I am able to verify a facebook access token from users by querying this endpoint
https://graph.facebook.com/debug_token?input_token=&access_token=
This means that I have to either request an app access token every-time I need to verify a request or get a long lived token and remember to renew it when it expires. Can I do something like this instead?
https://graph.facebook.com/debug_token?input_token=token&app_id=appid|appsecret. I have tried this but it does not work. Any suggestion would be welcome.
It turns out there are two types of app access token. The one I was interested in was the long lived token which does not expire until the app secret is changed. It is generated by issuing a server call to facebook graph endpoint like this.
curl -X GET "https://graph.facebook.com/oauth/access_token?client_id=appid&client_secret=appsecret&grant_type=client_credentials".
The response will be in this format: appid|apptoken.
Using that unique combination, you can query any endpoint requiring auth like this.
https://graph.facebook.com/debug_token?input_token=usertoken&access_token=appid|apptoken
Related
So I've been trying to use Djoser JWT and I don't know how to login in it. As far as I know you create a request with your login credentials to this url /jwt/create/ and get the access and refresh token and maybe get the user object from /users/me/. This is where I got stuck, where do I go from here?
You correctly understood the first step of the process. Basically, you can now:
Add the access token in the header of your next requests.
This will transparently authenticate the user thanks to the Simple JWT plugin and you will be able to access him with the usual request.user in the views.
Refresh the access token each time you get a 401 response.
The access token is supposed to be short-living for security concerns and a 401 response from the server indicates that the one your are using is expired. So you have to get a new one by sending the refresh token to the token/refresh/ API and, then, make your request again.
You can read this article if you need more detailed explanations about this process or JWT.
I encounter a problem about to verify facebook user id and access token. In the app you need to register with facebook to get started. When an user get authenticated with facebook, we send the token and user_id to backend to insert into related table. But we have to know that the token belongs to the user. We saw a couple soution about it:
https://stackoverflow.com/a/8608017/1664109
And this
https://stackoverflow.com/a/20518868/1664109
So how to verify a token and user_id without send request to facebook ? Is there a way ?
based on Facebook's documentation:
as Facebook makes changes to what is stored in them and how they are
encoded.
I would say it's not possible to reliably "parse" a token.
Without sending a request to Facebook? No. But you can use the Access Token with a call to the /me endpoint. You will get the ID, and you can compare it to your stored one.
The Twitter OAuth 1.0a flow requires authenticated request token to be exchanged with access token at consumer or client side after user has authenticated.
The problem that I'm facing is that generating access token needs authenticated request token, request token secret and verifier but the response from the oauth/authentication api doesn't have request token secret. So how do I temporarily save request token secret from oauth/request_token api call so that I can use it in oauth/access_token api call.
I found some solutions from my explorations like Running a Cache server (Memcached, Redis) or using django session feature. But they all seem to be overkill for this task.
I hope to find a simpler solution.
I'm sure you long ago figured this out, but just for future goolers: I decided to a go a more low tech route and create an OAuth token class which includes fields for the fetched and access token. Basically I take the fetched token, store it, then recall it when accessing (as it's in a different view) and then save the access token. Once (if) that's successful than I delete the fetched token.
There's likely a more glamorous way to do this, but if you're clever with your naming convention you can easily keep them straight (i.e. add a CharField for provider and just save the fetched token as twitter_fetched, and the access token as just twitter).
This has the added benefit of allowing you to create an OAuth1 or OAuth1Session from the stored access token.
With the old Facebook access tokens (Oauth1) it was possible to get a user's Facebook ID and the token's expiration without passing anything to the server.
Is this possible with the new Oauth2 tokens? Is there any data you can get from the token itself?
I know you can pass at token to /me and get lots of info (assuming the token is still valid) but I am interested in if there is any way to do this exclusively on the client without a network connection and/or with expired tokens.
In short - No!
You need to hit the https://graph.facebook.com/me endpoint with the access token even to get the Facebook ID, you cannot do anything with the access token on the client.
I'm planning out adding Facebook integration to a web app I'm working on. For the most part, it's proceeding smoothly, but I am confused on the proper way to handle the OAuth token.
The sequence of events presented by Facebook here is:
Ask the user to authorize your application, which sends them to a Facebook window.
This will return an Authorization Code generated by Facebook
You then hit https://graph.facebook.com/oauth/access_token with your Authorization Code, which will give you a time-limited OAuth token.
Using the OAuth token, you can make requests to access the user's Facebook profile.
Facebook's documentation has the following to say about token expiration:
In addition to the access token (the access_token parameter), the response contains the number of seconds until the token expires (the expires parameter). Once the token expires, you will need to re-run the steps above to generate a new code and access_token, although if the user has already authorized your app, they will not be prompted to do so again. If your app needs an access token with an infinite expiry time (perhaps to take actions on the user's behalf after they are not using your app), you can request the offline_access permission.
When they say to re-run the steps above, what steps need to be re-run to get a new OAuth token? What data (Facebook UID, Authorization Code, OAuth token) does it make sense to save to my local database?
I would like to be able to have the user continue to interact with my site, and in response to certain user actions, I would like to be able to prompt to user if they want to post something to their Facebook wall.
The access token is time and session based and is unnecessary data to store and have no use after the user have closed the session.
The facebook uid is the only thing you need to identify the user.
Since the Facebook API sometimes is horrible slow you could store the username aswell.
But for identification, all you need is the uid.
The documentation that facebook provides has been updated since you asked this question. https://developers.facebook.com/docs/authentication/.