How protective should I be of my Facebook AppId? - facebook-graph-api

It seems people are usually protective with the AppId, but it can be viewed by doing view-source on a page, no?
What are the security dangers if the appId gets into the wrong hands?

Your Appid is public information. The secret key should remain private.

Related

How to document and store cookie consents?

As a web developer I am periodically exposed to the matter of cookie consents and their compliance with GDPR. I understand the question of which cookie types require consent and, developing my own cookie consent solutions, I know how to get it technically done.
Usually I try to avoid any cookies besides technically necessary cookies. When third-party or tracking cookies become unavoidable, I ask for the user's consent before they are placed and I store this consent in a first-party cookie, something like third_party_cookie_consent = 1.
The page about the Cookie compliance of the GDPR says under "To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must: […] Document and store consent received from users."
But how exactly are we required to document and store the consent of a user? Is it enough to place a cookie on the user's machine which expresses whether consent was given? Do I have to log something to my logs and, if yes, what?
I did some research but I could not find sufficient information on this particular question of documenting a cookie consent. Thanks for any help.

When to use Facebook AccessTokenTracker Android SDK?

I am interested how to handle AccessToken expiration when using the Facebook SDK for Android.
According to the documentation on Access Tokens, developers don't need to worry about token expiration: "When using iOS, Android or our JavaScript SDK, the SDK will handle making sure that tokens are refreshed before they expire."
Assumption A: I assume that the quote above implies that AccessToken.getCurrentAccessToken() always returns a non-expired access token, or is my assumption wrong?
In the Facebook Login for Android documentation they say: "If you want your app to keep up with the current access token and profile, you can implement AccessTokenTracker and ProfileTracker classes."
My question is: why should I implement AccessTokenTracker, if (according to the first quote) the SDK makes sure that tokens are refreshed before they expire?
If my assumption is correct, then getCurrentAccessToken() always returns a non-expired token, so there should be no reason to track the AccessToken?
Thank you for help!
EDIT
My assumption A is wrong, because according to this documentation the person has to log in again if the access token is invalid.
Typically you would use the AccessTokenTracker if you also save the access token elsewhere. Let's say that you keep the access token server side (so you can make requests offline), and the SDK updates the token with a refresh, in that case, you'll want to update the token on your server as well, this allows you to do that.
Alternatively, if your app allows people to log off, or to switch to a different user, you can use the AccessTokenTracker and ProfileTracker to alert you when the user changes.

Access Facebook page statuses with an app access token

Reading the API docs (https://developers.facebook.com/docs/reference/api/page/) I assumed that in order to read a public pages status updates, I would require "any valid access_token or user access_token" (quoting the docs here).
However, if I try to get the status updates for the public page, using my app access token, I receive the following response: "A user access token is required to request this resource"
GET 20531316728/statuses?access_token=myappaccesstoken
So, my question is whether the docs are just plain wrong, I'm doing something wrong, or whatever?
There is a clarification that needs to occur by Facebook [1]. The docs are either outdated or Facebook has changed their mind on handling these updates which is interesting seeing that
GET /PAGE_ID/feed?access_token=myappaccesstoken
works (and holds all the statuses). I was told by someone in IRC #facebook that maybe the statuses call is more expensive (not too bought on this idea).
My current stance is that either
"any valid access_token or user access_token" was supposed to imply those excluding app tokens, or
Facebook realizes that one can bypass the OAuth Flow by using an app token on pages when Facebook desired some form of authentication.
In the end, these are all assumptions.
I haven't been able to get a clear answer out of any Facebook employee as to whether this is indeed a bug or an intentional removal of this feature.
[1] - http://developers.facebook.com/bugs/480742545315442

access_token expires? I'm trying to query a public post w/JS. Easier way?

Beginner here, and I've been getting lost in the Facebook developer docs and Google for hours. I'm sure this is a simple question, but I just need some direction.
What I'm trying to do: query latest post of a page owner from a public Facebook page with JavaScript and parse it to display within my own HTML (can't use a Social Plugin - I need custom control over HTML/CSS).
What I've got working so far:
var token = '<my_token>';
var query = 'fields=posts.limit(1)';
var request = 'https://graph.facebook.com/[mypage]?' + query + '&access_token=' + token;
$.getJSON(request, function(response) {
alert(response.posts.data[0].message);
});
This does work, however, the Access Token debugger says my access_token is going to expire in 2 months. Why? It's a public Facebook page, and I only want to query the page owner's latest comment. Do I really need to create a Facebook App and login via PHP just to access this public information?
I'm doing the exact same thing with a Twitter feed and all I had to do was $.getJSON http://api.twitter.com/1/statuses/user_timeline/.json, completely in JavaScript.
It seems getting similar information from Facebook is much more difficult, but perhaps I'm going about it the wrong way?
This does work, however, the Access Token debugger says my access_token is going to expire in 2 months. Why?
Because that’s what user access tokens do.
Do I really need to create a Facebook App and login via PHP just to access this public information?
For pages that are restricted in any way (based on age, country or for alcohol related content) you have to use a user access token, because that’s the only way Facebook can figure out whether you’re actually allowed to see the content or not.
If it’s your own page, then you could generate a page access token – those don’t expire by default, if you use a long-lived user access token to get them.
But you don’t want to expose that kind of token in client-side JavaScript, because everyone visiting your site could steal it from there and act on behalf of your page then.

OAuth2 User Mapping and Losing my Cookies

Wrapping my old-fashioned head around OAuth....
Aside from the request/response mechanics and the Authorize / Authenticate round trips (which I think I understand) I am struggling with mapping my MyUser object (whatever that may contain) to an OAuth token, if (actually when, not if) the user kills any cookies (encrypted or otherwise) I may have dropped on the browser.
I get MyUser info at the original Login (call it 'registration' for my site) but now MyUser comes back, all cookies are gone so he is just 'user'. Fair enough, user has to do an OAuth login again, but now I have no way of associating the new Token / Secret with MyUser data.
What am I missing?
--- edit Aug 2/2012 -----
Let me restate this (I am pretty sure I am being thick about this but guess that's what here is for):
As pointed out in Replies, each OAuth provider has their own mechanism. We can navigate those and get back an access Token for the user.
Let's say Hero registers on my site using Facebook. FB returns his FB UserID and Name along with the Access Token. We are clever enough to request and get his FB Email, and we ask him some other registration q's before letting him in. Then we save this in our datastore (linked to our own User record):
OurUserId : 1234
oAuthProviderName : Facebook
oAUthProviderUserId: xxxxx
oAuthProviderUserEmail: hero#mlb.com
oAuthProviderUserName: iBeHero
oAuthToken: entracingly-unique-string-of-goop
oAuthSecret: moredata
.... etc.
and set a cookie to identify him as our user# 1234.
Now Hero goes away, kills his cookies for some reason, and then comes back to us.
Now he decides to Log In with Twitter. I have no cookie so I don't know who he is, and we go through the process again.
To me he looks like a new user so once Twitter sends me a Token I start asking him Registration questions, clearly not right.
Turns out Twitter doesn't return an Email address so I can't match that, and even if they did (I think almost everyone else does) Hero likely has more than one Email.
It seems to me that the only tie I have between the two (or however many) logins is whatever cookies I set that have not been deleted.
Are we saying that the entire OAuth2.0 mechanism hangs on this? I can't believe that is right, but don't see another way, so I must be missing something, yes?
If you're using OAuth as a login mechanism as well, then make sure whichever provider you're talking to has some way of returning back a stable ID for a user. That ID is the key you'd use for looking up the user in your DB.
Different providers have different ways of doing this. For Google, details on how to do authentication with OAuth 2.0 are here. For Twitter, they use OAuth 1.0 and return the user ID when exchanging the code for an access token. Facebook has its own way of doing it as well.
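The answer's point is that the lookup key is the provider's stable user ID, not a cookie. As an added example (not code from the question or the answer), the in-memory store below keys each identity by (provider, providerUserId) and plays through the Hero scenario from the question: a cookie-less Facebook return finds the existing account, a cookie-less Twitter login is genuinely unknown to the server and so registers a new account, and the way out is to link Twitter while Hero still has a session, after which a cookie-less Twitter login also resolves to his account. Provider IDs, emails and tokens are constructed sample values.

```javascript
// Added example (not from the question or answers): keying users by the
// provider's stable user ID instead of by a cookie.
function createIdentityStore() {
  let nextUserId = 1;
  const users = new Map();       // local user id -> user record
  const identities = new Map();  // "provider:providerUserId" -> local user id
  const identityKey = (provider, providerUserId) => `${provider}:${providerUserId}`;

  // Called once the provider has returned a verified user ID and tokens.
  // currentUserId is the local user from a still-valid session, if any.
  function loginWithProvider({ provider, providerUserId, email = null, displayName = null, accessToken = null }, currentUserId = null) {
    if (!provider || providerUserId === undefined || providerUserId === null || providerUserId === '') {
      throw new Error('provider must return a stable user id');
    }
    const key = identityKey(provider, String(providerUserId));
    const identity = { provider, providerUserId: String(providerUserId), accessToken };

    // 1. Known identity: a returning user, with or without our cookie.
    if (identities.has(key)) {
      const userId = identities.get(key);
      users.get(userId).identities[key] = identity;   // refresh the stored token
      return { userId, status: 'returning' };
    }
    // 2. Unknown identity while a session exists: link it to the current account.
    if (currentUserId !== null && users.has(currentUserId)) {
      users.get(currentUserId).identities[key] = identity;
      identities.set(key, currentUserId);
      return { userId: currentUserId, status: 'linked' };
    }
    // 3. Unknown identity and no session: from the server's point of view this
    //    really is a new account (the Twitter-without-cookie case).
    const userId = nextUserId++;
    users.set(userId, { id: userId, displayName, email, identities: { [key]: identity } });
    identities.set(key, userId);
    return { userId, status: 'registered' };
  }

  const getUser = (userId) => users.get(userId) || null;
  return { loginWithProvider, getUser };
}

// Walks through the scenario from the question with constructed data.
function heroScenario() {
  const fb = { provider: 'facebook', providerUserId: 'xxxxx', email: 'hero@example.com', displayName: 'iBeHero', accessToken: 'fb-token-1' };
  const tw = { provider: 'twitter', providerUserId: '98765', displayName: 'iBeHero', accessToken: 'tw-token-1' };
  const steps = [];

  const store = createIdentityStore();
  steps.push(store.loginWithProvider(fb));   // registration via Facebook -> user 1
  steps.push(store.loginWithProvider(fb));   // cookies gone, Facebook again -> still user 1
  steps.push(store.loginWithProvider(tw));   // cookies gone, Twitter -> new user 2 (the problem)

  const fixed = createIdentityStore();
  const hero = fixed.loginWithProvider(fb);
  steps.push(fixed.loginWithProvider(tw, hero.userId));   // link Twitter while logged in -> user 1
  steps.push(fixed.loginWithProvider(tw));                // cookies gone, Twitter -> user 1
  return steps;
}
```

The design choice is that a provider identity is attached to an account only in two situations: it is already known, or the user proves ownership of the account by having a live session when the new provider returns. Matching on email is deliberately not used, for the reason the question gives (Twitter does not return one, and people have several).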