My application in JavaScript identified users by facebook id. Send request to server with ID and access Token, how server (Java EE) can check is this client use right user token ?
Related
I'm using django-oauth-toolkit with djangorestframework where our partner user will register their application and get application credentials (client id and client secret) which then used to get access token that can be used further to get our server resources. Upto now I'm able to convert those form based application registration process and other apis through rest. But while I hit for access_token only access token with expire are coming as response. Refresh token also supposed to come along the access token but it's not. What I'm missing here...
Below is the sample api response for access_token
And the oauth2 settings
FYI: I'm using Client type as "Confidential" and Authorization grant type as "Client Credentials"
Findings: This may be helpful for others
There is no need for refresh token for grant type client credentials.
Further descriptions RFC doc ; grant type client credentials
I would like to get basic user information from Facebook after the user has logged in.
I've looked at the documentation in How to: Work with authentication and under the "How to: Retrieve authenticated user information" section, it shows how to do it from the .NET backend code by using an HttpClient to make the call with the AccessToken:
var fbRequestUrl = "https://graph.facebook.com/me/feed?access_token="
+ credentials.AccessToken;
Since the mobile client has the accessToken that we get from MobileServices, can the client make the call directly to a Facebook endpoint, or does the client SDK provide us with any built-in functionality?
I've been following the Xamarin.Forms Sport project and the way they get the user information from Google is by hard-coding the Google endpoint and making a call to get the user info.
Note: Xamarin.Forms Sport uses Mobile Services, not Mobile App, so not sure if that makes any difference.
It sounds like you're doing the server-directed login: where you are making a call to your backend to do the login dance with Facebook. In this, your client application is making a GET call to .auth/login/facebook, which opens up a browser or the Web Authentication Broker where you enter your credentials. The end result is you will receive a Zumo access token (different from Facebook access token).
You cannot use the Zumo access token to access Facebook APIs by itself. In the "How To:" you linked, we show you how to use GetAppServiceIdentityAsync from the backend to get the Facebook access token. This is possible because you have stored your Facebook client ID via portal, which is available to the backend.
The advantage of doing auth like this was that you don't have to deploy your Facebook Client Id with your mobile apps. If you wanted to access the Facebook APIs from the client, though, you'll need to get the Facebook token to the client.
Few ways I can suggest:
Call .auth/me from your client. The response will give you a JSON object you can parse that should include the FB token associated with your Zumo token.
Write a custom API with [Authorize] attribute set that will perform GetAppServiceIdentityAsync and respond with the value of the facebook access token. You can then parse the response from your client. This is basically what .auth/me does, but you can write it to give back only your FB access token.
Use the Facebook .NET SDK http://facebooksdk.net/ to do client-directed login. You will get a Facebook token on your client, and then you can use our LoginAsync(Facebook, access_token) method to get a Zumo token so that your client can access both Facebook and your Mobile App backend. The disadvantage, as I mentioned before, is that you'll have to deploy your FB Client ID with your app.
Could some one show me example or explain how to use Facebook client token in a native mobile client to make Graph API requests?
From https://developers.facebook.com/docs/places/android:
The Places Graph SDK automatically selects the access token when a new request is created. If a user access token is available, it will be used; otherwise, the client token is used.
The following code example demonstrates how to set the Client Token.
// Get your client token from the developer portal.
String CLIENT_TOKEN = "{your_client_token}";
FacebookSdk.setClientToken(CLIENT_TOKEN);
// At this point, requests on PlaceManager can be invoked.
// Users do not have to log in Facebook.
I am using Django-oauth-toolkit for social authentication. How to check if access token is expired so that I can send the request for a new access token by sending refresh token.
I'm building an ios app which uses Django as server. Users login my server use their facebook account. ios app get facebook id and access token first, then I want to send facebook id and access token to my server to validate it. If the facebook id and access token is correct, server will create a user.
My question is :
how to validate facebook id and access token?
e.g. a user whose facebook id is 123 get an accessToken: abc in app, then the app send the info to my server, how can server validate that the accessToken abc is assigned for 123, not for other facebook id?
To identify an access_token, make a call to the https://graph.facebook.com/me endpoint with it. Then use the retrieved data to validate the user's id.