I'm having a hard time understanding how Facebook communicates with my server when a user logs in (after approving my facebook app). I've been looking through guides and other Stackoverflow questions for hours on end but can't seem to get the hang of it. The documentation on http://developers.facebook.com/ isn't to much help much either.
What I want to do is to have a Facebook login button on my page which opens a Facebook login window (using Facebook's Javascript SDK). When the user then logs in to Facebook and approves my app I want to get the user's data (name, email, age) and store it in my database. How do I get this data, SECURELY (server-side confirmation/authorization)?
Basically, in this order;
a user clicks log-in button on my site
a pop-up is shown where the user can log in & approve the app on Facebook
check if user has already logged in before by getting user's user_id
if it's the users first time logging in, the user's Facebook data (specifically: full name, picture, email adress, age) is gathered by me and stored in my database
After the user logs/approves the app in the Facebook pop-up, where is the user's data then sent?
After the user approves the app, the user's data is not sent anywhere. You need to make an API call to retrieve the data.
Facebook is an OAuth provider. You use Facebook Login so the user can give you permission to access her Facebook data (such as email, friend list, messages, news feed etc). You can also get permissions to take action on behalf of the user (such as uploading a photo, posting to news feed etc.) While starting the OAuth flow, you specify which permissions you will request from the user. These are called scopes.
The authorization flow that happens in the pop-up window is there for the user to give you permission to access the data that you request. This permission is represented as an access token which you have to use everytime you want to retreive user data, or attempt to do something on behalf of the user.
Once you have the access token, you can use the Facebook Graph API to get whatever data you want from Facebook. If you try to access some data that you did not get permission for, then the API method will return an access denied error.
I wanted to give some more links about scopes and access tokens from the Facebook Developers site but my reputation score is too low :)
Related
I'm trying to access public information from API's without actually having users grant access to the API in my mobile Application. Is this actually possible, or are the Oauth permissions for any sort of access to an API?
For example, I want my application to be able to pull a list of nearby restaurants for my application without asking the user if Yelp can access the application. Since the user just wants nearby food information, the request for restaurants isn't user specific, and the user shouldn't actually have to login.
Another example is if I want Eventbrite to simply give me a list of upcoming events. Is there a way to get this list without having a user authenticate Eventbrite within my application itsself?
You can call an API endpoint with your own token (between your Eventbrite account and your application key), and if the data is public (even if it's 'owned' by a different Eventbrite account) we'll return the data.
For example, if you want a list of events across our Event Directory (Event Search endpoint: http://developer.eventbrite.com/docs/event-search/) you can call this method with your own OAuth token (you can grab your OAuth token here: http://eventbrite.com/myaccount/apps).
Hope that helps!
I am creating a website using rails. there is no user authentication but all the team members data(name, summary of job experience, social media handles, etc) is saved in a json file which is parsed to show the data on page. I have a twitter handle of every user. I want to collect the latest tweet and the tweet's information(tweeted on, etc) for every handle. Also, if any of the user posts another tweet, that tweet should replace the old tweet. I dont have user authentication in my application. i did try on terminal
curl http://api.twitter.com/1.1/statuses/user_timeline.json?screen_name=user_name&count=1
but it gives me
{"errors":[{"message":"Bad Authentication data","code":215}]}
All requests to Twitter's API now need to be authenticated. See the documentation for the API call you want to make.
You will need to register an app with Twitter and get your authentication tokens before you can start to make requests like that.
So, to be clear, the users do not need to be authenticated - but your app does need to be authenticated.
I would like my server-side code to upload tracks to soundcloud in its own name, then later it will retrieve comments, favourites and listener counts. I do not want to do this on behalf of an app user - for there is no app! Previous questions here on stackoverflow§ (there is no "me too" button) and the API docs seem to suggest I cannot do this. Am I correct?
§ Can track belong to the application and not individual users?
This is called "Authenticating without the SoundCloud Connect Screen" in the API docs:
http://developers.soundcloud.com/docs/api/guide#user-credentials
An "app" in this case is a program that wants to access the Soundcloud API. You register them here:
http://soundcloud.com/you/apps/
Normally you would make a unique username, and register the app to that user. Then, the code logs in as that user to authenticate.
I've integrated social logins (Facebook, Twitter, etc.) with a Rails app using Devise and OAuth. The requests and callbacks all work great and users are able to authenticate the app and login efficiently.
My problem is this:
With Devise, my site has the user's email address as the username. So, whenever a user logs in through a social site for the first time, a 'connection' record is stored for their account to show which social sites they've logged in with. If they don't already have an account on my site, one is created with the email address from the callback array. The connection is then stored along with the returned tokens and secrets for later use (FB posts, tweets, etc.).
Unfortunately, Twitter doesn't provide the email address. To circumvent this, I'm asking first-time users that login with Twitter to simply provide an email address so an account can be created. However, I can't figure out what to do if they already have an account on my site. I can't check if they already do since I'm not given an email address to match up. This could ultimately cause a user to have multiple accounts.
So, I'm a bit at a loss, and if anyone has any suggestions, it would be extremely helpful.
Thanks! :)
You'll need to store some oauth provider info like {provider, twitter identifier} too to your database and then check twitter oauths based on that instead of the email ID.
The simplest thing to do would be to add a slightly different flow for if the login was via twitter. Ask a first time Twitter login user for the email ID. In your users table, add a column called tw_id and add the users twitter identifier. Next time, if the login is via Twitter, you check the tw_id instead of the provider email and proceed with the normal app flow.
I am new to linkedin api. I have a doubt regarding the api.
I am integrating the api in my application, so different user have to register in the linkedin to get the data using that api? Can it be pre registered and the user can get the data whatever he wants.
Suppose user wants to search about company. He will type the company name and will get the names of the company related to search. He should not log in in linked in before searching.
Is it possible?
If you are using the JavaScript API, then yes, you may need to have the user log in each time as the JavaScript API's authorization is cleared every time the user closes their browser.
If you are using the REST API, you can store the user's OAuth token and use that to make the calls on behalf of the user, saving them having to sign-in each time.