I'm working on an app using facebook & oauth. The app lives inside a facebook canvas, and the authentication is done server side. The app is done w/ Ruby on Rails 3.2, using Koala for dealing with the api (and mongodb as backend, for what it's worth), and hosted on heroku.
So, I supply the heroku url as redirect_url for the callback. Which makes the user go out of the canvas after the authentication, and well, I want it to stay inside. I read a few threads about this that suggested I redirect to the canvas url with js once the authentication is done. I did that, but now it seems that my session token is never set, and the user goes through the auth flow every time he tries to see a non-public page (which means he loops on the welcome page, having an "invisible" exchange with facebook each time).
I don't really get what I'm doing wrong here, so any help is welcome. If you need more informations, just ask.
Thanks for your time!
So I found what was my problem : the page my canvas pointed to was a "public" page, and did not handle anything authentication related, meaning it didn't parse the signed_request, or anything else. I ended up setting a special endpoint for the canvas in charge of handling the signed_request logic, and now it works as one would expect.
Related
I'm currently working on an Electron (1.0.1) project where I'm heavily dependent of webviews. Everything works so far except when I try to access https://twitter.com or https://tweetdeck.twitter.com.
Whenever I try to login (on both sites) the request to https://twitter.com/sessions gets canceled and I'm not logged in.
However, if I take a look at the stored cookies I can see a newly generated access token – so when I refresh the site I'm logged in.
Twitter is the only site where I can experience this behaviour and I just can't figure out whats going on here.
The webview initialization is very simple:
<webview src="https://tweetdeck.twitter.com" partition="persist:tweetdeck"></webview>
It isn't fixed yet but this is a known issue and the Electron folks are already working on it. If you like to follow the issue: Issue: #3471 Twitter authentifcation form POST REDIRECT
I'm attempting to hook my application into Flickr but having issues during the Authentication process.
I've followed instructions in:
https://github.com/devedup/FlickrKit
I've created a CFBundleURLTypes for my application (let's call it myapp://) and tested that it works (i.e. I type myapp:// in a safari). I've successfully called the authentication URL in Flickr, it shows the login, asks the user to grant my app the necessary permissions then instead of redirecting back to my app via my URL...it does nothing, and the app is not authenticated.
I used FlickrKit demo app replacing its api key/secret/CFbundleUrltypes with mines and the issue is the same, so the problem is not in the code but rather in the way i registered my app in flickr. Said that...I just followed the instructions in Flickr "Edit Authentication Flow" so I guess the issue is with the callback url I put in flickr. I used myapp://auth? as described in many posts in the internet but does not authenticate or call back my app.
This is not the same issue reported here:
Flickr Authentication Flow and iPhone
but rather similar to the unanswered post:
flickr callback URL not working
The Info.plist for the custom URL handler and the AppDelegate code are a copy&paste from the flickrKit demo app [no need to reinvent the wheel] and anyway even after changing api key secret and url in flickrKit demo app with mines...the app is not called back, so it must be something wrong in my app registration.
Anybody experienced a similar behavior ? i ruled out objective-c code and callback url as the issue, so what is left is the flickr part but not sure where to look for help... so i wrote this post.
Thanks for any tip,
dom
Probably this is a problem of api signature calculation. All the parameters passed via method should be used to calculate an api signature.
I'm about to build a console application that needs access to the authenticated YouTube Data API. Calling the API's themselves is not a problem, I know quite well how to make and process HTTPS requests.
I've already gotten the API key and the Client ID. No problems there, either.
The problem is the authentication.
I've checked here: https://developers.google.com/youtube/v3/guides/authentication#installed-apps
On the "Installed applications" tab, in step two, it instructs on how to set up a url to call to do the authentication step. All good so far. But before programming anything, I thought I'd try and see what that url does in the browser.
Turns out it just displays a login prompt. Well how about that. That won't work in this kind of console application. The idea is, presumably, that the user is somehow shown this webpage and be instructed to login and allow access. Then, somehow, by some kind of magic perhaps, the access token is sent back to my console application.
Two things I'm not quite sure about:
1) How do I prompt for the username and/or password in the console app and send that to the authentication URL?
2) How would I get the access token back from it?
The biggest problem is that the API seems to require a browser... Which isn't there. My console application will (eventually) run unattended, so starting up a browser and displaying a webpage and doing nothing until it returns a code, is out of the question. I need to somehow supply the authentication page a username/password and get back the code right away.
My goal is to build a standalone RESTful Rails 3 service that communicates with a Rails 3 web application via ActiveResource JSON and an iPhone application via iOS 5 native JSON. I have each running so that a single table of data is being exposed in the service app and that can be called and rendered via both a Rails app and the iPhone app.
My question is around authentication and something that can be reusable for both the web application and the iPhone app or in the future an Android app.
From the research I have done on this site, it seems HTTP Basic would work for both, however I would be unable to properly logout a user on the web side like sessions or cookies could and I have the browser login form to deal with. If I use sessions, how would that translate to setting up authentication on the iOS side of things?
This project is a code learning exercise, so I am hoping for implementation or architectural guidance rather than simply implementing Devise or Authlogic, etc.
It sounds like you're conflating at least two problems.
The first issue is authentication: you need to determine if the user is who they say they are. For authentication, you can do basic auth. You could also use client certs, though that's probably not what you're looking for.
The second thing is session management: First, you can do basic auth on each page request and store the session state in the database, but you're right about not being able to log the user out, as the browser will cache the credentials.
You may want to consider a login page that requires basic auth and shoots back a cookie to do session management. All other pages don't require basic auth, but give a 401 unauthorized if the cookie isn're present. Or you could redirect. The iOS client code will have to know to call the login page first to get the cookie and then use it after that. Logging out is deleting the cookie.. hrmm, but the browser will still cache the basic auth credentials.
I'm thinking the only way you're going to get what you want is to have a form-based auth for your web users (to allow them to log out and log in as someone else), and a basic-auth based system for iOS users. As a result of both authentication mechanisms, return a cookie that has to be used for all other pages.
I am trying to connect facebooker and authlogic using this http://github.com/kalasjocke/authlogic_facebook_connect
I was having problems so began to debug the facebooker gem code. I realized that no params are getting set using the facebook login that have anything to do with facebook. I can push the facebook login button, it brings up the facebook window as it should and I accept/sign into facebook. Then in facebooker/rails/controller.secure_with_facebook_params! I print out params, this is what shows:
authenticity_token<pulled out token number>actioncreatecontrollerperson_sessions
person_sessions is the name of my user_sessions. Not sure if this makes a difference though...
This is it. Clearly there should be other parameters here. I checked to make sure that my application numbers are all OK with facebooker.yml (although honestly I don't understand why that would matter as I'm not yet making a facebook app, just want to use connect).
Any ideas?? I would be SOOOO thankful if someone could help me out... any clues would be useful!
K
Argh I think I finally figured it out! Since I don't have an app yet then set_asset_host_to_callback_url in facebooker.yml should be set to false. However, after this is done, you have to close browser as it seems to store previous session. Now to fix my next problem!
I had this same issue, my problem was that I had set a Site Domain on my application settings page on Facebook itself... I wasted lots of time fiddling with my code and my settings in my rails app when it was a facebook setting all along. Big up to Alex Neth on the authlogic google group in the end. So what I had was
Application ID 150132505999999
Application Secret e7fb8001d80e99999999999999999999
Site URL http:// localhost:3000
Site Domain localhost
and what I should have had was
Application ID 150132505999999
Application Secret e7fb8001d80e99999999999999999999
Site URL http:// localhost:3000
Site Domain
duh, probably an obvious one but I hope this helps someone out somewhere.
(I've had to break up the site url there for spam issues on this site)