Does anybody know what will happen to my existing users when I will change Facebook app ID in allauth (socialauth) configuration?
Will "login with FB" try to create new django accounts or will it just log users in to existing ones (and obviously, asking via FB for permission)?
I'm in a situation where I have large amount of users signed up using FB but now I'm forced to create new FB app and switching to it.
Have checked it out. The answer is yes, users will fall into the signup flow instead of being logged in.
It's because Facebook assigns app-scoped ID to users. An app doesn't know user's original ID, it gets user's ID generated especially for this app. For this reason django-allauth won't recognize existing FB users (from previous FB app).
Related
I'm having an iOS app, need Facebook login to share something to wall. Everything is ok until I received new feedback from customer. Let me describe this case.
Apple have integrated Facebook into iOS system, user just needs to login via Setting, it is so easy for user. But my customer does not want to do that, they want user to login Facebook inside app and use it instead of Facebook of iOS system. Problem is here, there is a case: user has already logged in Facebook account A via iOS system, then user opens app and login Facebook inside app with other Facebook account B. After that, user shares a picture. Requiment is this picture should be shared on wall of Facebook account B (of app), but this picture appeared on wall of Facebook account A(of iOS system).
I just wonder do we have any solutions to resolve this case? Please give me any ideas you all have in mind after reading.
Thanks,
Ryan
I faced the same problem with Facebook SDK whenever a user login from any app using Facebook it change userid returned with the token which leads to share on the latest opened account.
if you open Facebook from a browser you will get this message from Facebook " we got confused please re-login "
so i took the same approach i saved user-id User(A) and whenever user share i check id coming with token if it changed i show " Facebook account changed please relogin " & i log all users out.
check this link may be helpful: https://www.facebook.com/help/community/question/?id=10205949056147843
This is a very high level architectural question.
I want to use "Sign Up with Facebook" and "Log in with Facebook" in my iOS app.
Questions:
I find many tutorials for logging in with Facebook but I am not getting anything for Sign Up with Facebook, like a tutorial for "SignUp with Facebook".
How can I use Sign Up with Facebook in my app? As in, what will be the architecture? What do I need to send to my server? What I need to store about the user in my server's DB?
After checking Spotify's "SignUp with Facebook" my understanding is, when the user clicks on Sign up with Facebbok, he is still asked with Facebook login but the SignUp screen will get pre-filled with some basic information like phone, email, first and last name etc, which I can use on my app to sign up the user.
Next time when the user logs in using facebook I just validate if he has already signup or not
Am I thinking right? any corrections? feedback?
If you're using Facebook login for the sole purpose of it being an easy way to get your users to sign up/log in to your app, then your app will be rejected by Apple. You need to be using Facebook application features that go beyond just basic profile information and sharing.
I just went through this during the Apple App Store review process and think it's worth noting here. A little warning to those who think they will save time.
You will get the user's profile and info, plus a userId i think.
Then you can add the user's Facebook id as userID, Facebook email as username, and a very long pre-defined string as it's password.
This is totally secure as long as the very long pre-defined password is not public. Only your server (or your app) will have that and will put that as password when you log in.
The username will be the Facebook email, which is straight forward. And the userId in your database will be the Facebook id that you get from your login session.
All the data can be read from the FBSDKProfile, when login is successful.
Hope it helps :)
p.s. you can also use Digits by Twitter, it is an awesome SDK for signing in with phone verification.
I am adding Twitter and Facebook login to a MVC 3 test application using TweetSharp and Facebook C# SDK.
Currently when a user signs in using Twitter I create a user account for that user in a user table and store the id, token, and token secret in a separate table with a foreign key to the user table. Since the id, token and token secret do not expire I can quickly locate the right user account when the user logs in next time using Twitter.
What if the very same user logs in using Facebook next time? Since Twitter does not provide email in their API and I therefore have no common piece of information to tie a user account to either Twitter or Facebook I assume I have to create a new user account for a Facebook login? Does anyone have any experience with this? Are there any ways to solve this?
I identify each user internally with a unique key. I check cookies for the user key when any user hits the site. If there's no cookie I create a new key. add it to the user database and set a new cookie. Once a user completes registration the first time by logging in with any of Facebook, Twitter or .Net membership , that key is forever married to that user.
So when an existing Twitter user logs in for the first time with Facebook, we know who they are because their user key exists. It is basically the same solution as macou suggested. Macou's has the plus of working on a new machine or if cookies are cleared, the cookie solution has the plus of not requiring additional user input.
Not really a solution, more of a work around. I was faced with the same problem and ended up forcing the user to complete thier account profile by asking for their email address before allowing them to proceed any further. This meant that if the email address coming back with the Facebook auth matched the email address created with the twitter signin then I didn't need to create another account.
The bigger difficulty was coming the other way, if the account was created by the facebook auth first. It meant an untidy marry up of accounts.
To be honest the information we got from allowing users to sign in with twitter was not worth the effort and in the end finished up only allowing Facebook auths. I'm not sure how important twitter is to your solution.
Not the perfect answer I know, but I thought I would share my experience.
You can't use just a cookie because I can login as facebook then my wife login as twitter using the same browser, you shouldn't link the two accounts in this case.
I think you need to do more than that:
Use a cookie then
Use name/first name/login name/... to see if they match.
Example:
Cookie id: 18459439731114330636, find user with id = 18459439731114330636. Found, go to 2, not found, go to 3.
Is username/first name/last name/... matches the current user? if yes, link accounts. if not, go to 3.
Create a new user.
I have recently implemented login to my via facebook connect. So now users have 2 ways of logging in to the site. The old way of registering an account and the new way (facebook connect).
One thing I would like to do is link a new facebook connect user account to existing accounts if they logged in the old way.
Has anyone had any success doing this?
Very good question I think and lots of people will benefit from an answer.
What you need to remember is that accounts are only linked so long as they are authorised to be linked through Facebook. What you should do is maintain a second table of linked accounts in your database so that you know who is who and if they are linked with Facebook.
You should read this integration comment, it provides a lot of useful information.
http://crazyviraj.blogspot.com/2010/01/test-cases-for-basic-facebook-connect.html
It doesn't really say how to do things, but it makes sure you tick all the boxes of what you should be doing.
ie:
Sign Up should fail if the user denies
permission to the app (category: sign
up)
Since we need access to an email
address, Sign Up should fail if the
user provides publish permission but
denies email permission (category:
sign up)
If the user provides an email address
that already exists in your system,
fail Sign Up. Make sure no YouFace
backend tables are modified (category:
sign up, 1:1 mapping) PS - when this
happens, I didn't find a way for you
to de-authorize YouFace on the
Facebook user's behalf. The user must
manually do this if they wish you use
the same account but provide a
different email address.
Accounts created using Facebook
Connect should not be able to login
using YouFace's default email/password
login system (category: sign in,
account security). PS: Since YouFace
accounts require a password and those
created using Facebook Connect don't,
make sure to insert a random password
hash into your table to avoid silly
errors
Accounts created using YouFace should
be able to sign in without requiring
to be signed into Facebook, even if
when a link to a Facebook accounts
exists (category: sign in)
Any many more
You should be asking for permanent access through fb connect authentication. Once you've done that, you'll get a token which gives your permission to access someone's Facebook information, and that token will not expire unless the user explicitly removes you from the permission list or changes his/her password.
Once you have the token, associate that token with the user / create a new field in your user table to store it.
To associate the user with a Facebook account without the user logging in, you can try to match by email. It's not 100% accurate but it's pretty good. Facebook doesn't give you email addresses in text form but you can get email hashes from FQL. Since you already know user email addresses, you can calculate the hash for all of your user emails and search through your user base for matches every time a new Facebook Connect user signs up.
I have a facebook fbml app and a web application. I want my web application users to be able to add my facebook app. Seems simple, right?
Currently, I am making the connection by adding a param to the canvas page link in my site. For example, I have a link that says "add our fbook application" which links to http://apps.facebook.com/our_fbook_application?suid=786432878923
suid is the logged in user's uid on my site. Adding this to the canvas link params allows me to connect their site uid to their fbook uid on my site. This way when requests come in from facebook, I can authenticate them based on solely the fbook uid after the connection is made.
This seems like a security issue. I think an attacker could log into their facebook account and guess user id's by calling http://apps.facebook.com/our_fbook_application?suid=x and when x corresponded to a suid on my site, he would be authenticated to see that user's data.
This connecting of a facebook app user to a website user seems like it should be really common practice, but all I can find these days is facebook connect examples which I am not supporting yet.
Can someone walk me through the steps to connect a facebook app user to my website user? Major bonus points if someone can do it in Rails with the facebooker gem.
Thanks!
don't pass the suid as a variable.
Instead, on your backend, associate the FB uid with the suid.
When the user accesses the app via website, he/she will have to log in (maybe through fb connect?).
When the user accesses the app via FB, your page should be able to determine the fbuid of the user and map that to the correct suid and log the user into your site.