I need to get the facebook friends email ids of a user providing his login email id and password. That is, if we enter the facebook login email id and password we need to get the friends from facebook. So far i was only able to get the examples which uses Api_Key and Api_Secret. Even the Graph api is using Access Token. Is there any way to access the friends using email id and password? Please help.
This is against Facebook's Terms of Service. Specifically policy I.2:
You must not include functionality that proxies, requests or collects
Facebook usernames or passwords.
Also, you would be required to use the Facebook API which does not provide access to friends email addresses.
You'll need to ask your users to authenticate using the Facebook API. You shouldn't be collecting email and passwords on behalf of users. However, if you ask for offline access, then when you do this, you can access the data any time.
Facebook uses oAuth, so you and your application will never see the password of the user that you are getting permission for. oAuth (used by Twitter and Google as well) requires a bit of a handshake to get authenticated, but once you do, you can get permission from the user to do whatever you want, as long as they accept.
Check out https://developers.facebook.com/docs/guides/web/#login for more on how Facebook does authentication.
Related
I have to implement a REST backend for mobile applications.
I will have to use Django REST Framework.
Among the features that I need to implement there will be the registration user and login.
Through the mobile application the user can create an account using ONLY the Facebook login.
Then, the application will take the information from Facebook using the token-facebook and it will send this data to my server.
I tried using python_social about Facebook authentication and user registration using the Facebook token.
At this point I have doubts:
think there could be two choices:
1:
The mobile application use the Facebook-login to retrieve user data and will send a request to my server to create a new user with the Facebook data user and passing the Facebook-token.
In this case, in the server side, it will not be integrated python_social and facebook-token is a simple profile field.
Doubts: how can you implement the next login (which password Is necessary to use?)
2:
The second possibility is to use python_social. In this way there are no problems for subsequent logins. The token Facebook will be used to retrieve the data (and validate the user) by calling: do_auth
But in this case, for each user, the server will have to make a request to Facebbok (which actually is possible to avoid: the mobile application has already recovered all the data)
What is the best case? What do you usually use for authentication backend rest with Facebook?
i didn't unerstand the first case, when you are using facebook login it does the authentication and we will register the user with the access token provided by facebook. When ever user log in we are not worried about the password, authentication is not done on our end. so when ever user tries to login it contacts facebook if everything goes good there, it will give you a token with that user can login.
Is it possible to register Facebook account without having email tied to that account? I am asking because in some responses (1 out of 10000) I don't get email (I have perms="email" in request to API)?
Anyone have experience with this problem? What response do you display to user in this case?
Actually it is possible, for the case user signed up via facebook mobile app on a phone, and registered using a phone number.
email permission isn't one that blocks user from logging in, once granted it can be removed manually by user and he can avoid granting it in the future interactions with your app/site.
At least Facebook's JavaScript SDK passing user identity even if user skip granting email permission.
It is not possible to register a facebook account without an email. If you have users connecting your application but you can't see their email address, they probably denied permission.
It's not possible to have a facebook account without email, but it's possible to have it with unconfirmed email, in which case it's not provided via API:
Facebook Email field return null (even if the “email” permission is set and accepted)
I'm writing a Django app and I want users to be able to supply their Twitter username and connect their Twitter account with their User in my app. (I'm not using Twitter to log them into my site; I just want them to connect their Twitter account with their account on my site, and give permissions for certain actions.)
Assuming I do that successfully, and I get back and store an access_token for the user, what's the best way to subsequently check that the access_token is still valid? i.e., if the user has later revokes access to my service on their Twitter account, I want to be able to check the access_token and, if it's invalid, delete it and prompt the user to re-authenticate.
The Flickr API has flickr.auth.checkToken and I guess I'm looking for the equivalent functionality with the Twitter API.
using python-twitter, you can verify if the credentials are ok using:
if api.VerifyCredentials() is not None:
I am building a app/API that allows user to login with Facebook, Twitter or Google. I am wondering what are the best practices in allowing those user to use the same account to login to the API.
A couple Ideas that I have had is pass the auth token/cookie in a header to the API for every request and use that to authenticate on the backend.
Run my own OAuth setup and make the user authenticate once with the back end to get my OAuth token and use those from then on.
I am doing the same thing and my solution is to match the email addresses that you get from these respective APIs.
For Facebook, you need special permission from the end user to get the email address registered there. You do this by adding &scope=email to the first oauth request.
A disadvantage is that you need to get this permission from the end user and they may decline. Another disadvantage is that users need to use the same email addresses for Google, Facebook and Twitter.
An advantage is that user records are merged automatically, so users can directly access all their data if they logged in the first time through Google, and the second time through Facebook.
Another approach would be to manually merge their data by making them log in to Google when they are already logged in through Facebook. Then you can conclude that they are the same user, even when they use different email addresses for both. But this is a more tedious approach, as you still need to merge the app's user data from both accounts.
Your first solution is exactly the way I do it. As all my rest services are stateless, the access token goes in the header and is parsed by spring security authentication filters on every request. I use a grails sever with the spring-security-oauth plugin. We also run a website which allows for using session cookies for browser based access.
I am writing an "Invite Users" feature for my website.
I wanted the user to enter his gmail credentials or facebook credentials, and I wanted to send emails to the friends he chooses from.
Although I found out that you cannot send privates messages to your friends on FB via the API.
How can I accomplish the same using google / gmail ?
You should use the Google Contacts API along with OAuth. Accepting the user's GMail ID and password on your own site is never a good idea. http://code.google.com/apis/contacts/