Facebook open graph - what is session secret and how to find it? - facebook-graph-api

can someone please enlighten me on what session secret is and how to find it?

A session secret key is used for signing request to Facebook api functions. It is used in situations where it can be disclosed, for example in browser executed javascript code which makes API calls and needs to sign them.
Facebook have not yet provided a way to get a session secret key in the new graph API so you need to enable 'deprecated api methods' under your app settings and then you can use the old REST api call auth.promoteSession to get your session secret key server-side, then embed that key in the code to be used client-side.

Related

Web API authentication using OAuth 2.0 token and Azure Active Directory (Without Authentication Server)

Is there a way to authenticate the Microsoft or google OAuth token in active directory without using an authentication server?
Here is the scenario:
A client app gets an Microsoft access_token from some external service.
Client app will make a call to some secured web API and pass that access_token along with the request header
If the access_token passed by client is valid then API will provide response to the client.
Is there a way to validate that access_token on API side?
My normal understanding about OAuth 2.0 is there needs to be an authentication server to which both the client and API would talk to as shown in the figure below:
But if the token is provided by some external service, Can we use it to validate our web API. Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.

Facebook Api Check Access Token Without Hardcoding App Secret

I'm building a manual login flow for my App which is integrating some facebook functionality.
I need to check when the current access_token of the user will expire.
The API documentary says I should do this call:
GET graph.facebook.com/debug_token?
input_token={token-to-inspect} &access_token={app-token-or-admin-token}
So I did this in C#:
Uri inspectAccessTokenUri = new Uri("http://graph.facebook.com/debug_token?input_token="+access_token+"&"); //IDK which value should have the last parameter
HttpWebRequest checkToken = (HttpWebRequest)WebRequest.Create(inspectAccessTokenUri);
var response = await checkToken.GetResponseAsync();
Stream stream = response.GetResponseStream();
StreamReader reader = new StreamReader(stream);
string data = reader.ReadToEnd();
Debug.WriteLine(data);
The last parameter should be the app-token:
BUT: Of course I looked up how to get the app-token and facebook says:
Note that because this request uses your app secret, it must never be
made in client-side code or in an app binary that could be decompiled.
It is important that your app secret is never shared with anyone.
Therefore, this API call should only be made using server-side code.
(Facebook Graph API Documentation 1.1.16)
So my question: Can I check the token without the app-token or hardcoding the app-secret?
App secret is usually used by the server-side app, we don't use it in our UWP app, it could be decompiled.
Read the official doc about FB Graph Debug-Token, this can only be used when you debug your app, for example if you want to check the metadata about a given access token, after you publish your app, your code will not relay on it.
In an UWP app, we use WebAuthenticationBroker class to connect to OAuth providers such as Facebook, Flickr, Google, and Twitter. Maintenance is need during using OAuth connections. For example, expires information is included in the access token, when we use OAuth protocol for authentication and authorization, we need to refresh the access token after it expired.
Due to these conditions, you may reconsider what you can do in an UWP app and which API you should choose.
If the app-token is expired you will get a facebook response error. And you can catch this exception to deal with the situation you want. In this way you don't need to make a request with your app secret.
You can also use fb-uwp sdk that contains AccessTokenData for authenticated users

Where do I get Client Secret for Google Admin SDK?

This documentation: https://developers.google.com/admin-sdk/directory/v1/quickstart/quickstart-java#step_1_enable_the_admin_sdk_directory_api
Mentions that I need to have client secret, and the code sample lower on that page uses client secret.
However, when i go to APIs and auth/Credentials here https://console.developers.google.com/project/[proj]/apiui/credential#
I only can find clientId and private key instead.
Is there some other place I should get client secret from?
Google API Console is here
APIs and Auth (left)
Credentials Submenu
After I created an OAuth, my information was there.
(by my information was there, I mean successful showing of client secret, etc)
I used wrong type of API, I need web API for that, but I used server API when I was setting up Authentication. Adding web API for authentication added client secret for me.

get Key production in Api manager

I'm working with WSO2 Api Manager version 1.6 and I need to obtain by a REST (or SOAP) service the Access Token (of Key Production) of the current suscription of an application.
Is it possible to obtain that key giving as input parameters user/pass of consumer (suscriber) user?
There is token generation and renew method from client side,however you need consumer and secret key to generate this Token.
http://docs.wso2.org/display/AM160/Token+APIs
Months ago I was working on that. I investigate trying with APIKeyMgtSubscriberService?wsdl. Try to call function getApplicationAccessToken by Soap UI. It returns keys you need, but I don't know why in my case returns some keys which are not equal to keys showed on the web interface.
Hope it helps.

How to authorize user in RESTful request?

From the posts about REST services, I see that it should not be used sessions together with REST, and with every request there is need to send user credentials to the REST service. But I don't see that somebody continues then how to make the authorization in next requests after login.
In my project, I authenticate (login) the user, checking his credentials from database server.
If with every REST request also comes user credentials again, does this mean that, for any need of authorization after login, I need to check the credentials again from the database?
This means, after login, with almost every click and surfing pages, I need to access to the database to check the user credentials, just like I do it for login.
Or...
Am I missing some thing?
Is there another way to remember in the server side that the user had already logged in before and thus is authorised?
Do I keep some secret key related to the user in the server, and then check this etc.? But, does not this mean keeping a session?
REST => Not Session => Send credentials with every request
Does the above mean, => Authorize the user just like in the authentication ?
Or what are other alternatives?
Thank you for clarifications.
I think that this is the best approach:
REST => Not Session => Send credentials with every request
Take a look on OAuth. The version 1.0 may be useful for you.
Spring Security already have implementations for OAuth in Java.
If with every REST request also comes user credentials again, does this mean that, for any need of authorization after login, I need to check the credentials again from the database?
You have to authenticate user on each request, but whether authentication uses database or not depends on implementation. By the way, you also have to then authorize the request for the authenticated user.
Do I keep some secret key related to the user in the server, and then check this etc.? But, does not this mean keeping a session?
You can have some secret key known only to the user as an alternative to username-password pair and use this secret key for authentication.
The presence of a secret key doesn't mean keeping a session, because it is not necessarily change on a per session basis.
In my project, I authenticate (login) the user, checking his credentials from database server.
Login is not authentication, it's usually a request for a secret key / session key done using username-password pair for authentication