My question is almost the same as this one, but I can't find the answer there.
I just want to show my Facebook albums on a PHP page.
I know that for my site to access a Facebook user's info, I need an Access Token. As the username and password will always be the same, I'd like that my site (or app) could send these informations directly to Facebook and get an Access Token, without any user interaction. I've read this process as a OAuth Username and Password Flow.
Is it possible with Facebook?
No, I do not believe has an OAuth Username and Password Flow.
Each flow by Facebook requires the user to manually grant the app access.
Related
What I'm trying to do is basically have a system that allows people to post to Tumblr via this website using Tumblr's API. I think it would work something like:
Get the user to grant our application permission on Tumblr; get the token and secret from Tumblr.
If this user has never authenticated before, store the OAuth token, OAuth secret, and the user those belong to in a database.
If the user has authenticated before, check the OAuth token and secret that Tumblr just gave us against the ones already stored in the database to re-authenticate this user.
So, do I need to re-authenticate with OAuth on every single page? Or in other words, I need to contact Tumblr every time the user loads a page to make sure they're still the person they say they are?
I am always reading about Facebook and Twitter logins for someones website.
The integration using one of theses services is okay, but my questions is how can I access both API´s for one user.
Example:
User is logged in on my website (active session). Now he somehow has to grant me access to his user details etc. on facebook AND twitter. How do I realize that? I don´t want him/her to type in his facebook or twitter credentials everytime he logs in to get his access token (oAuth).
How do I get my own oAuth user access token after using my websites login, so I can interact with Facebook and Twitter´s API.
Is this correct?
Thank you very much, if you can help me.
Facebook
When someone logs into the Facebook account, they stay logged in until they actively log out.
The way to test for this is:
FB.getLoginStatus(function(response){
if response.status === 'connected'{
// The user is logged in
var access_token = response.authResponse.accessToken;
// Do whatever you need to do
} else {
// Get the user to log in
}
});
See here for more details:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
Twitter
The process is a little more complex for Twitter, but if you only want to display tweets, consider Web Intents.
Otherwise, follow these steps:
https://dev.twitter.com/docs/auth/3-legged-authorization
Both platforms have the ability to check whether or not the user is logged in first, so you shouldn't have to worry about someone having to log in every time they use your site. However, you cannot use the same oAuth token on both sites - you must get a separate one for each.
Each individual API will need a popup to authenticate, which will redirect to the appropriate api for authorisation, and then once you have the token after the authorisation redirects back to your popup.
You will then end up with a token that you can pass back to the calling page "window.opener" and store the token for that api in a Javascript variable by alling a Javascript funcation on the main page.
window.opener.getInstagramData("self", oauth_token);
Each authentication needs to have its own token and needs to be a button that the user should click on.
I am using this method to get Facebook, Twitter, LinkedIn Foursquare and GooglePlus account info.
Hope this helps.
I've set up a facebook login for my site, using the faceboko php-sdk example.php method. It's working fine, but I want a user who has already allowed my site once to be automatically logged into my site, if they're logged in facebook.
Currently, if a user who has previously 'allowed' my application visits my site while logged in with facebook, they need to click login with facebook, then they are redirected and logged-in. Even though after that click, they don't need to provide any credentials or anything. Thus I would just like this step to be removed and for a user to be automatically logged in.
I hope that makes sense. Thanks
This is discussed on their site.
http://developers.facebook.com/docs/guides/web/#login
Facebook Platform uses OAuth 2.0 for
authentication and authorization.
While you can add login to your site
using OAuth 2.0 directly (see our
Authentication Overview), the open
source JavaScript SDK is the simplest
way to use Facebook for login.
[...]
In order to log the user into your
site, three things need to happen.
First, Facebook needs to authenticate
the user. This ensures that the user
is who they say they are. Second,
Facebook needs to authenticate your
website. This ensures that the user is
giving their information to your site
and not someone else. Lastly, the user
must explicitly authorize your website
to access their information. This
ensures that the user knows exactly
what data they are disclosing to your
site.
http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
By testing for the presence of the
session object within the response
object, you can be sure the user is
known to your application and you can
begin to make further calls to the
Facebook APIs. If the session object
is not present, the user is either not
logged into Facebook, or has not
authorized your application.
http://developers.facebook.com/docs/authentication/
Check the client side flow section to see when you get the authentication token you need to be passing around.
If the user is already logged in, we
validate the login cookie that we have
stored on the user's browser,
authenticating the user. If the user
is not logged in, they are prompted to
enter their credentials
I want a PHP script that
logs into facebook with userid and password.
posts on the wall of a page.
Logs out.
Is it possible?
I am using php-sdk to post on the wall right now. But for that I have to log into my facebook account from the browser.
It violates facebook developers TOS.
The only possible way to authenticate user - is to use regular API and regular authentication form.
UPD:
You could ask offline_access permission from the user. After that you'll have permanent tokens and will be able to post any time you want.
I am new to oAuth and looking to build a web application using Twitter (oAuth) to authenticate. There will be no other login method other than via Twitters oAuth. I am looking for advise on best practice to secure the site based on tokens. Here is my plan:
User is taken from my site to authenticate via Twitters site
Generate Access token for user
Get the users unique Twitter id via Twitter API
Do a user lookup in local db with this id and locate access token if available.
If no user, create new row in user table and save against the user. If user found, update access token agains the user record.
If the user is found, md5_salt the twitterid and set as a cookie.
If the user re-visits, lookup user based on cookie
Does that sound like a secure approach or is using the md5 twitter id a bad idea?
Appreciate any comments.
Without knowing exactly what your client/consumer application is doing, it is hard to tell whether this approach will be "secure".
One problem I see, is that once you have an access token from twitter, how do you identify your user if the cookie gets deleted? Or would you require them to get a new access token? This would mean that they would have to both login, and authorize your application each time.
Also, an access token for one user of your app. can be stolen and used by another user of your app. since it works just like a password AND you have no authentication on your side to verify your cookie saved access token.
To answer your question then, I would have to say that using oauth as the only authentication provider, no matter how you do it, is not a best practice.
In order to be secure both the client (consumer) application, and the server (provider) application, need to verify the identity of your users. The easiest way to do this is with a username and password which are stored in your users head, and not on file somewhere...