I have a simple web service and I want to add social login with Facebook and Google using Loopbackjs.
I've already done parts of this editing the example found at this link: https://github.com/strongloop/loopback-example-passport and following the instructions at this one: https://docs.strongloop.com/display/public/LB/Third-party+login+using+Passport.
My problem now is that I need to retrieve user information after login, so that every following editing request on the User model can be direct to the owning User entity.
e.g. The User X want to access to my application:
X request for "example_site_address/auth/facebook";
X will redirect to "www.facebook.com/dialog/oauth?response_type=code&redirect_uri=example_site_address/auth/facebook/callback&scope=email&client_id=XXXXXXX";
After his acceptation, he will redirect to "example_site_address/auth/facebook/callback&scope=email&client_id=XXXXXXX";
Then he will again redirect to "example_site_address/success_fb", this link should give to the client the User entity with which he is logged in.
Using Google this problem is solved because I could retrieve AccessToken information from the cookies, find the User who's owning that, and then send back it to the client, so he can store the UserId and every a following request could be like on this User.
Using Facebook I'm not able to do this, because cookies concern login are encrypted.
I'm a really beginner on this kind of application, so it is possible that my strategy is wrong. Could you help me to do this?
LoopBack Example is using a cookie-parser package (see server/server.js). Cookies are signed but you have an access to them via req.signedCookies property.
Related
I'm incorporating Google Sign-In for my website and the basic setup is working fine, however I face a problem to manage the user's login status.
I came across the below SO question, which suggested to use sessionStorage/localStorage to carry the login status across pages of a website, and when user signs out the stored info should be cleared.
https://stackoverflow.com/a/40206395/5345604
I afraid I don't entirely understand the suggested implementation though. What if user signs out from his Google account somewhere else, say from Gmail or from Google Maps? In this case when the user revisits my website, how can I detect that he is no longer signed in with Google and remove the stored client side session? Or this is not the way it is supposed to work?
And on top of the above question, I'm also thinking about the authentication with my backend (PHP). Given the ID token, shall I be sending it across to my server and authenticate it with the Google API Client Library every time? Or shall I only authenticate the user once and store a flag of indication in $_SESSION, and then destroy the session when the user signs out? (Given that the token is in fact a JWT, I suppose the implementation is meant to be stateless and requires the token to be passed to the server every time? Are there any concerns to implement it with the traditional approach of a server side session?)
I can only answer your first question: The login of your website is completely separate from the login status of other Google services. Even YouTube is separate from google.com.
I would like to login using my own account in conjunction with the LinkedInApi. The problem I have is that most examples I can see either use a cookie or login interface for local users login credentials. However my aim is to login with my own specific account by providing my username and password.
I can then extract the testimonials from my profile and display them on my website.
Is this possible? And if so do you have any examples of how this can be achieved?
After thinking about this for a considerable amount of time I realised that the answer is quite simple.
If you make the API call on the server side you can specify the credentials. For example in an MVC application you might make the call on the controller action method.
If you want to allow users to login using LinkedIn you should first create an app in LinkedIn from the below link
https://www.linkedin.com/developer/apps.
Then Add LinkedIn login button from this Url
https://developer.linkedin.com/docs/signin-with-linkedin
Below is the link you will find the complete solution.
http://www.c-sharpcorner.com/UploadFile/145c93/sign-up-users-using-linkedin-and-save-users-detail/
I am not promoting the article, just providing the link where you will get the complete solution.
I want to check whether a user has any notification of facebook or not.. to do that I thought of curl, but the user have to put his login detail. I wonder is there any better way to do it? The weak point of curl method is that the users will receive warning email because someone loggin from different locality.
Facebook has a security witch prevent you to access the site by cURL.
You better create a facebook application, by using the notification API : https://developers.facebook.com/docs/graph-api/reference/user/notifications
I want users to be able to register on my mobile (web based) app and login using their Facebook account. Is this possible using the JavaScript API?
The user can login using Facebook, and the userID and auth code of that user can be sent to my server to create the account, but I see a security flaw because then anyone could then log in as anyone by sending a userID and their own auth code. So can user accounts not be done with the JavaScript API and only with a server side API?
All Facebook requests are also signed with a secret key that belongs to the app you've registered to handle Facebook sign-ups on your website, so you can use that to verify it comes from Facebook and not someone else.
This is also outlined in the registration documentation
Strictly speaking, it is not possible for the Facebook SDKs to explicitly create a new user. However, when you implement a 'Login with Facebook' button (see here for JS and here for PHP), Facebook's OAuth dialog appears, which will prompt the user to log in (if they are not already) or to sign up with Facebook, thereby creating a new account, albeit not under your control.
Is it possible to access public Facebook information, such as user's name, without using Facebook Connect?
I've been reading the docs on http://developers.facebook.com/docs/reference/javascript/
and they have mentioned "public" information and "private" information.
It is still unclear to me if any attempt to access the visitor's facebook information requires Facebook Fonnect first.
I'm assuming the user must go through the Facebook Connect process before any data may be accessed.
Yes and no. If you are a first timer accessing Facebook, then you have to go through FBConnect. And then if you have opted for extended permission offline_access your access token will never expire and you can use that token to access the facebook info without FBConnect
You can access a users public information via the graph api without an access token if you know their user id or user name. For example these will return info:
http://graph.facebook.com/4
http://graph.facebook.com/zuck
The problem though is that without having an instant personalization deal signed with Facebook, you won't be able to tell who the current user until they authenticate with your application.