I have a Mvc-facebook Application. I have configured my Facebook-Sample app in the Facebook Site.
Purpose of Sample Facebook App
Whenever I make some change in the first Name. Facebook should send the changes to my Web-Server in the form of JSon.
I have successfully configured the Subscription.
Facebook sent the token. Matched it with my code and my code sent the same token to Facebook. It's very good so far.
Issues 1 - In my Web-Server, I have Fiddler installed. When Facebook sends token to my Web-Server IIS, Fiddler is not showing the request.
Issue 2 - when I made some changes in my First Name, Facebook is not sending the data to my Web Server.
Please tell me what is missing in these issues.
Code
[HttpGet]
[FacebookSubscriptionVerify("MyToken")]
public void Verify(FacebookClient fb)
{
Response.Write(fb.AccessToken);
var verifiedResult = new FacebookSubscriptionVerifiedResult();
verifiedResult.ExecuteResult(ControllerContext);
}
[HttpPost]
[FacebookSubscriptionReceived]
[ActionName("Verify")]
public void ReceiveUserUpdates(object subscription)
{
}
In my Web-Server, I have Fiddler installed. When Facebook sends token to my Web-Server IIS, Fiddler is not showing the request.
Well, that does not sound as if your debugging/monitoring was successful, does it? You say before, that Facebook has actually sent you the token.
Find other means of debugging, f.e. have a look into the server’s access log.
when I made some changes in my First Name, Facebook is not sending the data to my Web Server.
If you deduce that the same way as you did above, then you probably deduced wrong …?
Be aware, that the POST requests Facebook sends for Realtime Updates are not in the “normal” format you would expect from f.e. an HTML form post, that means not as Content-Type: application/x-www-form-urlencoded.
Use wireshark to check what is sent, that will give you a correct view. Just capture everything and check http protocol.
Related
I am facing an issue regarding account linking in Actions on Google:
I am able to authenticate the user and access his email address and username however after this how can I redirect the user back to the google assistant and close the browser where he was authenticated?
Any help will be appreciated!
Update: Hey Prisoner thanks a lot for that.
I did what you said and yeah now it does redirect to google.com but without result_code=SUCCESS when I test it in the simulator.
The link is:
https://www.google.co.in/?gws_rd=cr&dcr=0&ei=z77fWbjQGIXxvATs_oqwBA
Now if I type talk to... again it shows me the message you need to link your account!
In the device the browser automatically closes and it shows SIGNING_IN however when I type an intent it is not recognized.
It would be great if you could point me in the right direction! (I am not sure but I might be at the token exchange stage that you mentioned, but I don't have a clue how to proceed!)
Update 2: As requested the entire flow that I am following:
This is the URL that I receive from debugInfo:
https://assistant.google.com/services/auth/handoffs/auth/start?account_name=cha***#gmail.com&provider=***_dev&scopes=email&return_url=https://www.google.com/
When I paste this in the browser the request that I receive at the authorization endpoint is:
ImmutableMultiDict([
('response_type', 'code'),
('client_id', ****.apps.googleusercontent.com'),
('redirect_uri', 'https://oauth-redirect.googleusercontent.com/r/****'),
('scope', 'email'),
('state', ' CtcCQUxWM2ROU3hNMjl4LUItVXhQSGd4THRMLU4yNExnb3lYbGRKQnQwa3NwTVFva19NUWpYNE5jNGJURzIyZFN3RDBXd2d4enFGVWJGb0Q0ZW1vaS1OaFdkaHdhb05HZ2xlWTR6SllKVlRWYktwd09faklyUTVheFhQbGw2dmVKYzVFTk05N3B1QkxaZG41RVdHN0wyTktvRFdCYzFPVFBzM1dQUlFtN2RmM1VtRU4****(state)')
])
The response (redirect_url) that I send back:
https://accounts.google.com/o/oauth2/v2/auth?scope=email&response_type=code&redirect_uri=https%3A%2F%2F******.herokuapp.com%2Fcallback%2Fgoogle&client_id=****.apps.googleusercontent.com
When it reaches my endpoint again the request arguments are:
ImmutableMultiDict([
('code', '4/***********')
])
Now I am able to access the email address and other details
The url that I redirect to from here:
https://oauth-redirect.googleusercontent.com/r/****?code=abcdefgh&state=CtcCQUxWM2ROU3hNMjl4LUItVXhQSGd4THRMLU4yNExnb3lYbGRKQnQwa3NwTVFva19NUWpYNE5jNGJURzIyZFN3RDBXd2d4enFGVWJGb0Q0ZW1vaS1OaFdkaHdhb05HZ2xlWTR6SllKVlRWYktwd09faklyUTVheFhQbGw2dmVKYzVFTk05N3B1QkxaZG41RVdHN0wyTktvRFdCYzFPVFBzM1dQUlFtN2RmM1VtRU4****(state)
This redirects me to :
https://www.google.co.in/?gws_rd=cr&dcr=0&ei=5c_fWdfKNYndvASO7o6ACA
Edit 3: I checked the network logs:
result_code=FAILURE&result_message=Account+linking+failed
I also added /token/google as the token URL in AoG. It is detected in heroku however I never receive this request in my code.
Note: I am using python flask and hosting my app on heroku
Once you have authenticated the user, you'll need to return a temporary auth code back to Google. Later, Google will exchange this auth code for an access token and a refresh token, but you're not there yet. The important part is that this code needs to be unique and that, later, you'll be able to recognize what user it is for. The code should be valid for a limited time - 10 minutes is a generally accepted time frame.
In the request Google sent to you as part of the login, they've provided a redirect_uri and a state as parameters. You'll need to use these in your reply. (state can be anything - you shouldn't care what it is, you're just going to send it back with your redirect. Its purpose is to improve security by preventing replay attacks.)
Verify that the redirect_uri has the form
https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID
Where YOUR_PROJECT_ID is... you guessed it, the ID of your project. You can find this in the cloud console.
You'll then redirect the user to this URL with a few additional parameters:
https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID?code=AUTHORIZATION_CODE&state=STATE_STRING
Where YOUR_PROJECT_ID is as noted above, AUTHORIZATION_CODE is the code you've generated, and STATE_STRING is the value of the state parameter that you were sent in the request.
For details, you can see https://developers.google.com/actions/identity/oauth2-code-flow#handle_user_sign-in
I am working on an app which needs the authentication. The backend is built with Flask python, and I am using POST request with a JSON to send the username and password. There are two questions I have actually.
First one, is it unsafe to authenticate with POST and JSON?
Second one, how can I keep the status of log in. I mean, like Facebook App, once user logged in, they don't have to input the password again even the app is restarted.
There is nothing wrong with sending your auth credentials with POST, in fact, that's what you should be doing, never send these information via GET
As for how to keep the status, check out Documentation on the class to store your cookies, then check if they exist.
Also, I assume you know the HTTP status code as well? Just to give you more info, just because your cookies exists doesn't mean the user is also logged in, for example, cookies may be expired (time length depends on your server configuration). So in that case you might want to return status error 4xx. HTTP Status Documentation, and maybe presentViewController(logInViewController, animated: true).
How do I send a facebook app requests from one mobile user to another using the Graph API?
I have looked at facebooks documentation but the only options I have found are to A) send an app to user message from the app (which I can't get working) or B) to use the request dialog, which doesn't seem to let me send a request to a single user.
FB has instructions for how to build a custom "Multi-Friend Selector" but apparently not for mobile.
I have tried using HTTP POSTing to
https://graph.facebook.com/%s?access_token= ...
with POST data set to
message='Test Message'
but I get
WWW-Authenticate: OAuth "Facebook Platform" "invalid_request" "(#2) Failed to create any app request"
I have also tried in the Graph API Explorer but I get the same thing.
I don't want to send these messages to users that have installed the app and I don't mind the user having to provide confirmation for the FBFrictionlessRecipientCache. Also, my app is in Sandbox mode, but I only need to send the requests to the other developers.
I am looking for anything that will let me do multi-friend selectors or ask for lives, or get help from a friend, like I see in several mobile games these days.
You can use presentRequestsDialogModallyWithSession from FBWebDialogs.
You must specify a "to" parameter to identify the recipient, and you must use the FBFrictionlessRecipientCache.
The "to" parameter identifies the recipient. It stops the select user dialog from appearing.
The first time you send the request to each recipient the user will have to grant permission. After that, the FBFrictionlessRecipientCache will allow the request to be sent relatively silently (a dialog pops up briefly and goes away by itself).
Has anyone had success using Stripe connect with an iOS app. I have a few questions:
I'm following the guidelines here: https://stripe.com/docs/connect/getting-started
Registering an Application: easy, no problem here
Then a little further down:
Send your users to Stripe: again, easy no problem here, I just have a button that opens up the link in a UIWebView. I assume having the client_id in the URL is fine? A lot of my uncertainty is what IDs/keys I should hard-code into the app
Then a little further down:
After the user connects or creates a Stripe account, we'll redirect them back to the redirect_uri you set in yourapplication settings with a code parameter or an error.
What I'm doing here is using the UIWebview's webView:shouldStartLoadWithReqest:navigationType delegate method to check for the string "code=" in the URL. If it finds that, then I'm able to grab the "code" parameter. So in reality, the redirect_uri is completely unnecessary for me. Is this the right way to handle this? Should I be doing this within my app or on my server?
After receiving the code, we are supposed to make a POST call to receive an access_token. Again, should this be done within the app or on the Server? It requires the use of a secret_key, so I'm guessing server? And how do I send credit card information along with this token if the token needs to be sent to the server? I know how to obtain the card number, exp date, and CVV. But in terms of passing it to the server (with or without the token) is something I'm not sure of.
Then when it comes to actually writing PHP, Ruby, or Python code on the server, I'm at a total loss.
Any help would be greatly appreciated.
You should setup a small web app to create stripe charges and storing you customers Authorization Code. Configure two routes in your web app for redirect_uri and webhook_uri and add the url in your Stripe Apps settings. The charges should be created from a server side app because it requires the secret_key / authorization_code which should not be stored in an iPad app. Otherwise they may lead to a security leak. I'm trying to describe the concept below:
Provide the stripe connect button in your app and set the link to open in Safari (not in an web view). You should add a state parameter to the url with an id which is unique to your users.
On tapping the button your user will be redirected to Stripe where s/he will be asked to authorize your application. Upon authorization stripe will hit your redirect_uri with a authorization_code and the state you previously provided. Do a post call according to Stripe Documentation with the authorization_code to get an access_token. Store the access_token mapped with the state in a database.
Define a custom url scheme in your app. Invoke the custom url from your web app. The user supposed to open the url in mobile safari. So invoking the custom url will reopen your application. You can pass an additional parameter to indicate failure / success. In your app update the view based on this parameter.
Now you are all set to create a charge on your server on behalf of the iPad user. Use stripe iOS sdk to generate a card_token from the card information. It'll require your stripe publishable_key. Then define an api in your web app which takes 3 parameters: card_token, user_id and amount. Call this api from your iPad app whenever you want to create a charge. You can also encrypt this information with a key if you're worried about security using any standard encryption method. You can easily decrypt the info in your web app as you know the key.
When this api is called from the iPad app you'll receive the user_id (which you saved as state previously), card_token and amount. Retrieve the access_token mapped to the user_id (or state). You can then made a charge on behalf of the user using the access_token, card_token and amount.
You can use ruby / php / python / node in the server as Stripe provides sdk for them. I assume other languages can be used as well as there is a REST interface.
Please note that this is just a concept. It should work like it but I haven't implemented it yet. I'll update this answer with sample code when I'm done.
You can use UIWebView. You will still need to use redirect urls and monitor the redirect using the delegate "webView:shouldStartLoadWithRequest:navigationType:"
In my iOS app I have a WebView, that uses my GAE app to authenticate. Login is working fine, and I am able to see the cookie data.
Example cookie data I see after I authenticate: (ACSID shortened for brevity)
=======
2012-06-16 10:00:13.784 FooApp[6342:12203] <NSHTTPCookie version:0 name:"ACSID" value:"AJKiYcGJTQ964S0JF7Rp5H" expiresDate:2012-06-30 13:57:59 +0000 created:2012-06-16 13:58:01 +0000 (3.61548e+08) sessionOnly:FALSE domain:"foo.appspot.com" path:"/" isSecure:FALSE>
=====
2 questions..
Is checking that the ACSID has a value enough to prove authentication? If not, what should I check for?
Is it possible to get the email address a user logged in with?
Thanks!
B
I wouldn't rely on undocumented behavior -- if you want to know whether a user's logged in, and the user's email address, send that info back in an HTTP response to your client directly.
Nothing says the behavior ACSID cookie won't arbitrarily change.
I have never tried do this on iOS yet. But on Android I'm using App Engine Rest Client to authenticate. I see they store and restore cookie for every request. So I believe it will definitely work on iOS.
I had a very hard time trying to include ACSID cookie for every request and it actually works. You have to ensure they are really in the request header on server. If you success to authenticate with app engine. You can view the CGI environment in appstats and see authentication information.
Here is the link for android client authenticator on app engine https://code.google.com/p/aerc/. You can have a look and reimplement on iOS.
If you want user email address and can get it from user object on app engine users.get_current_user().email() and request it from your client app via http request.
Hope it helps