Can we get the Facebook user access token without prompting to login page. Isn't it enough having App Id and App Secret to get the token. I have tried according to the Facebook API documentation. But it prompts to login screen if you are not already logged in in the browser.
This is what document says,
User Access Token – The user token is the most commonly used type of token. This kind of access token is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf. User access tokens are generally obtained via a login dialog and require a person to permit your app to obtain one.
Related
Per https://developers.google.com/identity/sign-in/web/server-side-flow in order to get a refresh token, the client must grant offline access. However, I see no way to do that using the new API. What's the proper way to get a refreshed token using the Google button, so the user doesn't need to re-login every hour?
Authentication for sign-in has been separated from authorization for data access in he new API.
In the new API authentication does not require or use access or refresh tokens, instead a signed JWT ID token credential containing the user profile is shared after user consent. This greatly simplifies the level of effort and need to manage tokens during app sign-up or sign-in.
If you're performing authorization to access Google APIs and storing refresh tokens on your backend, then a server-to-server OAuth flow is appropriate.
Another clarification, user sign-in to your app and maintaining session state are separate concepts and should be handled separate from backend processes which may use an offline refresh token to perform actions through a Google API on behalf of the user while they are not logged in.
I'm trying to create an HTML page, and a part of it is to check if a user has an active Azure AD logged in session. If so then certain elements of the page would change.
The IdP and SP are setup correctly, and SSO works, this is a separate page from both of them.
This page is here before the user is redirected to the service provider. I just can't figure out how to do this! Is there any way to do it without redirecting the user off the page, maybe using JS?
After passing the aad authentication, you will get the access token.
You want to determine whether the azure session is valid before sso authentication. Then in your html page, if you include access token information, you can judge whether the tokens are valid and expired.
If the html page does not contain token information, it is recommended to use ropc flow to obtain the access token again. If you have to judge whether it has expired, it is recommended to store the information when logging in and verify it next time you log in.
If I go to the Graph API Explorer, get a User Access Token, and then go to /<page-id>/live_videos I can return a list of live videos from that page, including the status (VOD aka past, or LIVE) and the embed_html.
This is great but the problem is this User Access Token will expire. I want to be able to get this data as part of my website to show visitors whether we are live or not, and if so give them an option to open the video right there on the site. It shouldn't be something a user has to login in to allow my app to access FB on their behalf.
So I tried using an App Access Token which I got by using the App ID and App Secret of my page's 'Facebook App' as described in the Facebook docs here... but the Token that I get from this does not work; it tells me A user access token is required to request this resource.
Why must I get a User Access Token when it's my App (aka my website) that wants the data?
Honestly I didn't think it would be hard to get this information since it is a completely public page; I would have guessed you don't even need to authenticate, but probably just some need sort of identifying token for your app for rate limiting, etc. Is there any method like that?
I would like to let users login to my site using Facebook and I want to obtain a token from FB when the following properties:
For a given user, the token is always the same when they log in with facebok
The token is unique to my app. That is if that user logs into some other app with facebook they aren't given the same token.
Does FB provide anything like this? As far as I can tell the user id that the facebook api returns is the same for all applications.
I know that I could achieve #2 by sending the FB userID up to a server and hashing it with some secret key but I'm trying to make a purely client side application.
Facebook provides a field third_party_id (see: https://developers.facebook.com/docs/reference/api/user/), that is unique to your app.
It’s main purpose is to be used to identify a user without violating their privacy, f.e. when you would have to pass a user id around as a parameter in a public URL or something.
If you ever need to “translate it back”, you can use it to look the user up via the FQL user table (with an access token for your app only, of course).
I'm using in my website the possibility to login with facebook. Is only the use of javascript facebook api enough to guarantee that no security break could be attempt from client side in order to authenticate as a different user?
When a user clicks on your Facebook connect button they are authenticating against Facebook's table of users. If Facebook returns them back to your site they will come with an access token. On your server, you should be preforming an HTTP GET against the following URL:
"https://graph.facebook.com/me?access_token="+token
If the access token was issued in the last (I think) 20 minutes then it will authorize you to fetch a JSON containing things like their name, email address (if they authorized that information) etc. You don't need to ask the user to type their email address on your site because that information isn't coming from the user it's coming from Facebook's servers.