I am having a problem obtaining the twitter users access token and secret token without sending a username and password. I would like to get the access token by just sending the twitter_id, once the user has already authenticated my application before.
So the scenario is:
A user logs into my site (using custom login), he already gave my application permission to read/write his tweets. Now I need to load this users access token and secret access token.
Database:
CustomUID : 1 , Twitter_ID: 123456.
So Since I know CustomUID 1 is logged in, I need the access token/secret from Twitter_ID:123456.
The Problem is I canĀ“t find an API function that would let me get the access token without being redirect to Twitter Callback function (Twitter landing page), where the user has to type in his/her username and password, once again because the Request Tokens are obtained by the URL.
How can I solve this problem? I am used to the Facebook API, where user which have already authorize my app, allow me to receive their accesstoken just bei sending getAccessToken($ID).
Thank you very much for help!
You have to save, possibly in your DB, the OAuth token and access token after the first time the user authenticates. Then retrieve the token the next time you need to perform a query on behalf of that user.
Related
I have set scopes as follows:
openid profile
offline_access
User.Read Mail.ReadWrite
Mail.Send
Calendars.ReadWrite
Contacts.Read
I want a permanent access token so that I don't need to login again and again.
Help me out, how can I use a token in the login api to get permanent access?
Thanks in advance.
Graph API provides two authentication flow:
1. Get access on behalf of a user
2. Get access without a user
If you want to run the Outlook API in background service(not all app need user signed-in, based on actual demand), you can use the authentication flow #2. By using this way, end user do not need to request Token explicitly, so it look like permanent access token, until the Microsoft/Azure need the admin consent again.
If you want to run the Outlook API just for signed-in user, you can use the authentication flow #1. After get an access Token, store the access Token and Refresh Token in the Token-cache and use the refresh Token to request new Token while the access token lifetime expires. If both access/refresh token have expired, the user need to sign-in again to re-grant permission.
I am using the facebook JS sdk to login a user. These are the steps that I follow:-
1) I use the FB.login(...) to get the details of the user.
2) Now, after receiving the details from Facebook, I send a POST request using jQuery's $.post(..) function to a php page say FBUser.php with the parameters - name,uid(Facebook User Id),email and access_token for publish_actions.
3) Now in the FBUser.php page, I do all the stuff like converting the short-lived-token to long-lived and then I check that if the uid received is present in my users table. If it is not, I create a new user, else I log in the old user. Today, I just realized that I was making such a big security compromise because anyone can send a POST request to the FBUser.php page with a uid of an existing user and get access to his account. But, on the other hand I am sure that some big websites also use the JS SDK. So obviously, I am wrong somewhere. What would be the correct procedure to log in the user securely and preventing his account getting hacked?
You should match the app and user id first, then you should check the access token, like this:
graph.facebook.com/debug_token?input_token={token-to-check}&access_token={app-token}
You can get the app token from https://developers.facebook.com/tools/accesstoken/
You can get the uid of the user using the access token that was sent to you, by using this token to access Facebook graph and query "/me".
You shouldn't relay on the uid that is sent by the client. My application only receives the access token and gets the rest of the data from a server-to-server call.
i use open graph for access member to register and login with facebook account in codeigniter, and i have idea to create automatic password with access token for every user, but i dont exactly know is it access token facebook is static or will different every time user access with other IP or something?
Thankyou
The access token is valid for 2 months (if you request an extended token, otherwise only a few hours). It will remain the same until the user deletes the app from his/her account or changes his/her password. Then you need to re-authenticate by sending the user to FB again through your app.
IP address does not matter.
I'd just like to ask about a problem I'm facing with Facebook Graph API.
I've connected to Facebook successfully, stored the user ID, and user access_code into my DB
Now when viewing the site I'm building, it's using the access_token stored in my database, but doesn't show my facebook statuses....because the "session has expired"....
Is there anyway I can regenerate the access_token?
Thanks
Example:
$status = 'https://graph.facebook.com/'.$userId.'/statuses?limit='.10.'&access_token='.$app_token;
User access tokens last only 1-2 hours. There is a technique to get a 60 day token for your use. It is explained here: http://dominicminicoopers.blogspot.com/2012/03/facebook-access-tokens-and-offline.html Remember to get this extended access token prior to the short-lived access token expiring. You must pass in a valid working user access token to pass to it. Do this serverside, not clientside because you have to use your app secret.
https://graph.facebook.com/oauth/access_token?
client_id=[APP_ID]&
client_secret=[APP_SECRET]&
grant_type=fb_exchange_token&
fb_exchange_token=[EXISTING_NON-EXPIRED_USER_ACCESS_TOKEN]
Remember to ask for the user_status permission when prompting the user. See: http://developers.facebook.com/docs/authentication/permissions/#user_friends_perms
You cant regenerate it, but you can get a new one by having the user go through the oauth process again, it will return a new token - https://developers.facebook.com/docs/authentication/
You can try to get a long lived token. That will allow you to access the status even when the user is not loged in.
See here
I've implemented the oAuth in php (currently for twitter) and as I've read in several tutorials you should store the access token in db for future use. However I don't see how you know if you have the access token stored for a particular user to decide if you should pull it out of the db or regenerate it. Here's a flow describing my question:
First time user signs in:
get request token
send user to provider's authentication page
user returns to callback url with oauth token and oauth verifier
get access token
save access token/user_id/screen_name on db for future use
User returns 10 minutes later:
access token is still in server session vars if user didn't log out. else, repeat process.
User returns 1 month later:
get request token
send user to provider's authentication page
user returns to callback url with oauth token and oauth verifier
( at this point I only have oauth tokens, how can I know if the user has previously logged in with twitter and pull their access token from db? )
if it is the user's first loggin, generate access token.
The main workflow for oAuth is clear, however it is not clear how to handle returning users and which data should be stored or not.
A million thanks!
You should not regenerate token for each access. Generate it only when it's expired. I've build twitter application using OAuth. Here my flow:
when user login, I will check if they have token in DB
1.1. If it's not exists, authenticate them and then store and use the resulting token
1.2. If it's exists, use it.
1.2.1. If twitter doesn't complain, then the token still valid, use it.
1.2.2. If twitter complained, then the token is expired. Return to 1.1.
1.2.3. If after x retry twitter still complained. Something wrong, notify admin!
Here's the graphical explanation:
The only thing I believe is missing here, is generate a random (long and unguessable) user id first time the user joins the system, and store it forever. this way you can tell who's taking the actions