with Facebook Connect for the first time
2. You notice that you don't have a local account associated with that Facebook ID, and prompt them to enter local account information
3. You save that information along with their Facebook ID
4. The next time you see that Facebook ID (and validate that it is logged into Facebook using the Facebook API), you can start up a local session using the associated account.
Basically you end up with two separate methods of authentication: a Facebook Connect ID check, or the regular username/password login on your site. Either one should have the end result of starting a local authenticated session.
Hope that helps.
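The flow in the answer above, as an added example that is not part of the original answer. `verifyWithFacebook` is a hypothetical stand-in for the server-side validation call to Facebook, and the tokens, IDs and in-memory maps are constructed for the example.

```javascript
const crypto = require('crypto');

// In-memory stand-ins for the site's own tables (assumption for the example).
const accountsByFacebookId = new Map(); // Facebook ID -> local account
const sessions = new Map();             // session ID  -> local account id

// Hypothetical verifier with constructed data. On a real site this is a
// server-side request to Facebook that returns the ID the token belongs to.
const VALID_TOKENS = new Map([['tok-alice', '1001'], ['tok-bob', '1002']]);
function verifyWithFacebook(token) {
  return VALID_TOKENS.has(token) ? VALID_TOKENS.get(token) : null;
}

// The local session is identified by an unguessable random value,
// not by the Facebook ID or the Facebook token.
function startSession(accountId) {
  const sessionId = crypto.randomBytes(32).toString('hex');
  sessions.set(sessionId, accountId);
  return sessionId;
}

// Every visit: validate first, then log in or ask for local account details.
function facebookLogin(token) {
  const facebookId = verifyWithFacebook(token);
  if (facebookId === null) return { status: 'rejected' };
  const account = accountsByFacebookId.get(facebookId);
  if (!account) return { status: 'needs_registration' };
  return { status: 'logged_in', username: account.username,
           sessionId: startSession(account.id) };
}

// First visit only: save the local account together with the Facebook ID.
function registerWithFacebook(token, username) {
  // Re-verify here; a Facebook ID posted by the browser proves nothing.
  const facebookId = verifyWithFacebook(token);
  if (facebookId === null) return { status: 'rejected' };
  if (accountsByFacebookId.has(facebookId)) return { status: 'already_linked' };
  const account = { id: accountsByFacebookId.size + 1, username, facebookId };
  accountsByFacebookId.set(facebookId, account);
  return { status: 'logged_in', username, sessionId: startSession(account.id) };
}
```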

Related

facebook js sdk. How do I login with facebook, without the user actually login into facebook?

I am new to stackoverflow, so I hope that I ask the question correctly.
For a website that I am working on, I have to implement logging in using your facebook account. I have this working for the biggest part, since the user is able to log in using facebook and I'm able to retrieve the information I want.
But the problem is, whenever the user logs in with their facebook account, he automatically gets logged in into facebook itself. And whenever the user presses the log out button, facebook logs him out too. For the facebook login, I am using the javascript sdk from facebook.
This can be quite annoying for the user, since it must be possible for a random user to log in to my website using their facebook account, even when someone else is logged into facebook itself on the same computer.
So my question is: is it possible to log in with facebook without the user actually logging into facebook, like just let facebook verify the account and send the requested information back? Using the facebook js sdk, of course.
That is not possible. You cannot have 2 different Facebook sessions in one browser and you need to login to Facebook in order to login to your App.

Logging in to my website with Google (what to do after getting access_token)

I want to allow my users to have an account on my website using their Google Account to log in (pretty much like on Stack Exchange here). There's a lack of post-2012 guides on this matter on the net so I'm following Google's guides which I find a bit cryptic.
I've successfully followed this guide on Initiating the Google+ Sign-In flow with JavaScript and I can get the access_token with authResult['access_token'].
What should I do after this? This access_token is apparently unique and will be different each time the user logs in. Now that my user has logged in using Google+ how can I POST a code to my server page to uniquely identify this user and start a PHP session for his account?
Make a POST request to your server with the access_token so your server can make an authenticated request to people.get. This will return the user's Google+ ID and, optionally, their email address, which you can use to identify them.
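An added example, not part of the original answer, of what the server should check before it trusts a POSTed access_token: that the token was issued to this application and has not expired. `fetchTokenInfo`, its field names, the client ID and the sample tokens are assumptions constructed for the example; a real server would obtain this information from Google over HTTPS.

```javascript
const OUR_CLIENT_ID = 'example-client-id'; // constructed placeholder

// Constructed stand-in for what the provider reports about each token.
const PROVIDER_VIEW = new Map([
  ['tok-ours',    { audience: OUR_CLIENT_ID,    userId: 'g-42', expiresAt: 2000 }],
  ['tok-other',   { audience: 'some-other-app', userId: 'g-42', expiresAt: 2000 }],
  ['tok-expired', { audience: OUR_CLIENT_ID,    userId: 'g-7',  expiresAt: 900 }],
]);

// Hypothetical lookup; replace with the provider's token validation call.
function fetchTokenInfo(token) {
  return PROVIDER_VIEW.get(token) || null;
}

// Decide which user the POSTed access_token identifies, or refuse it.
function identifyUser(token, nowSeconds) {
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'missing token' };
  }
  const info = fetchTokenInfo(token);
  if (!info) return { ok: false, reason: 'unknown token' };
  // A token issued to a different application still names a real user.
  // Without this check, a token the user granted elsewhere would be
  // accepted here as proof of identity.
  if (info.audience !== OUR_CLIENT_ID) return { ok: false, reason: 'wrong audience' };
  if (info.expiresAt <= nowSeconds) return { ok: false, reason: 'expired' };
  // Key the local account on the stable user ID, never on the token,
  // because the token is different at every login.
  return { ok: true, userId: info.userId };
}
```

Only after `identifyUser` returns `ok: true` should the server look up the local account for `userId` and start its own session.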

Google+ and Facebook Login on Page Load

I am successful in implementing Facebook API and Google+ API. I don't have any issues with login or logout. Even when the page is refreshed, the information is working fine.
But when the user logs into Google+ and Facebook in different tabs and has provided access to the app by logging in with both accounts, then I am seeing both images.
How can I avoid this? On page load, I would like to see only either Facebook or Google+ but not both.
If Facebook login then show only Facebook
If Google+ Login then show only Google
If he is logged in to both then show only one of them.
This just out, how to do both:
One of the key parts is the concept of identities vs users. A user represents a human, an identity represents a human logging in with a particular social network. Data security is done on users, showing photos and whatnot is done on identities.
The first code snippet shows some pretty simple logic for deciding which login provider to use if a user is logged in with both.
https://developers.google.com/+/best-practices/facebook#separating_social_and_business_logic
Only allow them to associate their Google+ or Facebook accounts, not both. If one is associated, then do not allow the other.

Grokking client-side Facebook connect?

I have client-side FB connect working. In my example you just click login with Facebook and then a popup appears, they login and then are returned to the app, where I display their name and pic.
My questions are around how to make use of this connection.
If they are using fb to log in would I create an account with this information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Can I only query the API for data from the client, or can I store some info on the server that lets me query their account from the server?
How would something like finding out if two people are friends work? Would this be done on the server? What does the query look like?
How long do sessions last and how is it decided? Will the login persist across multiple visits?
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Any help figuring out how this works would be spectacular. Thanks very much for the help!
If they are using fb to log in would I create an account with this information the first time? Then supplement this info with app specific stuff? Then grab that account every time they login? How should I reference the existing account?
Yes, and you'd use their Facebook ID to find if they have an existing account.
Can I only query the API for data from the client, or can I store some info on the server that lets me query their account from the server?
Store the access token. If you need long-lasting access (the default token expires after an hour or two) you need to request offline_access extended permissions.
How would something like finding out if two people are friends work? Would this be done on the server? What does the query look like?
Fetch a user's friends list from https://graph.facebook.com/me/friends and see if the friend's Facebook ID is in there.
How long do sessions last and how is it decided? Will the login persist across multiple visits?
When the user authorizes your app via OAuth, the expiration time in seconds is appended to the URL.
Can I make use of the login when the user isn't currently active in the app? Query for a status or make a request on their account in between visits?
Yes, until the token expires. See above regarding offline_access.

Facebook Logout causes logout from my application

I have created a simple javascript widget where login happens using Facebook Single Sign On. It logs the person in whenever he is logged in to facebook (after authorization for the first time). However, it also logs out the user when Facebook logout happens. I want the person to not get logged out when the person logs out of Facebook.
Please suggest a way around this.
It is not possible to keep a facebook connection going once they are logged out. The way around would be to create your own user tracking.
Once a user is logged in through facebook - store their information in a session (cookie, table) and then rely only on that to check if this user is still logged in (you will need to implement your own logout too). This will work only if you use facebook as a login provider, if you need some interactions with facebook api that require login - they have to be logged in to facebook.
