I have an webapp which has a facebook log in and once a user logs in I store the user's access token in my db. I also have subscribed for user feed using realtime api. So when ever user adds a status or comments I would get callback from fb. This would just tell me that there is a change(I don't get the id of the comment or status). So I have to query the graph api with the stored access token to get the feed and see what are the things that are updated. So if I see that there is a new comment after the last query I had made, I would process it.
Is there any way to get the id of the comment or status that was made
by the user?
And I the access token that I get expires in an hour. So I can't query for data when there is a user update callback after an hour. I also can't ask the user to go to my app again and re authorize, since he won't use that app after log in(I just need him to log in to my webapp so that I can get his access token).
Is there any way to get the access token without the user having to
go through the authorization phase again(This is because user won't
come to my app again after he logs in, we just poll for his fb
activities)?
Thanks
Related
We are trying to implement Oauth2 on our app, in our App we are login using Sign In with Google, and this returns a lot of stuff like : UID, ACCESS_TOKEN, REFRESH_TOKEN, etc.. we are thinking to send from APP to server-side the UID and store it to DB linked with user like if it was its password.
From server side we want to on each call for instance : get_products, we are thinking to use an access_token but we don't know if it's the UID from user itself or we have to create another access_token with its refres_token with expiration time. So we have one UID from user and another access_token and refresh_token from oauth.
I'm not sure about the value you refer by UID. May be it's something that I haven't come across before.
But if it stands for USER IDENTIFIER, then you should not use it to identify the end user and maintain a session. UID could be a public identifier so anyone who knows will be able to communicate to your server. Also, think about user login through multiple devices. Your server won't be able to identify the correct session.
User access_token to initiate a session. In your server, use user-information endpoint to obtain validity details and end user information. Alternatively you may choose OpenID Connect.
The questions is pretty simple.I am also a novice regarding token authentication.
I know that, in case of token authentication, in case of android apps, token is used so that the user credentials does not remain in the app.i.e. whenever the user fetches data from server, it does not send the user credentials everytime but he sends token.
When the user signs in for the first time, from the app, a token is generated from the server and is "entried" in the database beside the user data.This token is send back to the app from the server and it is this token that the user, from the app, has to send everytime it plans to fetch some data from the server.When the user has to fetch data, it sends the required parameters and with them the token.This token is matched with all the tokens present in the database.If the token is present,it also gets the user associated with that token.And as the token is present so the user session is valid and then the required data from the server is send back to the android app.
What i want to know is that what to do with the token, in both client and server side, when the user logs out?
If any doubt please comment.I know its a simple question but dont know much about token authentication.Thanks everyone for their time.
Note:- Also if any of my concepts, in the question, is wrong please feel free to correct me.
Basically all tokens have an expiry. This is intended for security purposes. But you can choose whether to set an expiry for your token. But I suggest that you must put an expiry for your token. And also delete that tokens from both server and client, and set user session to login again. Use timestamps to create the tokens. They are also useful when comparing tokens.
Happy Coding.... :-)
I have an application which syncs user data from source to destination.
Current Use case: Sync Facebook photo to dropbox.
I have implemented following steps to retrieve user photos:
Take user access token; then exchange it with extended access token.
Save the extended access token to DB.
Poll to Facebook on Timeline Photo album with the help of extended access token and using lastSync check to check if new photo is present.
If there are any new photos available, then get those photos and upload them to user's Dropbox account folder (assuming that we have Oauth permissions for user's Dropbox account). Finally update lastsync in DB as currect timestamp.
My new use case is to get Facebook posts/photos with criteria like if n number of comments are posted to a photo/post; then retrieve it and sync it to Dropbox. In this case; it can be a old post or photo too.
I tried it with Real-Time update subscription but it didn't helped me much.
Any help on the above use case will be very helpful.
BTW, I am using Restfb.
Hi am regarding facebook php server side login..
http://developers.facebook.com/docs/authentication/server-side/
in that
$code = $_REQUEST["code"];
what is the meaning of this..., what is this code ?
Once the user has authorized your app, you should make a server side
request to exchange the code returned above for a user access token.
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&redirect_uri=YOUR_REDIRECT_URI
&client_secret=YOUR_APP_SECRET
&code=CODE_GENERATED_BY_FACEBOOK
Note the "CODE_GENERATED_BY_FACEBOOK" comment.
$_REQUEST['code'] is most likely a token that guards against CSRF. Facebook will create this and give it to your application via $_REQUEST['code'] (could be a POST, GET or whatever).
If you're not sure what $_REQUEST is, you should read the PHP manual entry for it.
$code is like authorization token that you exchange for an access token that you will use later to make calls to facebook api. The part you're looking at handles redirect from facebook after user logged in to facebook and authorized your application to access their information. at this point facebook redirects user back to your site and passes code as a get parameter and that line grabs that code from $_REQUEST, which in this context is the same as $_GET['code']
I'm trying to get friends count via my account using Facebook API. Its working well.
But if i get friends count using one of my friendId, i'm getting the following exception
Tests in error: friendsCount(com.company.facebook.test.FbClientTest):
Received Facebook error response of type OAuthException: (#604) Can't
lookup all friends of 649390517. Can only lookup for the logged in
user or the logged in user's friends that are users of your app.
That error message seems pretty clear, you can't access friends-of-friends via the API unless the other friend also uses your app.
You can however check for mutual friends between your app's user and any arbitrary user ID.
To do that, make an API call to
/USER_ID/mutualfriends/OTHER_USER_ID
Where USER_ID is the user who's authorised your app, and OTHER_USER_ID is the user you want to check for mutual friends with.