How can I modify this to get permissions for offline_access and others
"https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id="+appId+"&client_secret=" + appSecret;
I don't think you can. The url you are using looks like the one used to get an access token for adminstrative actions on behalf of an app. I.e. Graph api calls requiring an app access token such as access to app Insights.
Offline access, as far as I know, applies only to performing actions on behalf of a user e.g. posting to their wall.
Maybe you are looking for something more like this?
https://www.facebook.com/dialog/oauth? client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=offline_access,email,read_stream,etc
Assuming you have already know about the authentication guide, but just in case:
http://developers.facebook.com/docs/authentication/
Related
There are a lot of various topics on that already but I want to be very explicit here:
I'm aware that Cognito API flows (also used by Amplify) return tokens with aws.cognito.signin.user.admin scope. And I'm also aware that I can't use those to call any of the OIDC endpoints (like /userinfo). But this is leaving me with quite a problem: how do you solve a case when user performs a global logout? Without calling endpoints like /userinfo, how can I verify that incoming access_token is indeed revoked?
Especially when one's using Amplify with it's client storing tokens approach, those can be easily stolen, and with an hour of expiry on access_token, someone can cause a lot of mayhem... I'm struggling with this very much, tried consulting AWS directly about this, but they don't seem to have any solution in mind, so maybe the community can help... I need my app to be as secure as possible. I'd prefer to use authorization_code flow with PKCE but doing it with custom UI is a journey on its own...
Thanks everyone in advance
I want to implement a blog API - for fun and learning - which allows a user to manage and write/view their own blog posts. So far I have an API with paths like
/ - GET all posts,
/blog/{id} - GET a specific post or PUT to update a post
/blog/ - POST for a new blog
Using a cognito user pool, a user can sign up, and login and the API Gateway uses an authorizer to allow or deny access (I'm mucking about with Blazor at the same time - there isn't really an interface yet just a bit of cobbled together C# that uses the identity provide API}.
However, any user can see all posts. I really want something like this:
/{user}/ - GET all posts by user
/{user}/blog/{id} - GET or PUT specific blog post
and so on.
Behind the API gateway are four really simply lambda functions. So far, with the user pool authorizer I can see the Authorization header but nothing else (the request context and context have no Identity elements that are not null).
I was wondering whether I could use Identity Pool to do the specific user permissions using IAM Roles, but I cant think of what the roles might look like, or whether this seems possible. I know there are parameters you can embed in roles - you do that for S3 Roles - why not API paths?
Does this sound plausible or would I need to go down the Lambda function to do authorization? Anyone any examples? I googled and look through stack overflow, but couldn't see anything specific around this.
Another problem I guess would be getting a nice ID substitution for user here - I collect email and nickname so far - need a nice username rather than a cognito user id, which looks like they're wouldn't play well with a URL?
Thanks.
The answer to my query appears to be in this you tube video, put up by the AWS team late last night (uk time, anyway.) So far, using C#, I can authenticate myself against the user pool, and get AWS Credentials, but when I attempt to access my API I get "message": "unauthorized", and that's it!
Anyway, onwards and upwards.
You tube video about fine grained access control using cognito identity pools.
I am using Django with a Tastypie library, and the Django-OAuth-Toolkit, and a Tastypie authentication for the Django-OAuth-Toolkit.
Disclaimer: There is a chance I am totally wrong about all of this. If so, please correct me and guide me towards the less ignorant.
Main Question: How do I create users securely?
My Understanding:
In order to get or post, the client needs a token.
In order to get a token, they need to login.
In order to login they need a user account.
In order to make an account they need token.
In order to make an account they need to login?
I am left in a struggle trying to figure this out. Do I make it when the client tries to make an account it does not need OAuth2? Or is there a way to use OAuth2 without a login that only lets the client create accounts?
Any help is much appreciated!
in order to make an account you don't need a token, Signup using the normal flow, and on login request authenticate the user and give the token for further communication.
The answer is No, OAuth2 is usually meant for authorisation which in turn needs authentication.
So for creating account you cannot use Oauth, you have to use normal flow , setup account and then you can use OAuth to gain access token.
My app got white-listed for using the Ads API.
I was wondering in regarding to the authentication flow.
Say, that I need to retrieve and execute actions via the API on daily tasks ( with no user interaction) , I find the authentication process quite cumbersome.
Is there a way to work with my app access token instead of a user access token?
I want to be able to approve my app only once for each user and then to be able to work with no user interaction.
Can I achieve this?
App access token is not relevant for this case.
I had to work with the user access token.
I followed this doc: https://developers.facebook.com/docs/reference/ads-api/
Eventually , one should use some client side code in order to get a user permissions and then make another request for getting the user token.
So you'll have to call
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=ads_management,offline_access&response_type=code
Get the authentication code and make another call:
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=AUTHORIZATION_CODE
Then you'll get an access token which is valid only for two months, in opposed to what Facebook docs says in here:
https://developers.facebook.com/roadmap/offline-access-removal/
"Ads APIs are special cased to allow collection of statistics offline. PMD partners should use server-side OAuth flow in order to receive a non-expiring token rather than a token that has longer expiration time."
Too bad that the access token is not really valid forever...
According to "Exception 4" in this document , if you have Ads API access you should be able to get a non-expiring token if you use the correct workflow. Following the guidelines outlined here, if you use the server side OAuth flow, to make the following request you should get a non-expiring token:
GET /oauth/access_token?
grant_type=fb_exchange_token&
client_id={app-id}&
client_secret={app-secret}&
fb_exchange_token={short-lived-token}
thx for the feedback regarding the Access token process being cumbersome. Because this is a one to many solution - a single App ID can manage multiple ad accounts, on behalf of multiple people - we need to make calls on behalf of people.
You should be able to get a persistent access token for Ads API. If you are not getting it, please provide exact steps you are following so we can see if there is a bug or you might be missing a step.
Thx.
On this page:
http://developers.facebook.com/docs/opengraph/using-app-tokens/
It describes how to get the app access token, yet the token it returns is different than the one in the open Graph "Get Code" example. The latter is the only one that works. How can I get the second access token using the API? When I try to use the first example, I basically get something back that looks like "application ID|secret key" which is different than the real access token.
as documentation states, you will get
access_token=YOUR_APP_ACCESS_TOKEN
string back from the API call. Even though it LOOKS like "application ID|secret key HASH" - it is a valid access token you can use to publish to user's wall. You can verify it's a proper access token using Debug toll from FB: https://developers.facebook.com/tools/debug - just paste the token there.
The reason it might not work for you is because you are trying to publish something to the user's wall who did not authorize your app. Look here: https://developers.facebook.com/docs/reference/javascript/ - for example of how to use your app ID to make user authorize the app. You need to request publish_stream permission for your app from user in order to be able to publish as the app to the user's wall.
And going back to the documentation:
Note that the app access token is for publishing purposes permitted by
the publish_actions and publish_stream permissions. You will be unable
to retrieve information about the status update post with the given ID
using the app access token. Instead, you should use a user access
token for such purposes.
hope that helps.