I wonder what is the right technique to streamline the login to my site via Facebook.
Currently, I have a web site integrated with Facebook Login button. Right now, it's an independent web site, and not a "Facebook app" (running in the canvas). While this is not my decision, this could change in long term if matters.
The way the authentication work: the "fb-login-button" is redirected to my application URL using onlogin() event; the server side uses the cookie to retrieve the "access token" and perform further Graph API work. The business logic resides on the server side.
The current business requirement is the following:
Suppose someone posts a link to my site, somewhere in Facebook, for example in our site community page:
http://www.mysitedomain.com/offer1
A Facebook logged-in user clicking on the link - should get to the target page, after his Facebook identify got verified, and the result should be personalized for that user.
If a Facebook user already has an active session with my site - trivial.
Assuming a user had approved my site (app) in the past, but has no active session - here I am looking for the best practice to do the login.
Also, I would appreciate a hint how to handle the app authorization (i.e. showing the Facebook authorization dialog) in a most efficient way.
Thanks for any hint.
Check out FB Login Architecture and FB.getLoginStatus. Based on FB documentation, If you use javascript sdk, it only triggers a Popup on the same page and once authenticated it will go back to the same page. So once the login status is confirmed then you can get users information from graph api and update via AJAX on your page. You can also checkout this server side login. Hope this helps.
Related
I know it's probably a common question but i couldn't find a solution for my specific case. We have created a Facebook App on our Business Facebook account and the client has given us page moderator permission on his page. Using this we have been able to generate a Never expiring page token and download the posts from the clients page. We would like to do the same for the clients Instagram posts.
After reading the GraphAPI docs i have concluded that we need "instagram_basic" permissions from the client but when i choose page in the Graph API Explorer and try adding "instagram_basic" permission the whole API Explorer disappears.
We do not have the Instagram Business account but the client has. His posts are all public and we need only his posts. I'm confused by the docs what tokens can we use. Page token seemed appropriate for Facebook but not for Instagram. This is all downloaded server side and mashed together with the clients other blog posts and similar feeds. There is no App involved so no Facebook, IG login.
I have created an app that just wants Users to subscribe for User_events and manage_pages WebHooks subscriptions. As a developer I am able to test the WebHooks at my callback url where I am handling all my graph api calls and retrieving additional information using restfb.
I am confused on having a redirect uri, when I want users to authorize the app. Basically my understanding so far is that I need to make my app public and submit for review in order for others to see. Is redirect uri mandatory for my app? my app wont need users to visit my website or login to any of my callback urls. Only information I need when the user subscribe(or authorize) my app is their uid and pages they are giving me the permission to.
Please note I started reading about facebook webhooks and app development very recently (a week). Any suggestions would be great help.
I am implementing "login with facebook" feature using php sdk, i am able to grab user profile details. But after that user remains logged in. Suppose user is accessing my site and after using "login with facebook" features he leaves immediately, then next person sitting there can use(misuse) previous persons account.
1)How can i automatically logout user after fetching what i needed (I dont want to show user "facebook logout" button).
2) Is there any way i can only logout user from my app and not facebook logout ? (i mean if user is already using facebook in another tab then it should only logout users facebook session from my app.)
Assuming all the usual security measures are in place (session timeouts apply to FB logins, doesn't leak FB data across distinct PHP sessions, logging out of your site clears FB session data or moves to a login/front page with no FB access), websites with Facebook integration generally don't bother securing their FB integration on a per-request basis. It's the user's own fault if they leave a browser window open and logged into your website, there's not a lot you can or really should do about that kind of mistake.
All that being said, you can call getLogoutUrl and then redirect the user to that URL to log them user out of the current session, OR you can use the JavaScript SDK's FB.logout(). Both options are mentioned here.
I'm integrating Facebook into my application. A user in my app can either be authenticated via Facebook, or be authenticated by their account (email address + password) with the app. I have a page in my app where I pull Facebook friends list using FB Javascript sdk. I log into the app using Facebook authentication then navigate to the page and can see my friends list. I can then logout of app using FB.logout then login to the app using a different user account (email + password) then navigate to the page and still see my friends list. I've logged into the app using a non-facebook authenticated login. It's not a caching issue as I have no caching set up in my dev environment. I'm new to Facebook. Any ideas on why the friends page is still retrieving friends list? Thank you!
I doubt the browser is caching the friend list, unless your loading the friends list after the page is loaded via ajax. But even then it would be rare to see such a thing.
I've never used the js sdk. But i know with the PHP one it automatically stores the fb token in the session. However ive just had a thought, if your using the JS SDK, that probably means that your not using tokens like the PHP sdk does. I would guess that its because facebook is detecting the user as logged in ?
Try logging out of facebook after you logout of your own site, then login with a different account. If that works, then you need to google around and get the code for logging them out of facebook. I believe the old trick was to just header redirect them to the facebook logout url, but there may be a nicer way of doing this.
Having said that, this would log them out of facebook, so you might annoy some people. How often can you see people logging out to log in with a different account?
I have a website which users can sign up to using Facebook Connect (with the new OAuth 2.0 stuff). Now when a user logs out of Facebook they remain logged-in on my site.
I'm not using the JavaScript SDK as I don't like the "magic behind the curtains". So what should I do when a user logs out of Facebook? Should I care at all? I get the feeling I should try to catch this somehow and log them out of my site as well.
I'm using Django with a custom authentication backend for this.
Don't do anything. You are using facebook as means of authentication. The fact that the user logged out of facebook means nothing for that matter - He's stil the same user.
Do the users think of your site as a part of facebook? I guess not (assuming its not a facebook app, just a login via facebook). Then it would be surprising and counterintuitive from the user's perspective to find he's also logged out of your site when he only logged out of facebook.