I would like to let users login to my site using Facebook and I want to obtain a token from FB when the following properties:
For a given user, the token is always the same when they log in with facebok
The token is unique to my app. That is if that user logs into some other app with facebook they aren't given the same token.
Does FB provide anything like this? As far as I can tell the user id that the facebook api returns is the same for all applications.
I know that I could achieve #2 by sending the FB userID up to a server and hashing it with some secret key but I'm trying to make a purely client side application.
Facebook provides a field third_party_id (see: https://developers.facebook.com/docs/reference/api/user/), that is unique to your app.
It’s main purpose is to be used to identify a user without violating their privacy, f.e. when you would have to pass a user id around as a parameter in a public URL or something.
If you ever need to “translate it back”, you can use it to look the user up via the FQL user table (with an access token for your app only, of course).
Related
If I go to the Graph API Explorer, get a User Access Token, and then go to /<page-id>/live_videos I can return a list of live videos from that page, including the status (VOD aka past, or LIVE) and the embed_html.
This is great but the problem is this User Access Token will expire. I want to be able to get this data as part of my website to show visitors whether we are live or not, and if so give them an option to open the video right there on the site. It shouldn't be something a user has to login in to allow my app to access FB on their behalf.
So I tried using an App Access Token which I got by using the App ID and App Secret of my page's 'Facebook App' as described in the Facebook docs here... but the Token that I get from this does not work; it tells me A user access token is required to request this resource.
Why must I get a User Access Token when it's my App (aka my website) that wants the data?
Honestly I didn't think it would be hard to get this information since it is a completely public page; I would have guessed you don't even need to authenticate, but probably just some need sort of identifying token for your app for rate limiting, etc. Is there any method like that?
I am trying to create a login with facebook using javascript for a chrome extension that will return some data from the server.
I am currently able to login without issues with google and facebook. Google is returning the email address and an unique ID that only applies to my app so I can use that ID to login into my server together with the email address provided.
Facebook returns the real user ID and the email address, meaning that anyone that has access to facebook can find that ID and if they know the email address they will be able to login.
As I do not want to ask the user to login every time that they restart the browser or every few days, what is the best way to get a unique constant secure ID from facebook that is unique to my application?
Naturally if I make it unique in the extension it would not really be beneficial because anyone can read the extension code and then figure out how to get someone else unique ID from their user ID.
The authorization code that Facebook sends is not constant, so I would not be able to send it to the server to authenticate someone.
"Facebook returns the real user ID" - wrong, the api only returns an App Scoped ID. And no one except for the user himself will be able to login. Just use the App Scoped ID, that´s how you identify users in your App. Btw, user IDs are not really something you need to keep secret. Access Tokens are.
I have a simple web service and I want to add social login with Facebook and Google using Loopbackjs.
I've already done parts of this editing the example found at this link: https://github.com/strongloop/loopback-example-passport and following the instructions at this one: https://docs.strongloop.com/display/public/LB/Third-party+login+using+Passport.
My problem now is that I need to retrieve user information after login, so that every following editing request on the User model can be direct to the owning User entity.
e.g. The User X want to access to my application:
X request for "example_site_address/auth/facebook";
X will redirect to "www.facebook.com/dialog/oauth?response_type=code&redirect_uri=example_site_address/auth/facebook/callback&scope=email&client_id=XXXXXXX";
After his acceptation, he will redirect to "example_site_address/auth/facebook/callback&scope=email&client_id=XXXXXXX";
Then he will again redirect to "example_site_address/success_fb", this link should give to the client the User entity with which he is logged in.
Using Google this problem is solved because I could retrieve AccessToken information from the cookies, find the User who's owning that, and then send back it to the client, so he can store the UserId and every a following request could be like on this User.
Using Facebook I'm not able to do this, because cookies concern login are encrypted.
I'm a really beginner on this kind of application, so it is possible that my strategy is wrong. Could you help me to do this?
LoopBack Example is using a cookie-parser package (see server/server.js). Cookies are signed but you have an access to them via req.signedCookies property.
I'm currently implementing the Javascript Facebook login API.
Based on the callback response from Facebook, this client side script then sends a request with query string parameters to a URL on our site. Based on the email in that URL, the client is authenticated.
This is not secure. No other token that we can verify against is returned from Facebook (as far as I know), and we are expected to log the user in based on an email in a query string parameter, and no password.
I'd like to add another query string parameter that gives us some sort of assurance that the query string data came from a JavaScript redirect following the response from Facebook.
I'm thinking that this should be some sort of hashed value created by a client script that I can compare against server side. However, every resource used to create this secret key would be available to an attacker, via client cookies or through inspecting the client script.
Is there a common and secure approach to this problem that I can use?
Facebook apparently uses OAuth. Without getting into too much details (which you could find in relevant OAuth and FB documentation), OAuth operates with a secret shared between your server and the service provider (Facebook, in this instance), which is never revealed to the frontend Javascript, and is used to confirm if the callback you receive is genuine.
Pass Facebook a unique callback URL each time you authenticate user.
This URL should contain some security token, which, if present, will identify the authenticity of the logon attempt.
You can add a state variable to your requests to Facebook. This will be returned to you by Facebook to validate your request.
https://developers.facebook.com/docs/reference/dialogs/oauth/
Is it possible to access public Facebook information, such as user's name, without using Facebook Connect?
I've been reading the docs on http://developers.facebook.com/docs/reference/javascript/
and they have mentioned "public" information and "private" information.
It is still unclear to me if any attempt to access the visitor's facebook information requires Facebook Fonnect first.
I'm assuming the user must go through the Facebook Connect process before any data may be accessed.
Yes and no. If you are a first timer accessing Facebook, then you have to go through FBConnect. And then if you have opted for extended permission offline_access your access token will never expire and you can use that token to access the facebook info without FBConnect
You can access a users public information via the graph api without an access token if you know their user id or user name. For example these will return info:
http://graph.facebook.com/4
http://graph.facebook.com/zuck
The problem though is that without having an instant personalization deal signed with Facebook, you won't be able to tell who the current user until they authenticate with your application.