I made a website using Django.
The only way to log into it is the facebook login.
When I had to submit my app for review in the facebook developer console. They are asking me testing id and password. Since the only way to login is facebook, and it won't work till they test.
And they are asking how to open this website for testing. It's kind of a loop.
Is there another way out?
I don't want to use other ways of logging in (is in accordance with my idea)
I believe you can test your app with your own login credentials according to Facebook:
You do not need to submit your app if it will only be used in
Development Mode by you or someone with a role on your app. Any
account listed in the Roles tab in your App Dashboard, such as admins,
developers, and testers, can use all permissions but will only be able
to access their own data, that of test users, and test pages belonging
to them.
You can use any of these accounts to test your app and create a
screencast.
See this similar answer.
Related
I use google Ouath2.0 with passport.js in my Next.js/Node.js web-app. Registering and logging in works as expected. However, anyone with a google account is able to register, regardless of being in the test users list. The app is unpublished, and so only test users registered by me in the Oauth Consent screen should be able to register and login.
Does anyone know how to fix this? As far as I have understood it, login when not registered as a test user should simply fail. I have seen this asked elsewhere with no answers, and I am not able to contact google as that requires a paid support level.
I had a quick look at this and observed the same (incorrect) behavior; I too was unable to restrict authenticated users to the list of test users:
Created Apps Script Web app (for a quick win)
Associated a Cloud Platform project with it
Enabled Gmail API in the project and added one of its "restricted" scopes
Added one Google account to test users
I was able to login using the test user and any other Gmail account regardless of whether I included a Gmail restricted scope.
One thing I observed but am unable to explain is that I was not presented with the app's (project's) OAuth Consent Screen. Each time I logged in (incognito), I was prompted by the standard Google login screen only. I expected to be prompted by the OAuth Consent Screen before accessing the app. This likely explains why identities aren't being limited to the test users but I'm unsure why I'm not seeing the consent screen.
Even without Google paid support, you may file issues like this using Google's public issue tracker and these will be seen by Google Engineering.
I recommend you file under "Cloud Platform > Security & Identity" and let someone within Google triage:
https://issuetracker.google.com/issues/new?component=187167&template=1162765
Currently I am trying to get my app approved by Facebook.
My app allows users to connect their instagram account. I use data like instagram_profile_picture and followed_by_count to complete their profile with reliable data.
For that, I request the permission instagram_basic within the Facebook-login process. Obviously the process only works if a instagram account is connected to the Facebook account which they are logging in with.
Facebook rejected my app because they could not test the permission properly. But they say that my screencast shows a valid use case (where my FB account is connected to a instagram account). I have checked the test-user they have used to review my app and it is not connected to a instagram account. What makes requesting the permission pretty useless.
test-user
I thought that Facebook is smart enough to understand that, but I guess that's not the case.
Can anyone help me?
Facebooks test-user-system is a mess. But you have to try (I tried several times) creating an Instagram-account using the fb test user, you should then try to connect the instagram account in the instagram mobile app to the fb test user. This worked out for me.
I am able to logout and login but there is 1 particular scenario which I am not able to achieve.
Scenario:-
User logs in using federated social login (Google), using hosted UI directly.
Now the user clicks on logout it directs it to AWS Cognito logout URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/logout?
response_type=token&client_id=xxxxxxxxx&logout_uri=https://abc/logout.html
it logs out the user success and successfully redirects the user to logout page as mentioned in URL.
Now when the user tries to log in again by a different account, he is forced to use his previous google login only.
I want to have such functionality that user can log out and log in again if he wants then he can log in with the same account or with different depend on choice.
The important point to note is I can't use AWS-Amplify or any javascript framework, only plain javascript.
The reason you are always forced to log in with the same user seems to be that the /logout? endpoint only logs out the user on Cognito, but Cognito does not communicate to Google that it should log you out of your device. Thus, every time you sign back in and the Google Authentication screen is launched Google still remembers the device and sees that you're still logged in. As a result, the redirect URI is triggered without you ever being prompted to choose a new account.
I'm running into the same issues on a React Native project, but have yet to find any evidence that Cognito offers an endpoint to force it to also sign you out of the Identity provider (i.e. Google).
PS: Here's another stackoverflow discussion with more info: AWS Cognito - How to force select account when signing in with Google
One of the responses in that thread mentions calling Google's logout endpoint directly as part of the signout flow. It's definitely not pretty, but since you're using plain Javascript it might be a sufficient solution.
If you find a cleaner solution please make sure to share it, as I'd be interested to hear what you find :)
Well, I got it working but I don't think so its an issue but a kind of behaviour that every developer should know who is trying to integrate google login in the there application. Here are the few scenarios I am have checked and their respective behaviour.
My AWS Cognito Login URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/oauth2/authorize?
identity_provider=Google&redirect_uri=https://xxxxxx/login.html&response_type=TOKEN
&client_id=xxxxxxxxxxxxxxxxx&scope=phone%20email%20openid%20profile
My AWS Cognito Log out URL
https://xxxxxxxxx.auth.us-east-2.amazoncognito.com/logout?
client_id=xxxxxxxxxxxxxxxxxxxx
&logout_uri=https://xxxxxxxxxxxxx/logout.html
By using the above URL when I log out, I don't get logged out from chrome browser.
This behaviour is an issue for many people
So when your chrome browser has only 1 account logged in, at that time AWS Cognito google login won't redirect to a page where you can select the different user, because you have only single user through which it gets logged indirectly.
Found out how we can show multiple logins:- So if you want another user to log in then he needs to first sign in chrome browser, and when he clicks on google login from the website at that time he will be able to select user, as in chrome we have now 2 users logged in google, from where he can select which user want to use for access.
I won't be accepting this as an answer because it's not how everyone want this behaviour, will wait for few days if someone can suggest better way.
I think so, for now, we have to go with this.
I am working on a local application that needs to retrieve data from user's Facebook profile. As long as I can see, by default I can only get name, picture and age range, but I need many others information like education, location, likes and so on. I tried to submit approval for these items, but Facebook won't set my submission because I don't have a Privacy Policy URL added. I don't know what Privacy Policy URL to add because I'm working on localhost.
Please help me figure it out and excuse me if my question is wrong, it's the first time when I work with fb api. Also, if there is another way to retrieve this items, I would be more than happy to hear about it.
Have a look at
https://developers.facebook.com/docs/apps/review/login#do-you-need-review
It's saying that
in order to help you craft your Facebook Login experience, your app's developers will be able to see, and grant, any permission without requiring review by Facebook.
and
Also, if you're the developer of an app and are the only person using it, then your app doesn't need to go through review. Since you're the developer, all app capabilities should be available. You will still need to take your app out of developer mode, but you should be able to do that without going through review.
So, to be able to develop your app and request extended permissions, you don't need to pass your app to review, as long as you test with an app admin/developer/tester.
I'm soon to write a web based Twitter client which I plan to allow users to login with OAuth. My question is; can, once a user has logged in once already, my app login later and 'background' process their feed for them? I.E. does the user have to 'be there'?
Yes, when they have autorized the login you can keep them loggedin. Just like applications like tweetdeck do. Check out http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-i-overview/ for a walkthrough.