OAuth2 (NOT SDK) + Facebook - Not showing the permissions to user - android

I tried the following URLs and all work:
https://www.facebook.com/dialog/oauth?client_id=%s&redirect_uri=%s&display=popup&scope=%s
https://www.facebook.com/dialog/oauth?client_id=%s&redirect_uri=%s&scope=%s
https://www.facebook.com/v2.5/dialog/oauth?client_id=%s&redirect_uri=%s&scope=%s
All 3 work: the first two return simple token results and the last one a JSON result with the token in it. I just use a WebView and let the user log in to Facebook via the WebView. All works fine and my app gets access to all data in the requested scopes.
Problem
The required scopes (permissions) are not shown to the user; the user just sees a login window and if he logs in in my app, my app gets a valid token. That's it. This way Facebook does not approve my app. I think the correct login flow should be handled by Facebook, and if I call the OAuth login URLs Facebook should redirect correctly and only return the token after they have asked the user if he wants to allow the required permissions.
So what am I doing wrong? Why are the permissions not shown to the user before Facebook returns the valid token?
EDIT:
Requirements: NO SDK, because I want to use a common OAuth2 flow for many social networks and cloud services, so I don't want to add the sdk for every single service...
Code
I just call the above urls and follow the redirects until I get a correct answer with an access token, that's it.

RFC 6749 requires that scopes be separated by spaces, but Facebook's implementation requires that they be separated by commas. This violation may be the root cause.
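To make the SDK-less flow from the question concrete, here is an added example (not code from the question or the answer above) that builds the dialog URL with the comma-separated scope string the answer describes and then parses the redirect the WebView lands on. Two things are additions beyond what the post does: a random `state` value that is stored before the dialog opens and checked on the way back (RFC 6749 section 10.12, the CSRF check a bare redirect-following loop skips), and Facebook's documented `auth_type=rerequest` parameter, which makes the permission dialog reappear for scopes the user previously declined. The client ID, redirect URI and redirect URLs in the test are constructed placeholders.

```python
"""Manual Facebook OAuth2 dialog flow: build the authorize URL, then parse the redirect."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

FB_DIALOG = "https://www.facebook.com/v2.5/dialog/oauth"  # API version used in the question


def new_state():
    """Per-request unguessable value; persist it (e.g. in app storage) before opening the WebView."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, scopes, state,
                        response_type="code", rerequest=False):
    """Return the dialog URL. `scopes` is a list; Facebook wants them comma-joined."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scopes),          # comma-separated, unlike RFC 6749's space
        "response_type": response_type,     # "code" (query) or "token" (fragment)
        "state": state,
    }
    if rerequest:
        # Documented Facebook parameter: re-show the dialog for previously declined scopes.
        params["auth_type"] = "rerequest"
    return FB_DIALOG + "?" + urlencode(params)


def parse_redirect(url, expected_state, redirect_uri):
    """Extract the code or token from the redirect the WebView reached.

    Rejects redirects that do not start with the registered redirect_uri, redirects whose
    state does not match the value stored for this attempt, and error responses.
    """
    if not url.startswith(redirect_uri):
        raise ValueError("redirect does not match registered redirect_uri")
    parts = urlsplit(url)
    # Token responses arrive in the fragment, code responses in the query string.
    data = parse_qs(parts.fragment) if parts.fragment else parse_qs(parts.query)
    if data.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    if "error" in data:
        raise ValueError("authorization failed: %s" % data["error"][0])
    if "access_token" in data:
        return {"kind": "token",
                "access_token": data["access_token"][0],
                "expires_in": int(data.get("expires_in", ["0"])[0])}
    if "code" in data:
        return {"kind": "code", "code": data["code"][0]}
    raise ValueError("redirect carried neither code nor access_token")
```

In the WebView, intercept navigation to `redirect_uri` and hand the full URL (including the fragment) to `parse_redirect`; treat any `ValueError` as a failed login rather than retrying with whatever token the page happened to contain.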

Related

Authenticate social identity federation user to AWS Userpool? - Android

We have used the com.amazonaws:aws-android-sdk-cognitoidentityprovider:2.6.8 SDK for the username and password based login and register flow, following the approach mentioned here: https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-integrating-user-pools-android.html. The sign-up and login process is working as required.
For Facebook and Google authentication through federation, we do not want to use the hosted UI for this purpose and are not using federated identities. We followed this link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html.
We have set up a user pool with an application client and a user pool domain.
Set up Facebook as a social identity provider.
Added the Android callback URL to mobile.
First Approach
We looked into the CognitoSyncDemo sample application. It was using federated identities, so we had to discard it. We are just using federation in the user pool.
Second Approach
We have used a WebView and load the below URL. The URL takes me directly to Facebook; after authentication, it returns me back to the redirect URL with access_token, auth_type, expires_in and id_token. But no refresh token.
URL https://yourdomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?redirect_uri=redirect_app_path&response_type=code&client_id="client_id"&identity_provider=Facebook
But there is a problem using this approach. I couldn't find a way to push the access token to the cognitoUserSession in the SDK which is managing a user session. So every time I sign up with Facebook (using the WebView), there is no session maintained in the SDK. Hence I am redirected to the login view again. How to ensure the Facebook user is authenticated and signed in by cognitoidentityprovider? How to create a user session in the SDK when getting the access_token and id_token?
Third Approach
We tried to use the Cognito Auth Demo https://github.com/awslabs/aws-sdk-android-samples/tree/master/AmazonCognitoAuthDemo. For this, we have to add another library, com.amazonaws:aws-android-sdk-cognitoauth. After clicking on sign in, it used to take us to the hosted UI. After looking into the similar iOS project, we made tweaks in the Android library project (com.amazonaws:aws-android-sdk-cognitoauth for Android). We added identity_provider in the URI for sign in. It then takes us directly to Facebook in a Chrome tab. After authentication, it sets the session in our application. But it has its own authentication object, which is AuthSession, whereas previously we were using CognitoUserSession for normal sign up. AuthSession does not have user attributes, nor does it offer any get user details or authentication handlers. If we use this approach, then how to link AuthSession with CognitoUserSession and manage the user session in the application?
Summary
In short, we tried the AWS samples, and they take us to the web-based hosted UI. We need to authenticate a user via Facebook to the user pool using only a federation identity provider. We need to maintain the session in the Cognito SDK without affecting our username and password based login flow. We want to open Facebook directly or in a WebView in our application on button click, authenticate the user and maintain the session in the application using only the Cognito SDK.
To connect to the user pool I had included aws-android-sdk-cognitoidentityprovider. But if you need to add social sign up, you need to add cognitoauth as well.
Ensure the Cognito SDK versions are the same, otherwise you might run into a compilation error.
As per the needs of the project, I need to pass the identity provider into the SDK so it could navigate directly to my social identity provider page. But the current SDK version '2.6.24' didn't provide me with this provision. I downloaded the android-sdk-cognitoauth SDK from the awslabs GitHub and included it in my project. I altered the Auth.java class and added an identity provider variable to it.
Next step, I altered the AuthClient.java method launchCognitoAuth. I placed an additional condition to check whether an identity provider is present or not, and if so set it in the sign-in URI.
    // Added to launchCognitoAuth: pass identity_provider through to the hosted-UI authorize URL
    // so the user lands on the provider's login page instead of the Cognito chooser.
    if (pool.getIdentityProvider() != null) {
        builder.appendQueryParameter(ClientConstants.DOMAIN_QUERY_PARAM_IDENTITY_PROVIDER, pool.getIdentityProvider().toString());
    }
After making the above alteration, I can configure the identity provider through my app in auth.builder(). The hack worked; I was directly navigated to my provider page. After authentication, the SDK set the session itself.
To sum up, I found a difference between the Android and iOS project implementations. In the iOS project, AWS has given provision to add the identity provider directly. I followed the flow of the iOS project and made the tweak to the Android cognito-auth project. The difference has been reported to aws-sdk-android-sample issues as well.
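The second approach in the question opens the Cognito `/oauth2/authorize` endpoint from a WebView with `response_type=code`, and the answer above adds `identity_provider` to that URL. An Android app is a public client with no client secret, so the code exchange should be bound with PKCE (RFC 7636), which Cognito's hosted endpoints support via `code_challenge_method=S256`. The following is an added example, not code from the question, the answer, or the AWS SDK: it generates the verifier/challenge pair, builds the authorize URL with `identity_provider=Facebook` and `state`, and builds the body for the `POST /oauth2/token` exchange that the question's flow never performs. The domain, client ID and redirect URI are placeholders; the user-pool domain format follows the question's URL.

```python
"""Cognito hosted endpoints from a public (mobile) client: authorize URL with identity_provider + PKCE."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode


def _b64url(raw):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier):
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Fresh verifier (43 chars from 32 random bytes) and its challenge; keep the verifier until exchange."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_cognito_authorize_url(domain, client_id, redirect_uri, code_challenge, state,
                                identity_provider=None, scopes=("openid", "email")):
    """URL to load in the WebView. `domain` is the user-pool domain, e.g. yourdomain.auth.us-east-1.amazoncognito.com."""
    params = {
        "response_type": "code",            # code grant; the token endpoint is what returns a refresh token
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # Cognito scopes are space-separated
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
    }
    if identity_provider:
        # Skips the Cognito provider chooser and goes straight to the named IdP (the answer's tweak).
        params["identity_provider"] = identity_provider
    return "https://%s/oauth2/authorize?%s" % (domain, urlencode(params))


def build_token_request(domain, client_id, redirect_uri, code, code_verifier):
    """(url, form body) for the code exchange; the verifier, not a client secret, proves possession."""
    return ("https://%s/oauth2/token" % domain, {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    })
```

The redirect from `/oauth2/authorize` carries only `code` and `state`; the `id_token`, `access_token` and `refresh_token` come back from the token request, which is why the question's WebView flow (which never calls `/oauth2/token`) sees no refresh token. Whether the resulting tokens can be fed into `CognitoUserSession` is an SDK question the answer above leaves open.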

Firebase Account Linking (Email/Password, Facebook and Google)

I'm trying to use the linkWithCredential function from Firebase Auth, but I'm not sure whether I'm using it and understanding it correctly.
We have a login page with 3 buttons in our app (Login with Email, Login with Facebook and Login with Google). When the user logs in with any one of the providers everything works great (with every provider and its sign-in method).
But when the user wants to log in again to our app with a different provider, we use the Firebase.auth.logout function and properly log him out from Firebase.
It appears that the user must still be logged in in order to link his account with a different provider.
Since the user is not logged in anymore I cannot use Firebase.currentUser, since it is null.
Do I need to get the current user's provider by email, sign in silently and then with that credential link it to the new provider? Also, it isn't clear whether we need to have "multiple accounts with the same email address" enabled in the Firebase console.
Is it possible to do that (linkWithCredential) without that option enabled?
Any help with examples on Android or iOS will be really helpful.

Google OAuth authenticate as page account

I'm lost on this one. The problem is simple: what is the correct, recommended way in Android of logging in a Google user as a page that they own (e.g. they first log in and are presented with which page they wish to authenticate as, to the app)?
The web solution is straightforward: Google's /oauth endpoint automatically redirects to a delegation page in which you choose your main account or the page you wish to continue as. The next page will have a pageId=... extra argument in the URL. As such, your authorization is linked to that specific page, not to the main account.
With Android, I'm completely lost. Every possible official guide out there is either deprecated, not recommended, or just simply, blatantly ignores this simple use case and only works with getting an OAuth token for the main account, without a word given to help with the case of users that own pages which can be used as their own identity under the user's account.
What I'm doing now (at the high level), using Google Play Services:
Start an activity intent via AccountPicker.newChooseAccountIntent
User selects an account on device.
Call GoogleAuthUtil.getToken to get an OAuth token. This triggers the basic OAuth flow which asks the user to authorize the app, with NO ACCOUNT SELECTION at this step, unlike the web flow!
What I looked at:
Google HTTP API Client: this one recommends using Android's AccountManager and never using a "custom" solution to save any refresh tokens, etc. Completely useless for the use case.
Google Sign-In: this one seems to require a server endpoint (wtf?). I tried using it and adding the OAuth scopes I'm interested in; it didn't even work. I'm not interested in the user's email, and this API seems to be oriented towards signing users up rather than authenticating as a Google one.
Other apps I looked at seem to just open a WebView and force the user to log in in that, which triggers the normal web flow, with account/page selection after login. I really don't like this since it requires a separate login.
Is there an official stand on this issue and I'm not seeing it?

How logout works in Facebook SDK Android

I'm a bit confused about how facebook.logout(context) works.
Because even after calling log out, I am able to get access to information that requires an auth_token. So how is that even possible? I came across this topic, which left me a bit confused: https://stackoverflow.com/a/6597688/487940
After reading that answer, this is my question: so if the user grants access to [my] application, will he always be authenticated if he is logged into the [official] Facebook application? Even if I try to call facebook.logout(context) in [my] application, will he be logged in and will my application be able to make calls to the Facebook API?
Sorry that I'm not able to understand this behavior.
UPDATE: After reading Torid's response, I am confused about the facebook.logout() function. What is the purpose of this function if it does not log the user out? Because I don't see the purpose of calling this function anymore. It doesn't log the user out.
There are two independent things going on here: 1) whether your user has authenticated your app (with permissions) to Facebook and 2) whether your user is logged in to Facebook.
Authentication is required the first time your user uses your app and lasts until the user explicitly de-authenticates (e.g. through the Facebook web Account Settings -> Apps -> App Settings).
Login may be required each time your user starts your app. But if you use the default SDK authorize(), that tries to do a Single Sign On (SSO), where if the Facebook app is logged in, your app is automatically logged in and uses the existing access token.
If you are using SSO, when you do a logout, that has no effect, as a real logout would have to log out the Facebook app, which the user might not like!
You can get around this behavior by doing an authorize of the form
    authorize(this, PERMISSIONS, FORCE_DIALOG_AUTH, new LoginDialogListener());
which avoids SSO and forces a dialog login. Of course, that then forces your user to log in each time you start your app, unless you save the login details / access token under the covers (which is what the SDK does; check the source).

Android: facebook sdk logout problem?

Hello, I am using the Facebook SDK for Android on my Android phone and using single sign-on. It works fine: when I am logged into the Facebook application, my application is also signed in.
For logout I encountered some confusion.
The way I implemented it was to restore the access token and expiry date from the user preferences of the application and check the validity of the session. If expired, the application calls the facebook.authorized function, and once authorized the access token and expiry date are updated again.
There are a few things I find a bit confusing when dealing with the logout.
1) When I log out from the Facebook application, my application can still get through and request the user details. Although my saved access token in my application has no relationship with the Facebook application, I thought it would at least give me an error when requesting the data. But it hasn't given me the error.
Is it supposed to be acting like that? Signing out from the Facebook app does not affect the access token I have stored in my application.
2) When I log out from my application and not the Facebook application, the Facebook application won't automatically log out.
The Facebook access token and your app access token are separate and distinct, so it is entirely possible that one can be valid and allow access while the other is not valid and will require re-authorisation.
If the Facebook app is logged in but your app is not, then the Facebook SDK will use the existing Facebook app login to obtain a new access token for your app without authenticating, but this is still not linked to the Facebook app login token in any way.
If the Facebook app is not installed, or not logged in, then the Facebook SDK will take you to the Facebook website to do the initial authentication, but this does not log the Facebook app in because there is no connection between your access token and the Facebook access token.
So, in summary - your understanding is correct. There's no interaction between the two apps except for when your app tries to authenticate a user, then the Facebook app will act as a proxy, allowing you to gain access without authenticating so long as Facebook is logged in. After that, there is no further interaction and what you've observed is expected and intended behaviour.
I have the same problem. I'm thinking about creating an "isLogged" variable and storing it, so that when someone logs out and restarts the app it will not even verify whether the user is logged in, bypassing Facebook's session verification.
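Both answers above make the same point: the token your app stores and the Facebook app's own login are independent, so "logging out" of your app only means forgetting your copy, and the token itself stays usable until it expires or is revoked. The comment's "isLogged" flag fixes the UI but leaves a live token on the device. This added example (not code from either thread, and not the Facebook SDK's implementation) models what an SDK-less app should do on logout: check expiry on the stored token, and on logout drop the local copy and also revoke the grant server-side with the Graph API's `DELETE /me/permissions`, which de-authorizes the app for that user. The HTTP transport is injected and faked in the test so it runs offline; the store, token values and timestamps are constructed.

```python
"""App-side Facebook session: the app's token is independent of the Facebook app's login state."""
import time

GRAPH = "https://graph.facebook.com"


class AppSession:
    """Holds the token this app obtained. `store` is any dict-like persistent store
    (on Android, a SharedPreferences wrapper); `now` is injectable for testing."""

    def __init__(self, store, now=time.time):
        self.store = store
        self.now = now

    def save(self, access_token, expires_in):
        """Persist the token with an absolute expiry computed from the dialog's expires_in seconds."""
        self.store["access_token"] = access_token
        self.store["expires_at"] = self.now() + expires_in

    def token(self):
        """Return the token only if present and unexpired; None means re-authorize.
        Note this says nothing about whether the Facebook app is logged in: the two are unrelated."""
        tok = self.store.get("access_token")
        if not tok or self.now() >= self.store.get("expires_at", 0):
            return None
        return tok

    def logout(self, http_delete):
        """Local logout plus server-side de-authorization.

        Clearing the store alone only makes this app forget the token; the token stays valid
        until it expires. Calling DELETE /me/permissions with it revokes every permission the
        user granted this app, so a copy left elsewhere is useless afterwards. Either way the
        Facebook app's own login is untouched. `http_delete(url, params)` is an injected transport
        (constructed for this example) expected to return the decoded JSON body.
        Returns True only if Facebook confirmed the revocation.
        """
        tok = self.store.get("access_token")
        revoked = False
        if tok:
            try:
                resp = http_delete(GRAPH + "/me/permissions", {"access_token": tok})
                revoked = bool(resp.get("success"))
            except Exception:
                revoked = False  # network failure: still drop the local copy below
        self.store.pop("access_token", None)
        self.store.pop("expires_at", None)
        return revoked
```

If revocation fails (offline), the local copy is still cleared so the UI behaves as the comment wants, but the app should retry the revocation later rather than assume the grant is gone.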
