I am using FB SSO for an Android App and I would like to use the Facebook ID to authenticate my users when they upload data to my server. I imagine I should send the OAuth token when making the call to the server. Any examples out there that could help me get started?
Thanks for any pointers.
I have faced the same problem a while ago.
In the end, I did it using the following way:
I get the token via Facebook Android SDK and pass it to my server with the users email address and facebook id. Server tries to get users email address using the token. If the email addresses match, the user has authenticated.
Can you please clarify further, you want to authenticate user on your server via Facebook ID? The access token received via SSO will allow you to call graph apis, FQL query etc. which may require special permissions depending upon what you want to do.
More on Android SDK: https://developers.facebook.com/docs/guides/mobile/#android
More on Permissiosn: https://developers.facebook.com/docs/reference/api/permissions/
Related
I am building an Android App that requires users to log-in by their Facebook (so we can get their profile picture and albums). It works great by using the Android Facebook API. After I get the access token from the API, I can get the information that I want and also post feeds/photos by the App.
However, I now need to build the remote function for this App as well, which means the App should talk to our server for managing his own information and fetch other information.
I plan to manage users in our server by also the Facebook API. Specifically, I am using .net + Facebook authentication:
.net Facebook authentication
It works ok. Basically, when people(or my App) visit the url on our server, a response from Facebook will ask user to log-in and then my server can get user's identity.
My problem is, in this case, the users seem to handle the log-in "twice" (one for Android Facebook API and one for remote server Facebook API). Is there any way that I can just do it once? For example, once I get the "access token" by the Android Facebook API, can I pass that "access token" to my remote server (maybe via the post header?), and then my server will be able to talk to Facebook via the same log-in identify. (I prefer using the Android SDK because it allows users to skip entering the password if the user has the Facebook app installed)
I am wondering if anyone can give me some suggestions to achieve this function. I notice there is something called "JWT Bearer Token" seems fit my need but I am still looking for tutorials of using this with Facebook API.
I have an andorid app and i am trying to implement linkedIn login in it.
LinkedIn SDK has been successfully integrated and i am getting user information as well along with the email address.
Here is how my application works for google login :
1) get access token on mobile
2) send email address with access token to server
3) fetch details of users with access token i received via webapi of google.
4) if the response email matches with the email received from mobile device then check for account exists or not of that email address . If not create account and login other wise login.
Problem with linkedIn :
The access token i have received belongs to mobile sdk and i cannot use the same token to make REST API request. (as per documentation)
Mobile vs. server-side access tokens
It is important to note that access tokens that are acquired via the
Mobile SDK are only useable with the Mobile SDK, and cannot be used to
make server-side REST API calls.
Similarly, access tokens that you already have stored from your users
that authenticated using a server-side REST API call will not work
with the Mobile SDK.
So how to verify details in step 3) i mentioned above on my webserver ?
Is It a disaster ?
I am sure there has to be a way to do what i am trying to do, as there are many applications which let their users login through linkedin on their mobile apps.
Because if its not possible then anyone can easily change the email address the mobile app is sending to webserver after receiving from linkedin and i can login with any email address i want by doing that.
Like you said, you can't do it.
Instead you have to use a different approach, get the required info on the device, returned by LinkedIn and send it to your server. Use HTTPs connections to avoid MITM attacks.
If you app is downloaded from official information shouldn't be modified on device.
ANOTHER SECURITY MECHANISMS:
If you want more security, you could for example encrypt data on server, send HASH to mobile, use your LinkedIn token to consult information and with another algorithm compare that data received is the same.
But I think that this a too expensive mechanism that should be resolved only using HTTPS connections and not downloading the APK from non official stores.
The docs state clearly that you can't use the AccessToken obtained from the Android SDK to make your own REST API calls.
However there's a way to make REST API calls with the mobile SDK, check the Making
Authenticated REST API calls
from here: https://developer.linkedin.com/docs/android-sdk
If you want to retrieve the user profile info, you'll have to do it using the mobile SDK.
I'm making an Android app that authenticates users via the Facebook SDK. However I also need to authenticate to a remote server in order to pull in new data for this user.
What's the best way to do this?
Should I send the Facebook token to the remote server, then on the server use this to verify it's a valid token for this user and thus confirm the user's identity?
Should I do the previous, but generate and send back my own token for the user to use in the future?
If I later add Google authentication would something like this also work?
Thanks!
IMO, the best way would be
Authenticate user to Facebook from Android application
Get the FB auth token to the android app
Forward the authentication token & facebook UID from Android to web server
On web server, make Facebook API call with the submitted token, to verify the user
I'm developing a webapp+android app that has its own registration flow - simple authentication using email and password.
I easily integrated the facebook login from the website, following the second scheme in this page.
Now, I need to 1-click authenticate the Android application with facebook. The main point is that, after the Android app is authenticated, i need to send from my server some specific cookies that are needed for permissions checks when the user wants to do some operations.
The problem is that I cannot authenticate through the facebook token: from what i see, the token would work even if it was taken from another application, so I cant send private data trusting only the fb token (even if it was sent by SSL), since it could be another app pretending it's the user.
Is there any registration flow similar to the one above for authenticating android apps?
Or there is any advice to overcome this issue?
Ok, facebook has fixed this by deprecating the offline_token and providing a longer access token from the client. This Token can be validated server side against my app id and app secret with this new endpoint:
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
so I can be sure about the user identity.
I'm developing an Android app as well as a website (that does have communication with the Android client as well). I want to use FB login, but the problem I see is this:
Client, Use FB login and then gets an access_token.
How does Client and Web Server communicate just using this access_code since the Web Server needs to know which account the Client is referring to. I also want to implement FB login on the web site as well.
One method I was thinking was:
Client Login:
1) Use FB login and get access_token.
2) Use access_token to get some User info.
3) Give access_token and User info to web server.
4) Web server also performs the same FB operation with the access_token and retrieves the User info.
5) Validate the User info matches and determine the user account based on that.
6) Establish another access_token between Client and Web Server for this link.
Does this even make it any more valid or perhaps just doing the login and retrieving the user email address as the actual account and tell the Web Server this is the account to use.
Or has someone done this in another way?
For the communication between your client/server you should use your own client Id.
Don't relay on the access_token facebook gives you because it changed in several scenarios.
Getting the email is also not a full solution because users can decide not to give you their mail.
In general you need to implement Facebook Connect on both sides.
1.Connect to facebook
2.Get permissions from the user (read about permissions here: http://developers.facebook.com/docs/reference/api/permissions/)
3.Register it as your user and give him an id (you can use facebook uid if you want).
When the user returns to your site/app you need to login him again, get his uid and query your server for the user details.
One thing about the access_token, you need it to query facebook's api. you can get it from facebook every time a user login to your site/mobile using facebook or you can request the user for offline_access permission and then you'll have the same access_token until the user changes their password at facebook etc. (read more about it on the docs).
This method allows you to query facebook api's although the user isn't currently logged in to your site.