Facebook Login JDK Securely - facebook-javascript-sdk

I am new to FB interaction and used the FB-recommended JDK approach to get login/continue-as to work on a webpage. But I can't see how the login response is secure at all, since it is all done on the client side. Again, I am only concerned about login, not post-login calls, as I see many methods for securing those. Am I missing something here that I can't see after combing through the FB login documentation? I am wondering if I'm crazy to consider using the Manual Login Flow, which FB is clearly not promoting as much?
Thanks for the help!

Related

Login in App via Moodle credentials and LTI - Provider or consumer?

I have a simple question that I can't solve with the resources about Moodle and LTI.
I want my users to log in to their app with Moodle credentials (as is often done with e.g. "login via Facebook"): is my app the consumer or the provider?
I first thought the app is the provider but some points make me question that:
No, I do not want to start the app from within moodle.
No, I also do not want to embed my app content in Moodle.
I just want the users registered in Moodle to log in to an app with their Moodle username and password.
All content I found on LTI provider assumed the opposite of point 1 and 2.
However, I also found that moodle can be a provider itself. It has been shown to be embedded in an external application. But in my understanding, the consumer is responsible for authenticating the login (which is opposite to point 3).
Am I missing something that makes it so hard to see the solution here?
I found Atomic Jolt's try_oauth repo does exactly what you want. It also has an excellent code-along video which explains the workflow really well.
You navigate to the app and it opens up a Canvas authentication page and grabs the user's credentials.
https://github.com/atomicjolt/try_oauth
Hope that helps.
There is a plugin for Moodle which makes it an OAuth2 provider. You could use that to allow authentication in your app with Moodle credentials.
https://github.com/projectestac/moodle-local_oauth

How does the Plunker authentication work

All, forgive me if my question is off topic or a dumb question.
I really want to know how to implement an authentication mechanism like GitHub's for Plunker.
In my project, I think I have the same situation as this.
I have some websites like Plunker,
and I want to implement an SSO center authentication website or service for all the other websites, like GitHub.
When I click the button "Sign in with GitHub" in Plunker, the website opens a new window with the URL
https://github.com/login?return_to=%2Flogin%2Foauth%2Fauthorize%3Fclient_id%3D7e377e5657c4d5c332db%26redirect_uri%3Dhttp%253A%252F%252Fplnkr.co%252Fauth%252Fgithub%26scope%3Dgist
When I successfully log in to GitHub, Plunker logs in with the authenticated user I just used in GitHub.
My problem is I don't know how the authentication works between GitHub and Plunker.
Could someone please tell me something about it? It will be appreciated. Thanks.
Plunker's "log in with GitHub" button uses OAuth2, an open standard for this kind of thing. It's the same technology used by Google for their sign-in with Google functionality, as well as many other providers.
Here is GitHub's documentation for adding "log in with OAuth" to your site.
Creating your own OAuth provider is a significant task, and one that you probably don't want to tackle without weighing carefully. If you do choose to go down this path you'll likely want to use an existing library for your language or stack of choice, e.g. perhaps something from this list. This is also good advice if you only plan to build an OAuth client.
As pointed out, Plunker's login process appears to be using GitHub's OAuth2, but manages to pull it off on the client without redirects/reloads using window.open and postMessage. A detailed description of the technique can be found here. The demo code looks relatively painless.
The Gatekeeper project seems to be a more polished implementation (with node.js) of that idea and there is a detailed tutorial on doing client-side auth with it here.
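The opener side of the window.open + postMessage technique, as an added example that is not Plunker's or Gatekeeper's code. The security-relevant check is that the opener accepts a result only from the origin it expects and only from the popup it opened, since any page holding a reference to the window can call postMessage on it. AUTH_ORIGIN, the /auth/github path and the {type, token} message shape are assumptions.

```javascript
// Assumption: the popup (the page that finishes the OAuth redirect) is served
// from this origin and ends with:
//   window.opener.postMessage({ type: 'oauth-result', token }, OPENER_ORIGIN);
const AUTH_ORIGIN = 'https://auth.example.com';

// Pure validator, kept separate so it can be exercised outside a browser.
// Returns the token string, or null if the message must be ignored.
function acceptAuthMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;   // messages from any other origin are dropped
  const data = event.data;
  if (!data || typeof data !== 'object') return null; // expect a structured message, not a bare string
  if (data.type !== 'oauth-result') return null;
  if (typeof data.token !== 'string' || data.token.length === 0) return null;
  return data.token;
}

// Browser wiring: open the popup and resolve with the first valid result.
function loginViaPopup(authUrl, expectedOrigin) {
  return new Promise((resolve, reject) => {
    const popup = window.open(authUrl, 'oauth', 'width=600,height=700');
    if (!popup) return reject(new Error('popup blocked'));
    function onMessage(event) {
      if (event.source !== popup) return;             // only the window we opened
      const token = acceptAuthMessage(event, expectedOrigin);
      if (token === null) return;
      window.removeEventListener('message', onMessage);
      popup.close();
      resolve(token);
    }
    window.addEventListener('message', onMessage);
  });
}

// Only runs in a browser; under Node there is no window and nothing happens.
if (typeof window !== 'undefined') {
  loginViaPopup(AUTH_ORIGIN + '/auth/github', AUTH_ORIGIN).then(console.log, console.error);
}
```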

What facebook API do I use to remotely publish things to user's walls from my FB App?

I have a FB App that a user will subscribe to via some client (Android or Web), but that later needs to post stuff to their wall (not from the client but from the server). Assuming I have the FB-AppID, and Key and the user's UserId, and they have opted into the app, what is the API I would use to then post stuff to their wall via WGET from my server? I'm confused by all their various methodologies, and am hoping to get pointed towards the one that's the most HTTP friendly.
Please check out the "posts/Create" section under https://developers.facebook.com/docs/reference/api/user/.
You will need the publish_stream permission to push the same to Facebook.
Also, you will need a valid access_token from FB which is linked to the user who has logged into your app. A standard access_token will work only for a fixed amount of time since it was last provided to you (typically 30 minutes).
If you wish to post after the said time (basically anytime), then you will need the offline_access permission also.
In essence, if you need to do a post offline, then you need to necessarily have an access token with both "offline_access" and "publish_stream" permissions.
You can use the Facebook Graph API. This API is HTTP-based and supports REST services.
Here is the link -> https://developers.facebook.com/docs/reference/api/
You must be logged in to Facebook to access this page.

Custom iOS Twitter Authentication page?

I am making a mobile application where users can connect their Twitter accounts to the app. I am just kind of curious what the best way to do it is.
Right now, I would love to be able to make my own custom page (without having to use a UIWebView).
Is this possible? If so, how?
Thanks.
As I understand, you don't want the user to be redirected to Twitter's OAuth authorization web page. You can use xAuth instead, but you have to send Twitter an email why you want this, and they won't allow xAuth for your app until it is in a very late development state (when your app is almost complete). You can find the manual for xAuth in the Twitter development documentation.
Basically, what xAuth does is it allows desktop and mobile applications to skip the request_token and authorize steps and jump right to the access_token step. This way, you can provide the user with custom fields (e.g. UITextField objects) to fill their username and password in. Just make sure you don't save them anywhere, only the access token. Good luck. :)
A quick web search reveals MGTwitterEngine.

How to use GMail as a free SMTP server and overcome captcha

Gmail can be used as an SMTP server. I've written the code that does it. But as we all know, Gmail may occasionally authenticate using a captcha (image verification, as they call it). The same thing may be the cause of rejected SMTP authentication.
As I've seen, Google shows image verification when you try to log in for the first time from some machine. All consecutive log-ins from the same machine (to the same account) use regular login. I'm a bit afraid this captcha may also come up again for some other reasons that I can't control.
So. Is it possible to still authenticate when special measures are needed? And how?
I should also mention that logging in from the machine via web browser also enables programmatic SMTP authentication.
Try:
http://www.google.com/accounts/DisplayUnlockCaptcha
Or for Google Apps for your domain:
https://www.google.com/a/yourdomain.com/UnlockCaptcha
I can bet it's an IP-based solution, so if your app is deployed somewhere else, it doesn't help.
Google doesn't seem to be particularly clear about what prompts them to block a user's account until he has successfully entered a captcha phrase. However, it's likely that this is a mechanism which is triggered when Google sees what it considers to be unusual or suspicious activity associated with your account. As a result, I would expect it to be unlikely that they will supply an option to opt out of a mechanism which is protecting both them and you, although others are welcome to find evidence to the contrary.
Various discussions of when and how this happens throw up some suggestions which you might like to try to see if they help, such as choosing a stronger password or simply changing your password. Good luck!
IMHO, the right way to do this, without implementing the user consent workflow or "hacking your account's security settings", is obtaining a refresh token with the Google OAuth 2.0 Playground for Offline Access. After that, you can authenticate using the OAuth 2.0 API.
I got it working after reading Nodemailer/Gmail - What exactly is a refresh token and how do I get one?
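As an added example (not from the answers above, and not Nodemailer's code) of what the OAuth 2.0 route looks like at the protocol level: the refresh token obtained from the Playground is traded for a short-lived access token, and that token is presented to Gmail's SMTP server through the SASL XOAUTH2 mechanism, so neither the account password nor the captcha unlock is involved. The client id, client secret, refresh token and the token-endpoint response below are placeholders I constructed.

```javascript
const CLIENT_ID = 'placeholder-client-id';          // assumption: from your Google API project
const CLIENT_SECRET = 'placeholder-client-secret';
const REFRESH_TOKEN = 'placeholder-refresh-token';  // assumption: the token the Playground gave you
const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';

// Builds the POST that trades the long-lived refresh token for a short-lived
// access token (form-encoded body). The refresh token never goes to the SMTP server.
function buildRefreshRequest(clientId, clientSecret, refreshToken) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  });
  return {
    url: TOKEN_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Initial client response for SASL XOAUTH2, which Gmail's SMTP server accepts:
// base64("user=<address>\x01auth=Bearer <access token>\x01\x01").
function xoauth2Initial(user, accessToken) {
  return Buffer.from(`user=${user}\x01auth=Bearer ${accessToken}\x01\x01`).toString('base64');
}

// Turns the token endpoint's JSON reply into the SMTP AUTH line to send,
// or returns null when the reply carries no usable bearer token (e.g. an
// {"error": "invalid_grant"} reply, which means the refresh token is revoked).
function authLineFromTokenResponse(user, tokenResponseJson) {
  const res = JSON.parse(tokenResponseJson);
  if (res.token_type !== 'Bearer' || typeof res.access_token !== 'string') return null;
  return `AUTH XOAUTH2 ${xoauth2Initial(user, res.access_token)}`;
}

// Constructed sample of a successful token endpoint reply (values are fake).
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  access_token: 'ya29.placeholder', expires_in: 3599,
  scope: 'https://mail.google.com/', token_type: 'Bearer',
});

console.log(buildRefreshRequest(CLIENT_ID, CLIENT_SECRET, REFRESH_TOKEN).body);
console.log(authLineFromTokenResponse('me@gmail.com', SAMPLE_TOKEN_RESPONSE));
```

The access token expires after expires_in seconds, so a long-running mailer repeats the refresh step rather than caching the AUTH line indefinitely.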