I have been looking for information on how to authenticate to the facebook api without a login button and haven't been able to find anything. Essentially I want to pull data from a static user (I don't want to pull information about every person that visits the page specifically, I want to pull information from a specific user account).
I want to convert the feed I retrieve into an rss feed, or an ATOM feed for my client to display in their website.
Is there any information about how to authenticate in this way?
An example of info I would want to pull would be to pull the wall posts from their facebook account and display them as a feed.
No matter what you do, login button or not, you will have to have your user Authenticate with your application in order to retrieve any sort of data.
The easiest way to do it is to use either the facebook login button or use the Javascript SDK and do something like this...
FB.login(function(response) {
if (response.session) {
if (response.perms) {
// user is logged in and granted some permissions.
// perms is a comma separated list of granted permissions
} else {
// user is logged in, but did not grant any permissions
}
} else {
// user is not logged in
}
}, {perms:'read_stream,publish_stream,offline_access'});
http://developers.facebook.com/docs/reference/javascript/FB.login/
Then once you get the user authenticated you can grab the cookie that is created by doing
<cfscript>
var fbcookie = cookie.fbs_YOURAPIKEYGOESHERE;
</cfscript>
There is more info on the cookie here...
http://jcreamerlive.com/2011/01/12/facebook-and-coldfusion/
From there you can use the javascript FB.api and do FQL queries http://developers.facebook.com/docs/reference/javascript/
Or you can use cfhttp posts to the Graph API
http://developers.facebook.com/docs/reference/api/
Have fun!
You need to authenticate the app using oauth2 method with a offline_access permission. You will get an access token that does not require user login to access to the account.
I give a more detail and links to the relevant fb documentation pages in this answer:
Is it possible to do Server -> Facebook authentication?
Related
I am writing an App and am trying to leverage Google for A&A. The app itself relies on access to the users Google Calendar, and so initially I leveraged their updated OAUTH2 library for A&A.
Here is my flow:
User goes to the index.html which has "https://accounts.google.com/gsi/client" script and google.accounts.oauth2.initCodeClient is called with my client_id, scopes, redirect url
<script src="https://accounts.google.com/gsi/client"></script>
<script>
let client;
function initClient() {
client = google.accounts.oauth2.initCodeClient({
client_id: 'xxxxx-xxxx.apps.googleusercontent.com',
scope:
'https://www.googleapis.com/auth/userinfo.profile \
https://www.googleapis.com/auth/userinfo.email \
https://www.googleapis.com/auth/calendar.readonly \
https://www.googleapis.com/auth/calendar.events',
ux_mode: 'redirect',
redirect_uri: 'http://localhost:5000/oauth2callback',
});
}
// Request an access token
function getAuthCode() {
client.requestCode();
}
The user clicks the login button, which kicks off requestCode() and they begin the login flow. They login or select their google account, then besides the unapproved app screen, they get to the consent screen with my requested scopes.
After, they are redirected to my expressjs endpoint and using the "googleapis" library I exchange with id_token for the access and refresh tokens.
...
const { tokens } = await oauth2Client.getToken(req.query.code); //exchange code for tokens
const userInfo = (
await oauth2Client.verifyIdToken({
idToken: tokens.id_token,
audience: config.google.clientID,
})
).payload;
if (!indexBy.email[userInfo.email]) { // check if user exists
const newUser = {
name: userInfo.name,
email: userInfo.email,
o_id: userInfo.sub,
picture: userInfo.picture,
r_token: tokens.refresh_token,
};
...
Ok, all good.... but not quite. The problem is, that next time the user wants to login to the app, they go through the entire flow again, including the consent screen (again).
So, after going through more docs, even looking at examples from google. I was surprised and I noticed that many of those apps used the passport oauth2 plugin :( Something i've done in the past, but was hoping to avoid that with the recently updated Google client and nodejs libraries.
Ok, how to not prompt for consent screen on subsequent logins?
Maybe separate A&A, so first I use "Sign In With Google" for Authentication, then when I get the user info, check if the user is already registered (hence I have already saved the refresh token) and they start the app.
On the other hand, if they are new (not in existing app user collection), after authenticating, I will then call the OAUTH2 authorization redirect, so again they on Googles site, this time to do the scopes api confirmation.
So, first question, is that the best practice with most apps with leverage a Google API via OAuth? To first Authenticate, then possibility Authorize (as needed). Hopefully this will still work ok when things come up with expired/invalid refresh token (fingers crossed the default google library handles that).
When doing the Authorize for consent, can I pass something from the previous Authenticate flow so they don't need to do that again.
Or maybe when doing the Authenticate process (Google Identity Service), there is some flag or param so that if they have already consented, they don't have to do that again on subsequent logins.
Incase I wasn't clear, in a nutshell the question is: should I be doing Authenticate for login, separately from Authorization (oauth2 token). Or should I go right into the Authorization flow, which first Authenticates the user, and can I skip the Authorization consent screens if they've already done that. Or maybe there's another way which is the best practice.
Thanks for your attention.
Background info
Authentication is the act where by a user logs in into a system using their login and password. With authentication we know that the user is behind the machine. For this we use Open id connect, which was built on top of Oauth2. Open id connect returns and id_token which can be used to identify the user, it is often a jwt containing some claims to identify the subject or the user behind the Authentication.
The scope used for open id connect is profile and email. open id connect grants you consent to access a users profile information.
This is an example of the decrypted id token returned by google from a simple call using profile scope only. All this id token is telling you is who the user behind the machine is.
{
"iss": "https://accounts.google.com",
"azp": "4074087181.apps.googleusercontent.com",
"aud": "4074087181.apps.googleusercontent.com",
"sub": "1172004755672775346",
"at_hash": "pYlH4icaIx8PssR32_4qWQ",
"name": "Linda Lawton",
"picture": "https://lh3.googleusercontent.com/a-/AOh14GhroCYJp2P9xeYeYk1npchBPK-zbtTxzNQo0WAHI20=s96-c",
"given_name": "Linda",
"family_name": "Lawton",
"locale": "en",
"iat": 1655219027,
"exp": 1655222627
}
In the same call google also returned an access token. Now my call contained only the scope for profile, due to the fact that its open id connect. This means that I will only have access to the data that the profile scope would grant access to. In this case most of what is behind the Google people api.
Note: The user does not see a consent screen with open id connect, even though they are consenting to profile scope. It is assumed by signing into your account that the system you are logging into would have access to your profile info.
Authorization
Authorization is the process by which a user grants your application authorization to access their private user data. The user is shown a consent screen where they consent to your application accessing data defined by some scopes.
In the case of google calendar api there are serval
https://www.googleapis.com/auth/calendar See, edit, share, and permanently delete all the calendars you can access using Google Calendar
https://www.googleapis.com/auth/calendar.events View and edit events on all your calendars
https://www.googleapis.com/auth/calendar.events.readonly View events on all your calendars
https://www.googleapis.com/auth/calendar.readonly See and download any calendar you can access using your Google Calendar
https://www.googleapis.com/auth/calendar.settings.readonly View your Calendar settings
In this case you are only given an access token this is again Oauth2 it is authorization to access the users calendar data it is not authentication this is not related to login.
Your question
So, first question, is that the best practice with most apps with leverage a Google API via OAuth? To first Authenticate, then possibility Authorize (as needed).
You would do both at the same time.
When you authencation your user make sure to include your google calendar scope then the access token and refresh token returned will grant you access to google calendar.
I am going to assume that you have some kind of user system. When you store the user be sure to store the refresh token that is returned.
As far as Authentication goes i will assume you either have a remember me system which will set a cookie on their machine and remember the user so that you can then get the refresh token from their system the next time they come back.
If they did not chose to select a remember me option then will then have to login every time they visit your site but part of the login will return the "sub": "1172004755672775346", this is the users id on google system so you can use that in your database to match the user when they come back.
Your question is quite complex and will depend upon the type of system you have what it is designed to do as well as what programming language you are using. That being said I hope this very long answer clears things up a bit.
When a user registers at my website I also need to create a quickblox user. I got this procedure to work:
Get a session token from API route "api.quickblox.com/session.json". But to do so I need a user. So I use my own login to quickblox dashboard.
Create the user by hitting API route "/users.json". Fair eanough, it works!
Questions
It feels strange using my own dashboard login as the token generator account. Is there not some other way?
The newly created user can create more users! That is, I created a new token with the details from the just created user, whom in turn was allowed to create further users. This cant be right? What am I doing wrong?
Quickblox chat example available here: http://quickblox.github.io/quickblox-javascript-sdk/samples/chat/# serves the keys and secret in the open, like this:
QBApp = { appId: 46126, authKey: 'Nyc2fwgg8QeFJpS', authSecret: SUv3grsaDMx5'}; Is that the way to do it? Then atleast I would like to control the creation of new users..
Thanks!
Hope you doing well !!
For Quickblox must have manage session for each and every users,you have to download and integrate quickblox SDK into your web app.
You have to follow this steps:
1) Create a app on Quickblox and add credentials into your javascript SDK or configure your javascript SDK.
2) Whenever user is logged-in to you app you must have to login quickblox as well and get session for logged-in user.
3) Do whatever operation with user created session like (chat,viedo call, audio call)
4) When user log-out from your, you have to manage like user also logout form quickblox and destroy previously created sessions.
5) When registering new user you have to also register that user into your quickblox app.
this way you have to manage user management.
hope this will help you.
To create a user with an arbetary session/token this function can be used (for JS SDK)
var params = {login: 'test3', password: '12345678'};
function createUser(params) {
QB.createSession(function(err, result) {
QB.users.create(params, function(err, user) {
if (user) {
// user - JS obejct with QB user
alert("successfully created a user!");
} else {
alert("error!");
}
});
});
}
"The newly created user can create more users!"
After further research I have concuded this is a part of the design and not to worry about. I will add a job to clean up any users created by spammers.
I was trying to link/merge auth providers in Firebase but instead, I was wondering if this work around would give me similar results.
Can I log a user in with the Firebase email & password auth and then on their profile page use the google auth so that I can grab their access token to access their youtube videos?
Then when I set the user I will use their password and email but pass in the google uid for future use so that I can access their videos.
// Updated question with code example
So initially, I was just signing users in with google and passing in the youtube parameters so that I could access the users videos. This is my Firebase auth with google function below.
$scope.authWithGoogle = function() {
var scope = {
scope:'https://www.googleapis.com/auth/youtube'
};
Auth.$authWithOAuthRedirect("google", scope).then(function(authData) {
$scope.loggedInUser = authData;
}).catch(function(error) {
if(error.code === "TRANSPORT_UNAVAILABLE") {
Auth.$authWithOAuthPopup("google", scope).then(function(authData) {
$scope.loggedInUser = authData;
});
} else {
console.log(error);
}
});
};
This just authenticates the user and doesn't store anything in the data..I think. So now I was hoping to implement a login with email and password so that everyone could login even if they didn't have a google account.
I was just wondering if I could authenticate the user with email and password and then once they are signed in use this function to allow the user to authenticate with google and link their videos to their account? Then when I set my user data I can save their access token for the videos so that I have access to them later. I was just wondering if this was a possible work around instead of trying to link email and password with a google account or if it is too hacky.
Ultimately if I can log in a user with email and password and then link their google account once they are signed in that would be the desired behavior I am going for but I just haven't been able to find how to do this.
On Firebase Authentication, a user can be signed in to only one identity provider at a time. So they can be signed in to either email+password, or google, in your use-case, not to both.
It is possible to have the user sign-in to Google authentication without using Firebase Authentication and then associate the two yourself. But since this is not built-in to Firebase, there is no documentation on how to do this.
i am using this link
https://api.instagram.com/v1/users/[user-id]/relationship?access_token=[ACCESS-TOKEN]
in the above link user_id is the id of the person to whom i want to follow and Access token is created for my app in instagram developer site.
and it give response like
{
"meta":
{
"error_type":"OAuthPermissionsException",
"code":400,
"error_message":"This request requires scope=relationships, but this access token is not authorized with this scope. The user must re-authorize your application with scope=relationships to be granted write permissions."
}
}
i searched on internet and some one told me to add scope=relationships while creating access token i don't know how to do this..
Simple Words
Follow a Instagram user on click of a button .
scope=likes+comments+relationships+basic
use it then you are trying to login
"To request multiple scopes at once, simply separate the scopes by a space. In the url, this equates to an escaped space (“+”)."
https://instagram.com/developer/authentication/
I'm trying to make a check for a specific user logging into Instagram and approving an app I've created. Is this possible?
Example flow :
User comes to my app
User clicks login/authenticate via Instagram
User logs in (or check is made if user is logged in via Instagram)
User is redirected to my app's callback URI.
When the user gets back to my app I would like to be able to check which user has authenticated - is this possible? At present I'm only able to get an access token.
Thanks for any help.
I've actually solved this by using the server-side flow mentioned in the API documentation (http://instagram.com/developer/authentication/) which gives me back a response including the details of the user logged in if following the extra step (code->access_code application, etc).
I also figured out what you mention above too, so both ways are good.
Thanks for you help.
The information is not directly returned to you in the OAuth process, but once you have the access token you can load user information using the https://api.instagram.com/v1/users/self/?access_token=XXXX endpoint. That will give you data about the currently logged in user (including ID and username)