I'm building an ios app which uses Django as server. Users login my server use their facebook account. ios app get facebook id and access token first, then I want to send facebook id and access token to my server to validate it. If the facebook id and access token is correct, server will create a user.
My question is :
how to validate facebook id and access token?
e.g. a user whose facebook id is 123 get an accessToken: abc in app, then the app send the info to my server, how can server validate that the accessToken abc is assigned for 123, not for other facebook id?
To identify an access_token, make a call to the https://graph.facebook.com/me endpoint with it. Then use the retrieved data to validate the user's id.
Related
I am trying to access to an API that uses OAuth2 authentication with the Refresh Token grant.
So, to request this API, I need a Client Id, a Client Secret and a Refresh Token.
Using https://console.cloud.google.com/apis/credentials, I created a new OAuth 2.0 Client ID, which gives me a Client Id and a Client Secret.
But I struggle generating a Refresh Token.
By looking at this article, it looks like I need to execute the following POST query :
curl -X POST -d "code=[CODE]&client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]&redirect_uri=[REDIRECT_URI]&grant_type=authorization_code" https://oauth2.googleapis.com/token
To retrieve the CODE parameter, I need to do another call to this URL : https://accounts.google.com/o/oauth2/v2/auth?scope=[SCOPE]&access_type=offline&include_granted_scopes=true&response_type=code&redirect_uri=[REDIRECT_URI]&client_id=[CLIENT_ID]
This call opens the Google login page.
However, I don't know how to log in with an OAuth 2.0 Client ID. I don't have an email linked to these credentials.
Am I following the correct steps to retrieve a Refresh Token in my use case, and if so, what am I missing here ?
I am trying to build a REST API that will login to Facebook using socialite with lumen, a micro-service of Laravel. I have set up my Facebook app and configured the client_id, secret and access url accordingly.
The work flow is:
Here is the work flow
1.get user details from socialite
2.check the user existence with email ,if its exists execute auth::login, otherwise create a new record in users table and redirect to profile.
The program now redirects me to Facebook, however once the user presses the login button, it returns the following error:
Client error: `POST https://graph.facebook.com/v3.3/oauth/access_token` resulted in a `400 Bad Request` response:
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100,"error_subcode":*****,"f (truncated...)
I am confused as it has not been long since I generated the token and no user login/ permissions have changed, so the token should not be expired. Do I need to store the access token in a database in order to grant the user permission or is there some way to store it in a user's browser session?(I already have a database configured on forge for user name and email)
I'm trying to understand the basic organizations and login flow between social logins on a mobile app and how that app requests resources from a backend flask api.
If the user logins into the app through Facebook, how does the backend api provide resources based on that login? Because it seems the backend doesn't know the user has logged in with Facebook.
Does facebook need to send a token to the app that the backend api then validates with facebook?
I suggest you to first read about single sign-on mechanisms:
https://en.wikipedia.org/wiki/Single_sign-on
Then you can read about OAuth2 which is used by Facebook for SSO from here
https://oauth.net/2/
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
Simply you are correct, when user signs-in on Facebook, the backend will get token from Facebook that is used for authentication/ authorization of that user.
This is happening when a Facebook/Google log in is clicked on an XYZ website.
XYZ website redirects to Facebook login page together with an XYZclientID(XYZ should be already registered under Facebook as a developer)
Facebook identifies that XYZ(using XYZclientID) wants to authenticate ABC person
ABC person log in to facebook.
Facebook issues an authorisation code(for ABC+XYX combination) and redirects back to XYZ website.
XYZ uses this authorisation code + XYZclientID + XYZclientSecret to get a bearer token
Facebook validates the secret and issues a bearer token(linked to ABC person)
XYZ uses this bearer token to retrieve details of ABC person. (It cannot be used to retrieve data of DEG person)
Facebook give the email & other personal details of ABC to XYZ and XYZ shows that ABC is logged in.
More elaborated here : https://www.scienceabc.com/innovation/oauth-how-does-login-with-facebook-google-work.html
I would like to get basic user information from Facebook after the user has logged in.
I've looked at the documentation in How to: Work with authentication and under the "How to: Retrieve authenticated user information" section, it shows how to do it from the .NET backend code by using an HttpClient to make the call with the AccessToken:
var fbRequestUrl = "https://graph.facebook.com/me/feed?access_token="
+ credentials.AccessToken;
Since the mobile client has the accessToken that we get from MobileServices, can the client make the call directly to a Facebook endpoint, or does the client SDK provide us with any built-in functionality?
I've been following the Xamarin.Forms Sport project and the way they get the user information from Google is by hard-coding the Google endpoint and making a call to get the user info.
Note: Xamarin.Forms Sport uses Mobile Services, not Mobile App, so not sure if that makes any difference.
It sounds like you're doing the server-directed login: where you are making a call to your backend to do the login dance with Facebook. In this, your client application is making a GET call to .auth/login/facebook, which opens up a browser or the Web Authentication Broker where you enter your credentials. The end result is you will receive a Zumo access token (different from Facebook access token).
You cannot use the Zumo access token to access Facebook APIs by itself. In the "How To:" you linked, we show you how to use GetAppServiceIdentityAsync from the backend to get the Facebook access token. This is possible because you have stored your Facebook client ID via portal, which is available to the backend.
The advantage of doing auth like this was that you don't have to deploy your Facebook Client Id with your mobile apps. If you wanted to access the Facebook APIs from the client, though, you'll need to get the Facebook token to the client.
Few ways I can suggest:
Call .auth/me from your client. The response will give you a JSON object you can parse that should include the FB token associated with your Zumo token.
Write a custom API with [Authorize] attribute set that will perform GetAppServiceIdentityAsync and respond with the value of the facebook access token. You can then parse the response from your client. This is basically what .auth/me does, but you can write it to give back only your FB access token.
Use the Facebook .NET SDK http://facebooksdk.net/ to do client-directed login. You will get a Facebook token on your client, and then you can use our LoginAsync(Facebook, access_token) method to get a Zumo token so that your client can access both Facebook and your Mobile App backend. The disadvantage, as I mentioned before, is that you'll have to deploy your FB Client ID with your app.
My application in JavaScript identified users by facebook id. Send request to server with ID and access Token, how server (Java EE) can check is this client use right user token ?