I am using facebook koala gem in RoR. I just want to use it to search events and places. So I do not need any authentication for any user. I simply want to just use an access token to fire the search API. But the access token I'm using is from the Graph API explorer, so it expires after a certain period of time. I want to use an access token for life long and if not then wanted a way to refresh the expired access token in Koala Gem.
Related
I have Rails 5 app. As for the frontend we use Vue js. So it is closed app for only authorised google users. How it works now:
Vue calls Google and authenticates user, after that it send the payload to rails server. I use google-oauth gem, so I can see token, expiration date, id_token as well as refresh_token for the first time. I check against my database if we do have same user by it's email as google provided. And if yes I create a JWT token that I send back to frontend with expiration date for 1 day. The token is saved in cookies.
Every time API call is made to backend the jwt token is provided and I check again against user if it still exist on my database.
The problem is that is not a good UX for users to log in everyday again and again. I would like to refresh user, but I do not save any tokens from google in my db. Should I use that?
Do I need to do additional calls to google from server side maybe?
Did anyone implemented anything on their projects like this? How does sign in authentication works with google and do I need to do calls to google everytime?
I don't have Redis on my server as it is not possible to get it installed, so I can't use jwt sessions gem.
So I read the following on the Authorizing Requests to the Google Calendar API page written by Google folks.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
My knowledge of OAuth 2.0 is limited so I'm not sure if that means that I cannot get a one-time auth token for a user?
I'm building an app that will need to CRUD events for a user in the background based on other stuff. So I can't have the user authenticate over and over again. Is there a way around here?
If not, is there an Google Calendar alternative that has a dependable API that I could use?
When the user authenticates your application you are given an Access token (good for one hour) and a refresh token. You should save the refresh token, when ever you need to access the users data you can take the refresh token and ask Google to give you a new access token. It is the access token which gives you access to there account.
I wrote a tutorial that tries to explain Oauth2 how to set it up and how it works. Google Developer console Oauth2
I have a rails application which can post embeds of public facebook videos. In order to properly credit the videos i retrieve video owner via a graph api call like
https://graph.facebook.com/{video_id}?access_token={facebook_user_access_token}
which works fine. The issue is with oauth and long-term tokens. I know I can exchange a short term token for a 60 day token,
https://graph.facebook.com/oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
but the issue is generating the short term token. Is there a way to generate a short term token just on the server-side via the api. I will only ever want to oauth one user in order to access the graph api. But all the oauth flows require a facebook dialog login, which won't support me just on the server side. At this stage I am thinking of simply updating the token manually every 60 days so any ideas or help is welcome.
Have you thought about using the Koala gem?
And there is another SO thread - Renew Facebook access token with Koala that explains how to generate the short term token with koala
I've been struggling through Facebook authentication for a canvas app for a while. My approach is as follows:
Check the user's session for an access token.
Check the user's Facebook cookies for an access token.
Check the parameters for a signed_request.
If an access token is found during any of those 3 steps:
I make a call to the graph API requesting the /me resource.
If the call is successful, the user is logged in.
If the call fails (causes an OAuthException), I request a new access token by redirecting the user to the Facebook OAuth endpoint to obtain a code, then obtaining a fresh access token by exchanging that code.
If no access token is found in the session, cookies, or signed_request, I display a landing page.
Is this the correct procedure? I've noticed that oftentimes there is no signed_request present in the parameters if the user's access token has expired. The method Facebook endorses for requesting a fresh access token results in 2 user-facing redirects as well as an API exchange, which seems a bit heavy.
The setup I'm working in is:
Rails v3.0.8
Koala gem v1.2.1
I've followed these guides:
https://github.com/arsduo/koala/wiki/OAuth
https://github.com/arsduo/koala/wiki/Koala-on-Rails
https://developers.facebook.com/blog/post/500/
Have you considered using Omniauth? (https://github.com/intridea/omniauth) It wraps up all this stuff and lets you easily extend to other sites as well.
Note on Facebook’s secure cookie format
In their new secure cookie format, Facebook provides an OAuth code, which Koala
automatically exchanges for an access token. Because this involves
a call to Facebook’s
servers, you should consider storing the user’s access token in their
session and only
calling get_user_info_from_cookies when necessary (access_token not present, you discover
it’s expired, etc.). Otherwise, you’ll be calling out to Facebook
each time the user loads a
page, slowing down your site. (As we figure out best practices for this, we’ll update this
wiki.)
Let me get this straight: even if I use the Javascript SDK to parse
the cookies I still need to do a server-to-server call to facebook? Doesn't this make the whole java script SDK for user authentication kind of useless? I always need to check the cookies (so I won't have a stale access token) thus calling facebook every time?
What this quote is talking about is lightening the load on Ruby by not re-validating the OAuth token with a key exchange btwn Ruby and FB every call.
So, you can save the token in session/db/your own cookie/etc. or you can have FB's JS SDK revalidate it and pass it to you as part of your request.