I've been struggling through Facebook authentication for a canvas app for a while. My approach is as follows:
Check the user's session for an access token.
Check the user's Facebook cookies for an access token.
Check the parameters for a signed_request.
If an access token is found during any of those 3 steps:
I make a call to the graph API requesting the /me resource.
If the call is successful, the user is logged in.
If the call fails (causes an OAuthException), I request a new access token by redirecting the user to the Facebook OAuth endpoint to obtain a code, then obtaining a fresh access token by exchanging that code.
If no access token is found in the session, cookies, or signed_request, I display a landing page.
Is this the correct procedure? I've noticed that oftentimes there is no signed_request present in the parameters if the user's access token has expired. The method Facebook endorses for requesting a fresh access token results in 2 user-facing redirects as well as an API exchange, which seems a bit heavy.
The setup I'm working in is:
Rails v3.0.8
Koala gem v1.2.1
I've followed these guides:
https://github.com/arsduo/koala/wiki/OAuth
https://github.com/arsduo/koala/wiki/Koala-on-Rails
https://developers.facebook.com/blog/post/500/
Have you considered using Omniauth? (https://github.com/intridea/omniauth) It wraps up all this stuff and lets you easily extend to other sites as well.
Related
Im a bit stuck. I dont know how to setup ember-simple-auth with my current rails + ember-cli app.
Currently, the user has to login with steam, so they get redirected to steam's login page. When they press authorize, they get redirected back to my site. I then let rails process the request and if they successfully signed in with steam, I set a cookie with a randomly generated token.
Now I need to do two things for ember-simple-auth.
Tell ember-simple-auth to check if the token exists, and if it does, make an api call to get the user's infor like the name, email, username, etc...
Add a prefilter that passes the token in most requests.
For #2, I can just use the OAuth authorizer, but for #1, I have no idea.
Thanks.
You need to implement a custom authenticator and use that to authenticate the session in an initializer when the app starts. The authenticator would in its authenticate method read the token that the Rails app writes to the cookie, make the API call and resolve with a bearer token that the OAuth 2.0 authorizer would then inject into requests.
I can't figure out the difference between Token and Grant in Doorkeeper. In which moment, Doorkeeper creates an Access Grant and when an Access Token? The documentation doesn't seems to say nothing about it and now I'm reading the code but is not a dozen lines.
I recommend to also read the documentation of oauth2
As I understand, Doorkeeper is based on the protocol described in that documentation too.
In doorkeeper, you will get access grant first and then access token.
Access grant usually only lives very short (the default in doorkeeper is 10 minutes).
You will get this by requesting GET to api-url/oauth/authorize (don't forget to put client_id, redirect_uri, and response_type as parameter. response_type will have value "code").
Once user allow the apps (user clicks "allow" button), doorkeeper will return the access grant as parameter in the returning url.
Get that code and you can now use it to make POST request to api-url/oauth/token to get your access_token and refresh_token.
Using access_token, you can get the resources of the API in a limited time (Doorkeeper's default is one hour if I'm not mistaken).
When acces_tooken expired, use refresh_token to get new access_token and so on.
In summary, access grant is the key that given as the sign that user has allowed the apps to use its resources.
Access token is the key that is given to permit an apps to use resources in a limited time which has defined.
Hope it can help.
I'm assuming you're talking about the Web Server flow, as you're using a Ruby gem in a Rails app (as you know, there are 4 flows).
Usually in the Web Server flow, Grant is the moment when the user clicks in a link to consent authorization: he/she will be asked to authorize the app to read/write data.
If consent is granted, then the app will get a temp code. With this code, in the background, the app will ask the Token for the service provider.
Then, only with the Token, the app will be able to use the service provider APIs.
I'm working on an iOS app which uses login via linkedin. I'm using a web view for the user to login and getting the token from linkedin. If i understand it correct, The token which i received is valid for short period and hence i need to make a call to linkedin with the existing token to get a new token with the extended period. Can you please let me know what api I should call to refresh the token to get the new token with the extended validity?
I'm currently using https://github.com/jeyben/IOSLinkedInAPI
According to LinkedIn there is no direct API to call to refresh a OAuth 2 token. What's supposed to happen is if:
The user is logged into LinkedIn
They have a current (less than 60 days old) token
pointing them to the authentication url will trigger a refresh of their token, without needing the user to log in.
In using the iOSLinkedInAPI library, this didn't seem to be the case.
What I figured out was, the authentication flow wasn't generating a login session cookie from LinkedIn in the iOS simulator or on a device, so requirement 1 was never being met.
You need to have the user login through the regular LinkedIn login page, and this gets you that session cookie, which you can cache. After you send the user to authenticate your app, you can load that cached cookie into the NSHTTPCookieStorage sharedHTTPCookieStorage each time you want to call the authentication URL to refresh the user's token.
I created a helper class with an example if you want to check that out:
iOSLinkedInTokenAuthorizer
Is it possible to retrieve Facebook page posts in an iOS application without having to use Facebook Login?
I am currently using the Tumblr API which works perfectly fine and delivers pictures and texts from everything that has been posted.
Any help would be much appreciated.
Thanks.
Facebook SDK says, that you need any valid access token if the post is public. So just use your app access token.
Read how to request app access token here.
Yes, this is possible. There are two options from my point of view:
If your Page is only posting in public, you could use an App Access Token
If your Page also contains non-public Posts, you should use a Page Access Token
See https://developers.facebook.com/docs/graph-api/reference/v2.0/page/feed/#readperms
An access token is required to view publicly shared posts.
A user access token is required to retrieve posts visible to that person.
A page access token is required to retrieve any other posts.
An App Access Token will not expire unless you change your App secret, a Page Access Token will expire the latest 60 days after issuing.
You should consider to wrap this in an own webservice, so that you don't have to hard-code an Access Token into your App. With an own webservice, you could encapsulate the Access Token validity issues.
I recommend their graph api for such tasks
Using it I have successfully retrieved page level data using Facebook graph api(REST)
using an app token(public posts)
user token(posts visible to that user) or
page token(all posts in page)
App token is obtained by default on creation of your Facebook app(easiest way)
User token is obtained on a user oauth login(needs oauth,can be done with oauth libraries)
Page token is obtained with a second call to Facebook, after obtaining the user token if you have manage_pages permission from the page admin (needs oauth and a second call to Facebook)
Try Facebook graph explorer and hit the page URL to get a json response of your page information.
Play with the graph explorer
https://developers.facebook.com/tools/explorer/
Page data reference
https://developers.facebook.com/docs/graph-api/reference/v2.0/page/
Access token reference
https://developers.facebook.com/docs/facebook-login/access-tokens
I am trying to impliment Oauth for my webapplication for google.I am worked upon a POC and it working fine but i have a confusion and not sure how best it can be achieved.
I am using scribe java API for Oauth.
here are the steps i am performing.
Getting request token from Google.
Redirecting user to Google to authenticate them self and authorize my serivice to access his/her few details.
get Access Toekn from google by providing request token and verification code given by google.
Accessing user info once google provide Access token.
now my main confusion is at step no 3, since i am working on a web-application so it will be a 2 step process.
Redirecting user to google
Handling back google redirect.
In order to get an Access token i need to provide same request token which i got at step1 else my request being rejected by the user.
The request token contains 2 things
Toekn -->which is based on the registered application so not an issue
Secret-->This is always being a random string so it should be same when asking for access token
that means i need to store this secret either in my session or some where so that i can access this secret when user is being redirected back to my application.
My confusion is,since in order to save it in session i have to create a unique key and some way to access it in the other action class which will handle Google Redirect back how can i achieve this since at a given time so many user can ask to login using google.
any help in this regard will be much appriciated.
Thanks in advance
When you receive the request token + token secret, use the request token as the unique key of your session to store the token information. After the authorization process, in the callback url, you have access to the request token (it's one of the parameters passed to the callback url). Using this parameter as the session key, you can restore the token information from session, including the token secret, and use it to sign your request for changing the request token for access token. After receiving the access token, a new token secret is returned to you and you can delete the old one from session.
how can i achieve this since at a given time so many user can ask to
login using google
This is not of any problem because for every single user on your site, you are given a different request token.