I currently use the Facebook JavaScript SDK to retrieve the e-mail address of the current logged in user in Facebook. So a user clicks Log-in, their email address is displayed in a form field, then they either register or log-in (if they have previously registered).
I have been asked to make it so clicking "Log-in" actually logs them in to the site automatically. I do not understand how this is possible as currently to log-in you require a username and password.
Do I need to actually insert a user into the website's backend?
Not sure if this is allowed but www.dealdash.com is an example of what I need. If you click Log in in the top right of the screen then Sign in with Facebook - it asks you for permission and then afterwards you are logged in.
I found this graph once, that was very helpful.
Related
HybridAuth Facebook Login - Permissions
After login it never asked for user approval, instead it redirects to the website with the user profile.
Example: After login it supposed to ask the below message.
(source: akamaihd.net)
What settings I need to do to display user-approval (like above confirmation) before retrieve user profile and redirect to website. It asked one time when I started testing.
You dont need to set anything to get this dialog. It's by default and is opened if a new user tries to authenticate the app. Since you have already authenticated the app, it's not shown the next time (why should it be right?)
You can try removing the app from your applications and then try to login, you will see the dialog again OR change the set of permissions your app is asking, you'll see the dialog in that case also.
So, the auth dialog is shown only once to a user unless the user removed the app or any new permission is added in the scope.
I created a web app that allows users to connect their google calendar using OAuth2. And so far everything is working the way I've wanted it to be. Now my concern is, when a user clicks the link to authenticate his account, I want it to forcefully redirect to the google login page. Right now, when he clicks the link and his google account has an on-going session in that specific browser, the login page no longer appears. Is there a way to do that? Thanks.
If you set the parameter approval_prompt to force, you should be able to forcefully show the auth screen every time. More details about this parameter are documented here.
the only way to do that is to force a full logout from that client (browser, app, etc). You can do that by using:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue= and add the redirect as "continue" parameter.
This will logout from everywhere so the user might not be happy if he/she didn't do that on purpose.
I would go with asking for permissions again if you want to make the users "feel" like they are actually login into your app again (i assume that why you want this approach).
Google also has a "switch user" option, but I haven't use it and it's really hard to know if the user will be asked for user and pass or the user will be automatically authenticated because he/she is already logged in another tab in the browser.
I've managed to have an user sign in for my website through Facebook. It works this way:
User goes to my website and chooses to sign in with Facebook
Users goes to Facebook to authorize my app
If the app is authorized, the user comes back to my website and gets registered into my database
The user remains logged in via a cookie set by my website
I store these pieces of information from Facebook: username, email and ID.
What should happen if:
User logs out from Facebook and is still logged into my website? I still have that cookie and session that lets the user remain online, so even if the user isn't logged on Facebook, my users still can benefit from my website. Is this behavior normal or should it be avoided?
An user removes my Facebook App from his authorized apps list? The user is now part of my database, but the user removed the app from his account. How should I deal with this? How can I check if the App->Website connections are still valid for that user? If an user removed the app from his account, should I also remove him from my database? If yes, again, how do I make that check?
There are quite a few other things that are puzzling me and I think I should dedicate another question to those later on.
I'm using Facebook PHP SDK for all these tasks.
P.S: I only use Facebook as an authentication method for my website, nothing more.
To answer your question here are few things we do for the facebook connect
If user choose to create an account with the FB connect, we grab the
details like firstname,lastname, email, fb_userid and then save to
our database.
If the same user when comes user has to click on the FB login button and we check in our database if the API return fb_userid is in
our database and process the login and give access to the user pages.
So ideally we never store the fb_userid in the cookie and next time if the user comes just do the autologin.
Now what if user remove the app from FB, since we do not allow auto login by cookie saved data the user must click on the login button and then re-authorized the app. Since the fb_userid is already in our db, we detect the user after giving permission and let them login.
We have one advantage in our case , i.e. our web app requires monthly subscription so user has to pay for that. So usually people who do want to continue they come to our web site and cancel the account, we then remove the user info and that way fb_userid is also removed at our end. This makes us not to worry what if user remove the app from their FB, since if someone has to cancel they will do it from our website since they are in monthly recurrent billing.
I suppose in your case its not as above point, so you can do the following without violating any terms and conditions
Do not store the session in cookie and make user login with FB button
each time they come to your website. Also make a small note on your
website next to FB login button as "what is this ?" as may be a tool
tip and mention that the website will store the users fb_userid and
this will not be shared with any 3rd party.
Also mention that in case they remove the app from their facebook the id will be still there in our database and create
a cancel account page where user can cancel the account, but that
needs the user to be logged in. Once they cancel the account remove
the FB id from your DB.
Finally I dont think any API call could be used to see if the user has removed the app for offline users, but people who have logged to your site using the FB connect different permissions could be checked as
$permissions = $facebook->api( "/me/permissions" );
If the app requires Facebook, then you need to test the cases you mention and generate appropriate error messages. Beyond that, you just provide obvious ways for your user to clean up, like a working uninstall command.
I want to update my site so that it can be linked to facebook users. I have a database and use mysql for the original login system. I now want to replace that with facebook. Thing is i want to still run my checks, i dont just want any facebook user to log in, only ones that get entered into the database. The only way users can access to my site is with a .edu address. How would i incorporate this along with the facebook plugins? Facebook has two options for the login-sytem, JAVASCRIPT or Server-side scripting. I just want to know the best practical way of doing what i want to do. Thanks
You have to do a 2-step login process then. First, validate the user's address (.edu or not), then Login with facebook. Not a good design, but both needs to be separated.
I hope following step will be helpful to you
Go for Login With Facebook
Take Extended Permission from User (email,read_stream).
Once you get Permission from user get user's facebook id using getSignedRequest() or FB.getLoginStatus.
Get user's information using graph api (i.e. https://graph.facebook.com/btaylor)
Get email id from response and check for valid user email (.edu).
If email Id is not .edu (Destroy user session and show invalid message)
I have a problem of thinking of how to integrate 3rd party login (also do silent register) on website where already is used regular login/register system.
Basically current login is quite regular:
As user enters website session
class determines if he need to
re-login.
When user login all kind of sessions and cookies are set and
user get access to restricted areas.
Users table in mysql has quite a lot fields also password fields.
What i wondering is how you create user entry in the same database table if it's not there and do full (silent) register for that facebook user.
Well i'm not sure what you mean by silent register, but you can simplify your regular signup process if the user is connected to Facebook.
This is what we do:
When a user comes to our website (unauthenticated - no cookie set in browser), we check to see if this user is connected to Facebook
If the user is connected to Facebook and has connected before, we "sign them in" to our website
If the user is connected to Facebook and has not connected before, we do a call to the Facebook Graph API to grab some user details (name, email, etc), redirect the user to our signup page and fill in most of the details using the Facebook info we just received.
We have a seperate database table for Facebook users - we store the Facebook Unique ID and the user's email address.
The email address is very important - this is what we use to perform a single sign on, as the user's Facebook email address should match the email address for the website.
OpenID is a safe, faster, and easier way to log in to web sites.
:D
use open id ...
there is many lib in this address http://wiki.openid.net/w/page/12995176/Libraries
each user can login with user in facebook and gmail and you must give each user id and relation models for access
I am also new to this but got some idea how to do and i would like to share it.
You can use the Javascript API provided by Facebook, Google+ etc to make login into the site. The API has in-built methods which invoked for authentication and pulling data from the user's account(which is customizable what user data to pull). In between the javascript code you can write ajax call to your server script with user data(got from the third party server) for making the user signup or login into your system, what ever want to do.
Yes the configuration of all these are bit headache :-(