We are currently introducing facebook and twitter login functionality for our users both on our website as well as mobile app.
The current issue I have is with facebook tokens, I have noticed that when a user tries logging through facebook the token returned on my website and mobile app are different.
What is the best way to manage these tokens to prevent duplicate registration of users. Each user when logs in creates a basic profile in our database which is linked to the access token. I also use offline_access permission.
Now when this user uses the mobile app a different token is returned and a duplicate profile may be created. How do I prevent this situation, I need the same profile to be detected on the website as well as mobile.
The way you do it is, don't identify users by their access tokens, but by their Facebook user ids.
Just GET https://graph.facebook.com/me?access_token=ACESS_TOKEN and you will be returned the basic information about the user, which includes their Facebook user id.
Just like what Julio said, refer this question for more information. You should use the generated token to verify fb user id
Devise Omniauth and Iphone/Android App
Related
I have a web application setup to handle webhook requests from an Actions-on-Google/Dialogflow application using the Google Assistant. Users don't need to sign-in to a google account in order to use my web application and I'd prefer to keep it that way, so that users can sign in with any email address.
I also want my users to be able to interact with my application using the Google Assistant, and be able to access personal/contextual data via the assistant (i.e. when a speaker says, "what's on my shopping list", the web app needs to be able to know what my means).
Currently, I have this working by using my web app to issue a unique short code to my user (in the web app UI) and then with an intent on the Assistant where the speaker says "My code is 1-2-3-4" and then my web app can identify the user from then on (by saving the userId from the webhook request to whatever user got the short code 1234 and then using that userId to lookup the user on each subsequent request.)
My question is, is there a better way to do this? Ideally, in my web app, I'd like to have something like an "Authorize Google Assistant" button, which would then link the user's google account to their web-app account, so that the conversation on the Assistant is seamless.
Has anyone done this before?
Thanks
This is the perfect use case for Account Linking with the Google Assistant.
From your users' perspective, they will start to use your Action. If they're doing so through a speaker and they haven't linked the account yet, they'll be directed to a mobile device to do so. On a mobile device, they'll be redirected to a page on your website where they will been to authenticate themselves and authorize your server to let them in through the Assistant. Once they have done so, they won't need to log in again, the accounts will be linked, and they'll be able to use the voice Action without further obstruction.
From your perspective as a developer, you'll need to setup an OAuth2 server (I suggest the code flow). That login process I mentioned is the first step in the OAuth dance, and will end up with you issuing a code to Google. They will then exchange this code for an Auth Token (with a limited lifetime) and a Refresh Token (which does not expire). They will periodically use the Refresh Token to get new, valid, Auth Tokens for this user. When the user issues a voice command, the Auth Token will be passed as a field in the JSON to your fulfillment server, and you can use this to verify who the user is and that they are authorized to use your service.
I have searched long and far for this on Google Identity documentation but my question seems to be out of it's scope (https://developers.google.com/identity/protocols/OAuth2).
This is what I have:
I have an app that is using Google's PHP Client library to authenticate a user via oAuth2. My application stores the retrieved token & refresh token from a user. I am able to use this token and refresh token to pull in information from various Google API's (Drive, Calendar, Mail, etc). I am also storing a cookie in browser to keep the user logged in to the application when the user closes the browser. I have created a simple way for users to login to the application via a QR code that matches up their stored token and refresh token. After the first login they are able to simply use a badge to login to the application.
This is what I want but don't know how to do
When a user logs into the application with their QR badge everything work perfectly (I am still able to pull in anything via the PHP Client Library/Google API's), however when a user goes to Gmail, Drive, or other Google service, Google is asking them to login (it's because they are not technically authenticated with accounts.google.com (only my application)). Is there a way to programmatically authenticate a user to accounts.google.com via a stored token/refresh token?
I was searching for a proper way to implement authentication of users with Google accounts into an app I'm developing. One thing led to another and I found this:
https://github.com/thephpleague/oauth2-google
They have a few implementations depending on how you may wish to implement OAuth2 (via separate repositories). I believe this directly answers your question, albeit 3.4 years later. Hopefully it will help someone else who is looking for this info.
My app was rejected by Apple because "Login via Facebook" opens the Safari app, because I am using UIWebView for Facebook login, which is working fine. I am getting the access token as well.
The problem is I also need user information like user ID, email ID, user name etc. because I need to save it on my server.
How do I get the logged-in user's info when I have the access token?
Have you read the FB iOS documentation?
https://developers.facebook.com/docs/reference/ios/current/
There is an API called FBRequest which can retrieve various information or the Graph API can be used to obtain stuff.
How to integrate FB login with an iOS app is fully documented with example projects.
Twitter API allows to update "the authenticating user’s current status", as explained in the documentation page.
What I'd like to achieve instead is to update another user's current status. Consider a magazine's twitter account. I'd like different people to be able to update the magazine's status. Tweetdeck allows this, but it also allows a whole lot of other things like access to Direct Messages. I only want to provide certain authenticated users an interface (similar to Twitter's post-a-tweet interface) to post status and images to the shared account.
I could not find a simple explanation of how to use Twitter API to achieve the above functionality. Could someone please help?
If you have an app that implements the status update API and it is delivered to different people and they authorize the app with the magazine's twitter account, then the app will update that status. I can show an example also with code if this is what you're asking. However the main point is that, once a user has authorized the app, she/he doesn't need to be connected with the shared login any longer because the app will do that on the magazine's behalf.
BTW, similar question here: Twitter API: post on behalf of whom?
Edit
Just to summarize the comments:
The standard OAuth authentication requires the following main steps
1) to develop an app (registered with OAuth consumer key and secret) that implements the API update status 2) to install and authorize the app: during this step the onwer will be requested to enter the credentials of the passive account in a Twitter link opened with the browser, 3) then - after a fallback - the app will store the access token and any user of the app will be able to update the status without login
Once you have developed an app that can post tweets on behalf of a passive twitter account using the standard OAuth, you could make that functionality available to the authenticated users of a website.
Several month ago, before FB restricting the ability of a Page Account to create apps, I have created an application and linked to the page.
Now I cannot access anymore to the developers page with this account. I had to create a new app with my personal account, but I can't find a way to remove or unlink the old app from the page.
I cannot create a new page, as a result of nearly one year of activity on the current page, and trying to link the new app to the old page I get an undefined error.
We are in a sort of limbo...
Anyone has an idea on how to solve this situation?
I'm assuming you mean 'business account', not Page?
If so, and you're still able to log into the business account to manage your ads and pages, you can authorise your app by manually calling the Oauth dialog with the client-side Oauth flow, then use the access token (which will be for your business account, the admin of the app), to add your real user account as an additional admin
https://developers.facebook.com/docs/reference/api/application/#roles
You can define a role for a user by issuing an HTTP POST request to
APP_ID/roles with a user access token for an administrator of the app...
So a call to https://graph.facebook.com/<APP ID>/roles?user=<USER ID OF REAL ACCOUNT>&role= administrators&access_token=<ACCESS TOKEN>&message=POST will add another admin