This page claims that you can access the Places Graph functionality without having a logged-in user:
You make your calls using a Client Token (from the client), and an App Access Token (from the server).
The documentation regarding Client Tokens says:
The client token is an identifier that you can embed into native mobile binaries or desktop apps to identify your app. The client token isn't meant to be a secret identifier because it's embedded in apps.
This sounds like exactly what I want--I am trying to build a website that allows users to search for Facebook places. I need to be able to build the list using an AJAX request from the client side.
I can't for the life of me find any documentation on using the Client Token to make such a request.
Please note that I cannot use an App Token because this will be deployed to a website, and Facebook specifically says not to use App Tokens in that context.
I've tried using the Client Token directly as the access_token, but then I get Invalid OAuth access token.
How can I use the Client Token to make a Places Graph API call directly to Facebook's API from the client's browser?
Note: I realize that I could send the request to my own server, then relay that request from my server to Facebook, but that is not an optimal solution for me.
In case anyone is still struggling with this like I was. You just need to use the appId and client token joined with a pipe. So "appId|clientToken".
Related
It is clear how to get a token from Google(or any other OAuth provider). But I do not understand where shoud I do it - server part or client part.
For example: I have a backend on Flask with unified API for Android, iOS and web(js/react) apps.
Where do I need to get a token? On the client (Android for example) part and send it to server or in my Flask app after request from client? Where should I get data from provider? How at all works interaction between client and server while using OAuth?
Would be pleased for some explanations or links on some guides
Your UIs will manage redirecting the user to authenticate - after which the UI is given an access token to call the API with.
The OAuth provider is the entry point for authentication and issues an access token afterwards.
The API uses the access token to identify the user and authorize access to resources.
A good way to understand OAuth is the HTTP messages - my blog post highlights these, and they are largely the same for SPAs and mobile.
There are also some code samples on my blog which you can run, in case useful.
Is there a way to authenticate the Microsoft or google OAuth token in active directory without using an authentication server?
Here is the scenario:
A client app gets an Microsoft access_token from some external service.
Client app will make a call to some secured web API and pass that access_token along with the request header
If the access_token passed by client is valid then API will provide response to the client.
Is there a way to validate that access_token on API side?
My normal understanding about OAuth 2.0 is there needs to be an authentication server to which both the client and API would talk to as shown in the figure below:
But if the token is provided by some external service, Can we use it to validate our web API. Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.
Been reading and watching quite a bit, and asking a lot of questions regarding ReactJS and Django.
This particularly helped me to understand the the flow of data from Django REST Framework to ReactJS and from ReactJS to Django REST Framework.
Django Forms and Authentication with Front-end Framework (AngularJS/ReactJS)
However, the one thing I am trying to understand is authentication to the Django REST Framework. I understand from the documentation that it has built in authentication. Since this is sensitive data, I would obviously want it protected people retrieving it just by going to http://www.my_site.com/info/api.
I would need to setup ReactJS to be the only thing that can request data from the API whether that is through a key or username/password credentials. I am just curious how this is handled? Obviously I don't want that hard coded in ReactJS because it will compile with the rest of ReactJS.
Here's how I'd approach it: I'd use a JSON Web Token (JWT) for authentication and authorization.
You'd use your back-end to protect ALL API requests from invalid JWT's except for routes where a user won't have a token (ie, registration/log-in pages).
Here's how the flow of the application will go:
A new user registers to your app with standard credentials such as email and password.
Your back-end will create a new user, sign a new JWT token (usually with the user's ID). You'll probably use a third-party library to sign/verify tokens (I don't have experience in the Django community but I am sure a quick Google search will give you answers). Your back-end will send back this token. This is the only time the back-end will receive email, passwords or any other sensitive information on registration.
From this point on React will only use this token for authorization. React will save this token somewhere (ie, localStorage) and send this token along with the other parts of a request to the API routes you created with your back-end. You'll send this token in the authorization headers in the request.
Your back-end will validate this token using a third-party library. If it's invalid the request stops and an unauthorized error is returned. If it's valid the request continues.
This achieves the following:
Your API routes are protected against unauthenticated users
Each request to your API is verified for authorized users which protects anyone from requesting any part of your API.
You can further solidify this by only allowing requests for users to modify their own data. For example, protect Suzy's profile from being modified by people other than herself by only allowing her token with her ID to modify her account/data.
Important Note- Your backend will never save these tokens in storage. It will verify the token on each request. Read more about JSON Web Tokens (JWT) and how it works.
Django Rest Framework has built-in token authentication and a third party package for JWT Token Auth.
If you the standard token auth would work for you, then it could be pretty simple with drf-redux-auth. If you need JWT for some reason, as suggested by Keith above, you could easily fork the above...
I would like to get basic user information from Facebook after the user has logged in.
I've looked at the documentation in How to: Work with authentication and under the "How to: Retrieve authenticated user information" section, it shows how to do it from the .NET backend code by using an HttpClient to make the call with the AccessToken:
var fbRequestUrl = "https://graph.facebook.com/me/feed?access_token="
+ credentials.AccessToken;
Since the mobile client has the accessToken that we get from MobileServices, can the client make the call directly to a Facebook endpoint, or does the client SDK provide us with any built-in functionality?
I've been following the Xamarin.Forms Sport project and the way they get the user information from Google is by hard-coding the Google endpoint and making a call to get the user info.
Note: Xamarin.Forms Sport uses Mobile Services, not Mobile App, so not sure if that makes any difference.
It sounds like you're doing the server-directed login: where you are making a call to your backend to do the login dance with Facebook. In this, your client application is making a GET call to .auth/login/facebook, which opens up a browser or the Web Authentication Broker where you enter your credentials. The end result is you will receive a Zumo access token (different from Facebook access token).
You cannot use the Zumo access token to access Facebook APIs by itself. In the "How To:" you linked, we show you how to use GetAppServiceIdentityAsync from the backend to get the Facebook access token. This is possible because you have stored your Facebook client ID via portal, which is available to the backend.
The advantage of doing auth like this was that you don't have to deploy your Facebook Client Id with your mobile apps. If you wanted to access the Facebook APIs from the client, though, you'll need to get the Facebook token to the client.
Few ways I can suggest:
Call .auth/me from your client. The response will give you a JSON object you can parse that should include the FB token associated with your Zumo token.
Write a custom API with [Authorize] attribute set that will perform GetAppServiceIdentityAsync and respond with the value of the facebook access token. You can then parse the response from your client. This is basically what .auth/me does, but you can write it to give back only your FB access token.
Use the Facebook .NET SDK http://facebooksdk.net/ to do client-directed login. You will get a Facebook token on your client, and then you can use our LoginAsync(Facebook, access_token) method to get a Zumo token so that your client can access both Facebook and your Mobile App backend. The disadvantage, as I mentioned before, is that you'll have to deploy your FB Client ID with your app.
I am hoping to work on a REST API that would interface with a mobile client. I am think of implementing the following flow and hope you guys can set me off in the right direction:
User accesses the mobile app and then will signup with facebook (app)
Once the user successfully authenticates himself, the generated token is passed to the server (via an API endpoint)
The server will accept this token and will attempt to query the facebook server using this token and process the returned information
Is this possible? And am I heading in the right direction ?
Not only this is possible, but this is the approach which Facebook recommends. This is called "token debugging" in FB parlance.
The token will need to be checked and validated by your server, by calling the token debug Facebook api.
If you don't validate the token on the server, your app could be subject to various attacks, e.g. another developer could use a token generated on another app to gain entry.
The correct approach is:
testing that the user is the one to whom the token belongs to
that your app is the same for which the token was generated
that the token itself is valid.
You can manually inspect a token, in order to test your code with an online tool: https://developers.facebook.com/tools/debug/