I'm currently using OpenID to allow users to login to my website using Google as a provider. I'm thinking about allowing users to use Facebook to login as well. When a user logs in with Google OpenID, Google sends the following data to my website about the user:
Full name
First name
Last name
ID
Gender
Language
Email address
I've done some quick searching, but I can't find a list of attributes that Facebook would provide with an Oauth login. What data does facebook provide by default, and what additional data can you ask for?
Here's the list of what I get when accessing https://graph.facebook.com/me:
id
name
first_name
last_name
link
username
about
work
education
gender
email
timezone
locale
verified
updated_time
If you look at https://developer.facebook.com they have a bunch of tools which let you poke around and test URLs.
Check out the Facebook Graph Explorer tool: https://developers.facebook.com/tools/explorer/
By default, this tool let's you query the Facebook graph with default permissions.
There's a button labelled 'get access token' which gives you the option to generate access tokens for every possible combination of Facebook permissions. You can then query the Graph with any set of permissions and see what data is available.
Related
So I am having some trouble figuring out how to implement a sign-in for my app using google oauth. Every example I see shows how to authentication the user, get their permissions and then start using the Google APIs.
I do not care about permission or using Google APIs. All I want to do is have the user sign-in to my app using google oauth instead of having to implement my own authentication system with user and passwords in the database.
After the user authenticates with their google account, then they can change settings associated with their account for my app. What is the flow i need to implement to achieve this?
How would I associated a google user with certain data defined in my own app's database? I have successfully implemented the authentication part but then what would I need to store in my DB to associate them with their actions and data. Would I need to use sessions? and then retrieve their Google+ ID, save it in the database and then use that to identify them in the database for later when they log in again?
any help is appreciated
Once the the server validates the access token, a user account can be created in the database, saving the Google ID along other user details (ID, email, name etc).
If your application also supports normal registration, and an account is already present for that user (matching email), then you can just fill in the (nullable) Google ID column in order to link the account(s).
I am working on Google OAuth for user to sign up(asp mvc application), I want to retrieve the user's family name and given name once they authorized the permission for my app, But if the user hasn't enable/join Google Plus, the call back api return me empty family name and given name, if use have Google Plus enabled, then I can get their family/given names,
So, Here is my question, is it possible getting google user's family/given name through OAuth without user have to enable Google Plus ?
var loginInfo = new ExternalLoginInfo();
loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
LoginInfo have family/given name properties but they are empty string.
Many thanks!
so happy I got the solution now, the solution is to add the specific scope(https://www.googleapis.com/auth/plus.login) in the request to google oauth, then if the user's google account hasn't got google plus enabled, it will prompt user to create google plus profile first then accept you app to access the user's google account/plus information.
google oauth ref:https://developers.google.com/+/web/api/rest/oauth
I am currently developing an app using the Google places API..
https://developers.google.com/places/documentation/
I want to use the Events methods, so that a Place/Business owner can add events..
https://developers.google.com/places/documentation/actions#event_intro
However I obviously need to restrict it, so that only the Business owner can create events for their Business. Is there anyway of authenticating a user via a Google api, to confirm that they are the Place owner? I looked at Google+ however there is no reference to any 'Places' setup by that user in the people request.
Looks like this is possible now. The workflow would be the following:
Your user triggers a places search and selects a specific place in the result
Your user selects an option in your app to claim they are the owner of your place
Your user is redirected into an OAuth flow to Google Places where they login with their Google credentials
Once authenticated, your app is provided with an OAuth token for the user
Your app submits that token along with a Place reference to a Places API owner verification service
The Places API returns a yes/no as to whether the user concerned is the verified owner of the Place
Source - https://code.google.com/p/gmaps-api-issues/issues/detail?id=3894 - comment #3
Enjoy!
In Facebook API:
"When a user allows you to access their basic information in an auth dialog, you have access to their user id, name, ...
To get access to any additional information about the user or their friends you need to ask for specific permissions from the user."
So basically Facebook allows for use of the API with restricted permissions by default, and then it specifically asks for all sorts of permissions you might use.
In Twitter when the user is redirected to the twitter popup on "account/verify_credentials" the popup shows:
"This application will be able to:
Read Tweets from your timeline.
See who you follow, and follow new people.
Update your profile.
Post Tweets for you."
It is basically giving me permissions that I don't need right off the bat and it might drive the user away from giving me such permissions (I wouldn't blame them)
Is there a way to get restricted permission (such as user info, and that's about it) thus show less items the user is allowing me to do in the popup ?
Sign into https://dev.twitter.com/apps, select the application, and switch access to read only on the settings tab. This will remove the Update your profile and Post Tweets for you permissions. The first two permissions are always present with Twitter OAuth.
Im adding facebook one-login to my website. Just wanted to get some feedback from people who have already implemented it.
At the moment im allowing user to login to my site using fb:login, providing they have a valid account on fb and login successfully, if the same email address thats returned from fb matches my email address I hold in my own database, they will automatically be logged in to my site.
The problem I have is, im finding hard having just the email as my main authentication between the user and the my site. For those who have already implmented this, could you please share some of you loggic (theory) on how you autenticate the user when you're logging them onto your site.
I had the same problem than you. I had users in my database with their name and email address and I wanted to add the Facebook connect plugin.
Now, on the login page, I let users choose between standard and Facebook login. If one choose Facbook login I retrieve his Facebook ID with the Facebook PHP SDK (see on github) :
$facebook = new Facebook(...);
$id = $facebook->getUser();
If I have this Facebook ID in my records, I log the user in.
If not, I retrieve his email adress :
$profile = $facebook->api('/me');
$email = $profile['email'];
If I have this email in my database, I store the facebook ID in that record (for the next time) and I log the user in.
If not, I create a new record with the Facebook ID and the email. After that, the user can set a password in his settings to be able to log in with the standard login (without Facebook).
You may want to check the example of the Facebook PHP SDK out to better understand how the flow works.
Hope that helps.
I have also done this. I have now understood that you do you want to match the email address that if user changes his email address you want to update it. Its simple solution is that store the user information in your database. What I have done, I store the user profile id returned by the facebook as user name and by converting into md5 I store the same profile ID as password and email adress returned by the user. Now every facebook user has its unique id in my database. Whenever user comes to my site and logins with facebook, There are two cases
1- I compare the profile id with my database and if record found I always update the email address in that particular field returned by facebook.. Now I can have the latest email address of the user. 2- if the user is not in my database then I insert the record by applying the above method.
Hope it will help you