FB.login firstly check logged user in browser session by identifying logged user by cookie. Then it provides authResponse that includes userId,accessToken...etc. But i want to tell Facebook library to use existence user token and prompt some permissions to that user who is belong to that access token.
It is possible use FB.api to make user specific request by specifying access token explicitly. But FB.login does not take existence access token as parameter in documentation.
Is there a way to do this ?
Related
We are trying FusionAuth & looking to have a single step flow for Sign up + Sign In.
After user signs up, we want to show/land him directly to our application's dashboard page (without showing him login page in between the flow). The authentication should happen but internally i.e we are expecting OAuth2 standard IdToken in response to "WebApplication" so that web application can use IdToken to allow user to application.
Please note that we don't want to use approaches where we need to pass Username/password to our web application, don't want to handle user credentials. Also that we dont want to use Authentication Tokens returned in Registration flow because AuthenticationTokens are not that secure, looking to use OAuth2 based IdToken instead.
I have came across this post "https://fusionauth.io/community/forum/topic/165/taking-a-user-directly-to-the-registration-page/3" and tried following request, but it is showing Login page instead of registration.
/oauth2/register?client_id=<Configured_client_id>&redirect_uri=<Configured_redirect_uri>&response_type=code
(I have not used CSRF parameter though)
Please can you suggest why its showing Login Page?
You should be able to have a user register and be sent directly to your application, as long as you set the correct redirect_uri and put that on the registration URL:
https://local.fusionauth.io/oauth2/register?client_id=c50329fa-93e5-4618-8d9f-73d0ab069a23&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2F
The application will then receive a code that can be exchanged for an access token. You can call the userinfo endpoint with that token and get user information like email address, etc.
What you won't get that it seems like you might want is an id token. For that you'll have to send the user through the login process with a scope of profile. However, you could mind your own 'id token'-lite using the values from the userinfo endpoint and the JWT vending: https://fusionauth.io/docs/v1/tech/apis/jwt/#vend-a-jwt
We have a web app (SPA Angular app talking to a .Net Core Web API) which uses Auth0 as the authentication server.
Now, I'm not sure if this would be an "invite flow" or "invite-only flow", or something else, but basically, a user will go to our web app, and create an account on our system. Our API then creates an Auth0 account for this user using the Auth0 Management API. This user is then considered the Administrator. She can then create as many users as she wants for her staff. For each user she creates, our API creates an Auth0 user using the Management API.
Since, as far as I'm aware, a user must be assigned a password at the moment of creation (i.e. you cannot create a user without a password), the administrator must pick a password for each user she creates.
Additionally, each time a user is created, Auth0 automatically sends out an email to that user asking them to verify their email address. When the user follows this link, it takes them to the Auth0 login screen where they have to fill in their email address and password.
My problem is that, unless the administrator tells them what password she picked for them, there's no way of them knowing.
My question is: is there a way to defer picking a password until the user logs in for the first time? So, when the administrator creates the user, she doesn't pick a password. Then, upon the user's first login, they pick their own password.
Alternatively, if a password MUST be set at the moment of creating the user, could this password be displayed to the user in the email verification email? I would essentially treat this as a temporary password, as I would also require the user to change their password upon first logon in this case.,
Thanks
As per Google doc:
Handling authorization requests
When a user loads your application for the first time, they are presented with a dialog to grant permission for your application to access their Gmail account with the requested permission scopes. After this initial authorization, the user is only presented with the permission dialog if your app's client ID changes or the requested scopes have changed.
Authenticate the user
This initial sign-in returns an authorization result object that contains an authorization code if successful.
But could not get how handling authorization flow can occur? Is there an endpoint for it?
I got an answer,
request on:
https://accounts.google.com/o/oauth2/auth?client_id=*****.apps.googleusercontent.com&redirect_uri=https://www.msn.com&scope=https://mail.google.com/&response_type=code&access_type=offline&prompt=consent
Here, make sure you have specified scope in consent screen.
It will redirect user to give access of gmail scopes after that you will be redirected to msn url. url itself contains code which will be further used to get access token. code you get will be used one time only.
In one of my iOS apps, I am using FBSDKfor Facebook login and it works correctly. But we would like to handle the case that the access token becomes invalid. If I have changed my password through some other Facebook login then as per the Facebook blog post, it should invalidate the access token, but while I am fetching the stored token using [FBSDKAccessToken currentAccessToken].tokenString, it appears that the token is still valid, based on the following:
[FBSDKAccessToken currentAccessToken].tokenString does not return nil.
Using the following url to validate the access token [NSString stringWithFormat:#"https://graph.facebook.com/APP_ID/permissions?access_token=ACCESS_TOKEN], as per stackoverflow post
How to verify the account password changed (and corresponding token invalidation) scenario for Facebook?
We want to detect the invalid token and ask the user to login again, if the account password has been changed through logging in to Facebook somewhere else and changing the password.
Any suggestion is appreciated.
Thanks.
Changing password won't invalidate the login. To invalidate the login, you need to go to Facebook->Settings->Security and Login. Find where you are logged in with the token and force log out.
In the facebook authentication guide, i am suppose to:
Get the user to authorize my
application, by redirecting them to
authorize uri.
Get my access token
from facebook by hitting the
/outh/accesstoken uri.
Lets just say, that for whatever reason, this token is no longer valid. Do i need to perform step #1, or can i hit the /outh/accesstoken uri again?
OAuth 2.0 allows for "refresh tokens" which will do exactly what you want (hit the access token endpoint for a new token). However, Facebook does not support them.
If you want access after the user initially signed in, then you have three choices:
1/ Use the FB JavaScript library to request access in an iframe. It's not using OAuth (yet) but it will do it with minimal user disruption.
2/ Reirect the user to the OAuth endpoint again. If they have already authorized the requested scopes, then it will direct back immediately.
3/ Ask for the "offline_access" extended permission. This should only be used rarely.
If the token is no longer valid, you have to get a new one.