I am using sdk that facebook provides(in java-script), to add login option in my site with facebook. I succeed to do this on client side, but I want to identify this user on server side without php-sdk.
So I need from client side send a request to server, that will prove that (for example) user with ID 1234 in Facebook, indeed logged in to my site. I don't want to use php-sdk, because it's the only time I will use it, so it's seems to me a waste to load all the sdk just for that.
Related
I'm developing a webextension which connects to an online database (firebase).
The login process is handled in the popup, currently this gives me a username and password (raw text).
In the contentscript, I need to communicate with the database. To do this, the database handle needs to be authenticated.
Currently, I'm planning to send the credentials from my popup to the background script and to use that to distribute login credentials to the contentscripts.
This would be done via browser.runtime.sendMessage and tabs.sendMessage. Is that a bad idea ? The docs don't talk about their security.
Which is a common way to implement oauth2 auth on the angular-based single page application?
Is it possible to implement it without page reload? If not - what is a best way to transfer auth data back to angular code from the page?
The authorization server must provide an api to authenticate user and return access token without redirecting. I will take facebook as authorization server and resource server in this example for easier understanding. The flow is like this:
Your user clicks on a button on the page.
Since this is SPA built with angularjs, the browser sends an ajax to
your server to get data.
On server side, you find out that this action requires data from
resource server (facebook), instead of redirecting the browser
to resource server as we usually do, the server sends a response
with a custom status (or any information indicating that this action
needs an access token) to the browser.
On browser, when you receive response from server in your ajax
success callback function. You can check the response and find out
that this action needs an access token
The browser first tries to get this access token from resource server
(if the user is already logged in). When working with facebook using
FB javascript SDK, we usually use FB.getLoginStatus function.
a. If we can get the access token in the success callback (the user is
already logged in), just send this access token to server to get
data (using ajax).
b. If the user is not logged in yet, use javascript
to prompt the user to login by rendering a login button and the user has to click on it. When working with facebook using FB
javascript SDK, we usually use FB.login function when user clicks on the login button. After
successful login, we will receive the access token in the success
callback and just send it to server to get the response (using
ajax).
There is no page reload because all actions are done with ajax (without browser's redirects)
I'm using in my website the possibility to login with facebook. Is only the use of javascript facebook api enough to guarantee that no security break could be attempt from client side in order to authenticate as a different user?
When a user clicks on your Facebook connect button they are authenticating against Facebook's table of users. If Facebook returns them back to your site they will come with an access token. On your server, you should be preforming an HTTP GET against the following URL:
"https://graph.facebook.com/me?access_token="+token
If the access token was issued in the last (I think) 20 minutes then it will authorize you to fetch a JSON containing things like their name, email address (if they authorized that information) etc. You don't need to ask the user to type their email address on your site because that information isn't coming from the user it's coming from Facebook's servers.
I have an application that uses backbone.js on the front end. So I had a question of how does it handle the user session? Everytime i send a GET,PUT,POST request, the user has to be authenticated else I get a error from the server side. Hence I used the Backbone.basicauth.js plugin which enables the basic authentication before any requests are sent across the server. I just need to call Backbone.BasicAuth.set('username', 'password');
But the problem here is that I need to hardcode my username and password everytime. So I wanted to know a way where in I can dynamically do that or a way in which I can track if a user is already logged in or i need to redirect him to a login page.
What if the user enters a random url instead of the home page, how will I track if he is logged in or not and how will I save the session?
At www.TheLadders.com we use form authentication and then drop a cookie with an encrypted token which we use to authenticate subsequent requests. We like it better than a traditional server side session approach because we can run all our servers stateless.
I remember all the stuff from the signed request for canvas apps: http://developers.facebook.com/docs/authentication/signed_request/
Now I'm using the JS SDK (FB.login() method), which already gives you the auth token et al. as well as a signed request. Instead of the info that a canvas app's signed request gets, I get just:
{"algorithm"=>"HMAC-SHA256", "code"=>"2.AQAdX5Zl5gY-Z_D7.3600.1322193600.1-XXXXX|HmarTBK09MSiB0o76cLgaTUd4y4", "issued_at"=>1322188281, "user_id"=>"XXXXXX"}
So what confuses me is: what's the point of the JS SDK's signed_request? I already have all the info I need from just the login reply.
when your app user comes to your https://apps.facebook.com/myapp he comes with signed_request.
Then you serve your user to your landing page. In that landing page fb jsdk loads and writes to cookies to browser.
Then when user comes to your server he comes with these cookies. So writing cookies are not your job but fb jsdk's job.
Then your server reads those cookies and process further actions.
Additional info
While surfing at github, I found
This client library is designed to support the Facebook Graph API and
the official Facebook JavaScript SDK, which is the canonical way to
implement Facebook authentication.
and
If you are using the module within a web application with the
JavaScript SDK, you can also use the module to use Facebook for login,
parsing the cookie set by the JavaScript SDK for logged in users
Taken from here.
There can be extra information provided in signed_request that isn't provided in the login response.
For example, if you need to check if a user is a fan of the page housing the app, this information is provided in signed_request. This can be injected into the page at load time by the server if the user is authenticated at that point, however if you are using an ajax authentication and signed_request were not provided in the login response, you wouldn't be able to check the fan status.