My quick investigations appear to suggest that FB has deprecated all auth mechanisms while leaving their custom oauth implementation.
Can someone comment or clarify this statement ?
Why ?
I want users to authenticate against my app and not FB
At some later stage i wish to grab some assets from FB such as the current users photo etc.
You will need at least once to let them authenticate with the facebook ID and authorize your app. From that moment, you will receive an access_token in the JSON response that will allow you to perform operations for your user.
There are two types of access tokens:
Session based: expires in a short term, are used when the user will be logged to FB every time you need to perform an operation.
Offline access: do not expire and allow the app to perform operations for the user in any moment. This requires the offline_access permission when the app is authorized.
Check here: http://developers.facebook.com/docs/authentication/ for the oauth mechanism and here: http://developers.facebook.com/docs/authentication/permissions/ for the permissions list.
Related
I work on application, which try to get and parse information from site was named "Super-site" for instance. Access to data I needed is restricted and is necessary user authentication. I cannot ask user to send login\password from super-site, but Super-site have possibility authentication across social-auth (twitter). I can get access token from twitter, but I am unable to understand how to auth on Super-site using twitter access-token?
You will use the 3-legged OAuth with Twitter. Here is the link from Twitter that gives you steps. How you do this is by logging to your twitter account on developer.twitter.com, from Twitter Application Dashboard click on the Twitter App to create a Access Token and Access Token Secret. Your user accessing the Super-site will be prompted to authorize access to the Application, user grants access (clicks Yes) and finally your Super-site collects the OAuth token (user need not send username/password) and accesses the site.
Your super site must use oauth flow.
Every api should have oauth authentication and it is done at server end.
https://blog.restcase.com/4-most-used-rest-api-authentication-methods/
If they have twitter you can use twitter auth flow. They have to write code to understand twitter user account linking and authorization. So you login as a twitter user if thatuser is found in database you receive token and you can call api based on twitter user authorization.
The previous versions of this spec, OAuth 1.0 and 1.0a, were much more complicated than OAuth 2.0. The biggest change in the latest version is that it’s no longer required to sign each call with a keyed hash. The most common implementations of OAuth use one or both of these tokens instead:
access token: sent like an API key, it allows the application to access a user’s data; optionally, access tokens can expire.
refresh token: optionally part of an OAuth flow, refresh tokens retrieve a new access token if they have expired. OAuth2 combines Authentication and Authorization to allow more sophisticated scope and validity control.
OAuth 2.0 is the best choice for identifying personal user accounts and granting proper permissions. In this method, the user logs into a system. That system will then request authentication, usually in the form of a token. The user will then forward this request to an authentication server, which will either reject or allow this authentication. From here, the token is provided to the user, and then to the requester. Such a token can then be checked at any time independently of the user by the requester for validation and can be used over time with strictly limited scope and age of validity.
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/twitter-logins?view=aspnetcore-3.1
I am reading lot of cognito documentation but the thing which is confusing is the limited documentation for build Hybrid applications(cordova mobile app).
This is my understanding so far:
I can develop my own sign-in and signup screens but use the cognito user pools as a backend authentication datastore.
or I can simply plug Cognito hosted webUI for sign-in, sign up.
1) If I have to use my own, I would have to use the Amazon cog SDK API to authenticate a user, validate email during signup etc .
2) If I need to use the hosted pages from amazon, I would need to configure it to redirect to my applications homepage.
probably follow this link -->> ?
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-configuring-app-integration.html
Once the user is authenticated ,I would need to create session for logged-in user, decrypt the token which is a JWT to fetch all details about the user like user_name, etc & then tie this user to the same session.
When the user clicks on any other link in my web application, my authentication filter will need to check if the current session had any valid token and validate it. Question is how do I validate that the token in the cookie is the one which is valid and not expired. which API can be used to check if the token is a valid token.Would I need to go to cognito eveytime?
You would have to use Cognito SDKs to validate the token before you serve your resources. The SDK methods to verify the token will ensure that the token has not expired, the user belongs to the app, and to the specific user pool that is allowed access to your resources.
You can find more here - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
Imagine you've to implement following user story:
"User should be able to publish message on social media(facebook/twitter/etc) using simple web form and one-click button[without need to login in fb/twitter/etc]."
In general, authentication in social networks is based on OAuth 2.0. Facebook distinguish three types of access tokens:
User access token
App access token
Page access token
I've tried first option with facebook4j, and it's working - however, we are supposed to supply token each time, we want to use it. I've found long-lived tokens, but their validity is also limited - 60 days.
Generating app access tokens is very simple, but I haven't succeed in publishing any post. From facebook docs:
App access tokens can also be used to publish content to Facebook on
behalf of a person who has granted an open graph publishing permission
to your application.
Page access tokens - I haven't tried. Is it possible to publish message on fb/twitter simultaneously, without login, of course, to predefined destination(fb wall)? If so, please provide me with any working example :)
Thanks in advance
I'm building an application that needs to query and fetch the Facebook public feed every hour or so. I only need read access to the public feed. I can make the query using the Access Token generated on the Graph Explorer page but that token expires after an hour or so. I know there is a way to get a 60 days token and use that, but that requires updating the token every 60 days.
Whats the correct way of doing this? All the material I have found so far assumes a front end application that needs a user's login authentication.
You can't get offline access token for facebook (unlike google).
You can get access token for 60 days, and when user asks for page that requires authentication, redirect him to login page.
In playframework you can do this with securesocial module (and i am sure there is social module for whatever server you choose to use).
Alternatively, you can extend the short-lived access token.
I am unsure of the technical details of how to do this, only that it is possible.
Maybe this link can help you:
Facebook full permission AccessToken alternative to Offline access token
I need to make a simple query SELECT url FROM url_like WHERE user_id={friendId} in my Facebook app that I build with help of Spring Social. To do this I use authentication code provided by this library. The authentication works fine. But the query mentioned above returns an empty array. I would like to emphasizes that all the needed permissions are given (user_likes and friend_likes). However similar access token given to me by facebook graph explorer works perfectly.
Access token debugger from Facebook says that both tokens are valid and have needed permissions. The only difference in the duration of token validity: my app gives token that expires in 2 months and Graph Api gives for an hour.
What is the reason of this strange behaviour? Why token given by my app with needed permissions is unable to make this query. How to fix this issue? Thank you in advance.
UPDATE
Ok, it seems that Facebook gives access token for application that is different from access token of a user. So now the question is how to get user's access token with Spring Social Facebook?
You need to submit a post request to spring social ConnectController for the specific provider e.g. http://wwww.yourdomain:8089/connect/facebook. Spring social then will redirect the user to facebook authorization page where the user will grant your app with the asked permissions and send back a code to your server. Spring social then will exchange that code for an access token. You need to establish a connection for that user to be able to perform requests against FB on his/her behalf. Here is a doc page that might help http://static.springsource.org/spring-social/docs/1.0.0.M2/reference/html/connecting.html