I'm using the Oauth redirect authorization method to provide authorization for a page tab iframe application.
The flow works like this:
User loads page tab (unauthorized)
User clicks authorize link
Authorization dialog takes over parent window
Accepted authorization redirects to my application to register user account using authorized email.
My application redirects back to the page tab
Loading the page tab causes authorization to be lost, and the user sees the authorize link again. Rinse, repeat, no success.
Confusingly, the application works completely if instead of redirecting to the Facebook Page Tab, I redirect to any path in my application (ie. the root, the user's page, etc.). Only by setting the redirect to the Facebook Page Tab URL does the user get "booted".
Even stranger, if I keep redirection limited to my application, but simply load the Facebook Page Tab, the authorization is killed everywhere. Meaning, post-facebook-page-load, refreshing the application off-Facebook will prompt the user to authorize again, and they are effectively "logged out" of my system.
I am using Rails 3.0.1 with Devise 1.4.2 for user accounts. The user authorization is passed to a Devise registration (I need to keep track of users in my app - a voting-based "contest" application). Devise uses the "Server side Flow" detailed here: http://developers.facebook.com/docs/authentication/
I'm lost as to what would be causing this. Facebook killing the auth cookie? Does this happen?
When you access the facebook tab page first time,signed_request is necessary:
#signed_request = oauth.parse_signed_request(params[:signed_request])
So you can send a parameter when redirect to it from other pages to check if it's the first time.
Related
I know how to implement a spring security login form the "classical" way, but I'm having a hard time figuring out how to implement a login form that opens in a modal and always behaves "properly".
It is not as trivial as it sounds.
Here are my specifications:
when an unauthenticated user requests a protected page, a modal login form should appear; when the login is successful, the requested page should appear and the address bar should display the requested url as in a non-modal approach
when this is triggered from outside the site, the modal should open on the site home page
when this is triggered from inside the site, the modal should open on the current page
when a user clicks on a "login" button on the site header (from any unprotected page) a modal login form should appear without changing page; when the login is successful, the location should not change but the page should be reloaded in order to be updated (e.g. showing the user name in the header)
if the modal is closed before submission, the original page should not have changed
if there are login errors, they should appear in the modal without redrawing the whole page
if the login form is submitted after session expiration, the login process should handle expired CSRF tokens gracefully (but I might consider removing them altogether for the login form, where I don't think are needed anyway)
every ajax request on the site (that originates from a protected page), should handle login requests gracefully
brute-force attacks should be hampered by temporarily suspending a username after some failed attempts
Java-only Spring configuration (no XML) and JQuery
the logout link should not trigger an authorization error when the session is expired
I'm developing a mobile application using MVC 4. And I'm securing it. The application has 2 pages ("home" and "Clientes")
When the application starts it asks me for a username and password, with this being its URL http://localhost:59170/Account/Login?ReturnUrl=%2f.
I login and go to the home page. This is the url I can see on IE http://localhost:59170/Account/Login?ReturnUrl=%2f.
From this page I go to the Clientes page. This is the url that I can see on IE http://localhost:59170/Account/Login?ReturnUrl=%2f#/Clientes. At the moment all works ok (Though url like something stranger).
The problem occurs when I press the back button on IE. It must go to the home page but I go to http://localhost:59170/Account/Login?ReturnUrl=%2f#/Account/Login?ReturnUrl=%2f where it asks me to login.
What might cause this behaviour and how do I solve it?
Each time you request a page that requires authentication, .NET will redirect you to your designated login page and append the requested URL to the URL. That way, once the user has logged in successfully it will redirect them to the page they requested automatically. In your first URL for example the return URL encoded representation of / i.e. the root/ homepage of your site
It will keep redirecting you until you have authenticated. If you don't want to have authentication on your homepage then just annotate your account controller with [Authorize] and not your home controller
I have implemented Sign in with Twitter on my web site using DotNetOpenAuth lib using asp.net mvc 3.
My problem is that every time the user click Sign-in with twitter it redirects him to a twitter page (even if he is already logged in to twitter).
I saw that sites like www.pinterest.com avoids this somehow.
How can I avoid the redirect to Twitter sign-in page if the user is already logged in to twitter?
This is called Sign in with Twitter. Redirect users to https://api.twitter.com/oauth/authenticate?oauth_token=xyz instead of https://api.twitter.com/oauth/authorize?oauth_token=xyz. If the user is has an active session with twitter.com and has previously authorized the application they will silently be redirected to the callback url.
All,
Here is the scenario;
Our website uses APPID-1 for auth and extended permissions (MainSite)
Our Page Tab App uses APPID-1 for auth & extended permission
(TabApp-1), and this adds the auth_token to our DB on MainSite
However we want to add another tab that uses APPID-1 for auth_token acquisition, is this possible?
Proposed scenario;
MainSite - APPID-1 acquire auth_token
TabApp-1 - APPID-1 acquire auth_token
TabApp-2 - APPID-1 acquire auth_token
I should note that non of our TabApps actually need the auth_token, its our MainSite backend app that uses the auth_token to perform actions for the user. However we want to make it easier for our users to use the site, and many come via our Fan Page.
So can we have TabApp-2 pop the Auth Dialog for APPID-1 with is not TabApp-2's APPID?
Specs:
Ruby on Rails 3.1 and using Graph API & Javascript Fb API
I guess you would have to initiate the JS SDK in TabApp-2 with APPID-1. Server-side you would receive a signed_request with TabApp-2 credentials but you can just it that if you work only with the JS API.
I guess you could validate the assumption with a prototype in less than 30 minutes. Have you done that yet? If so, what were the results?
You don't need different apps for this (but i think you're aware of that) the same app can be installed onto multiple pages, and you can show different content on each page by checking the page parameter in the signed_request which is POSTed to your server when the page tab is loaded by a user.
As far as authorisation goes, you may have issues when getting the user to log in directly from a page tab (issues = it may not be allowed to redirect the user back to the tab after login because the full URL to the tab (http://www.facebook.com/pages/somepage/12345?sk=app_{app id here}) isn't 'owned' by your app)
If that happens you can send them to your main site after login with an additional parameter that you use to detect that the user started login on a page tab, and redirect them back to it
Seems you will have to make a few apps, then just use php-sdk to authenticate, since the auth will be server side it will not matter what iframe or page tab it appears in, it will be able to auth to a single app.
My facebook application is installed on multiple pages as a tab.
When a user clicks on the tab link from a page, if the user has not authorized my app, I redirect the user for authorization.
After authorization, the user is redirected to my site with the "code" value. Now, at this point, I can get the "access token" for this user but I do not have the current page id.
I need the current page id in order to show the page specific data to this user.
However, after the user has authorized my user, when the user comes back later, i get the page information from the signed request. But I also need the page information immediately after authorization.
When your app first loaded as a tab, you can read the "signed_request" and compose the redirect_uri with it.
var encodeURI = encodeURIComponent("http://myapp.com?pageid=123");
and redirect your user to somewhere like
https://www.facebook.com/dialog/oauth?
client_id=YOUR_APP_ID&redirect_uri=encodeURI&response_type=token