I am just getting started on automation of posting messages on FB fan page on behalf of Admin(For e.g. I run a code in eclipse and It should post message on page). I read couple of similar questions on stack overflow, went through docs on FB API's but seems I am lost in this vast sea. I have few doubts.
Do I need to create an APP on Facebook that would interact with it's APIs. Can I not directly interact with them in my code(Java)?
What's flow of request to post status? My code -> My FB App -> My page or My Code -> My FB page
I see two different types of authentication, Server side and Client side. Are they both required or I can choose one of them.
Any link to some sample code for this would be extremely helpful.
I need to present this in a competition and have got only 1-2 days and figuring out stuff is taking too much time.
Any help would be appreciated.
Thanks
1 You need a Facebook application through which you're communicating with Facebook. An app can request various permissions and when granted by the user, you can access the user's data or pages. Of particular interest will be the manage_pages permission (see an overview of permissions).
2 The basic steps are: The app requests permissions to do something, the user grants them and after that you obtain an access token which you can use to interact with the API. So initially, the flow is: your code > the app (and the user) > Facebook API. After that, it's your code > Facebook API (with the access token passed as GET parameter in the URL).
The above is if you're doing user related things. For pages, it works somewhat the same but you still need a user access token. If you have manage_pages permission, you can visit /me/accounts (with the user access token) and you'll get a response that contains a page access token. That token can then be used to perform actions on the page on behalf of that user. This only works if the user is an admin of the page.
3 I have only used client side authentication so far but it's also possible to do server side only. Some access tokens live longer than others. For example, a user access token is valid as long as the user is signed into Facebook. But other access token (such as for pages) live longer. You can then store the access token and use it repeatedly.
4 At the time of writing, I'm not familiar with Java libraries for the Facebook API so I can't help you here.
Related
I have a website and my own server and database, I also have an native Android app. I need to allow users to be able to sign-in with their account from the website inside the app in order to sync information and other things they need to use. I've been stuck for a couple of days trying to figure out how to do that. I've found a lot of content regarding OAuth and AppAuth but they are focused on using an OAuth API to the job. Back on my server, I use Hybridauth for social login, but users can also register directly on the site. How would be the proper way to allow my users to sign-in to their website account through the Android app?
You're overthinking it. OAuth isn't meant for users to log in, it's meant to enable external services to access data on behalf of a user.
To make a user log in? Create a POST endpoint on your webservice named login. It should take two parameters- username and password. The body of the login service should salt and hash the password, then check if the hash equals the hash stored in the db for the same user. If so, you're logged in and you return a success packet with a unique token to authenticate you for later requests. If not, you return a failure. The Android app would ask the user for their data, then send a request to the endpoint. On success it saves the token and sends it in all future requests to authenticate yourself, either as a parameter or as a header.
This is of course the simplest possible version. More advanced features would include expiring of login tokens, refresh tokens, possible lockout if you have too many bad requests, etc. But the above is the basic idea. Although really I'd look for an open source solution you can take, as there's quite a lot of complexity when you get into all the stuff mentioned above, and its a place where a mistake that leads to a vulnerability is probably the most dangerous.
We are developing a Java application that is supposed to show models from users store.
initially, I'm trying to allow users to login using their autodesk account, and check if they are entitled to access my app.
I couldn't find any good example to show how it is done, I just want to confirm that what I will be doing is the recommended thing or if there is better options.
First, on app start, I will show an embedded webbrowser that will open
"https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=XXX&redirect_uri=XXX&scope=XXX"
the app will get the url from our server (so not saved locally) and the call back is pointing to an api on our server. then as user login and consent, will get the code from the url, close the login dialog and continue to get the bearer token using plain rest apis to /authentication/v1/gettoken.
As I said, not 100% sure if this is approved way or not or even if it is doable or not. so thought to check before we implement it.
After that I will just use rest apis to browse and get the model.
any thoughts or complains ?
Thanks in advance
Rest assured that the workflow being proposed here is actually orthodoxical and well “approved” by our official tutorials:
https://forge.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/
http://learnforge.autodesk.io/#/oauth/3legged/
Unfortunaly the code sample for that bit is in node and we are still working on a Java equilvalent
Some of our endpoints require 3-legged oauth to access personal data - see here for an example and you can always refer to the authentication context section of each endpoint for the oauth flow required.
I have a facebook page, a facebook app and an administrator facebook account of that page.
Now i want to publish a link on that page (i don't care how).
Since now i did that by getting a user access token of the admin for my app, then get the page, get a access token for that and then post with the admin on the page via my app.
Now the token expired and i read in the documentation that i can:
For example, if a user granted your app publish_stream permissions, your app can use an app access token to publish a status update on their behalf.
So i got the application access token.
But now i don't know how to go on, how can i publish on the page's wall with that token ?
I believe the application access token is for publishing on behalf of users. For pages, you should be using the page access token.
https://developers.facebook.com/docs/reference/api/page/
As described in the link above
To perform the following operations as a Page, and not the current user, you must use the Page's access token, not the user access token commonly used for reading Graph API objects. This access token can be retrieved by issuing an HTTP GET to /USER_ID/accounts with the manage_pages permission. This will return a list of Pages (including application profile Pages) to which the user has administrative access, along with access_tokens for those Pages. Alternatively, you can get a page access token for a single, specific, page by issuing an HTTP GET to /PAGE_ID?fields=access_token with the manage_pages permission, as described above. Publishing to a Page also requires the publish_stream permission, unless otherwise noted.
After more research i think there is no way to publish on pages with only a app token.
It is still possible to post on the wall of the users that authorized the app, but not on their pages ...
I'm trying to write a facebook application using Java tomcat with RestFB.
the restfb documentation shows the following:
Create a Facebook Application
Request https://graph.facebook.com/oauth/authorize?client_id=MY_API_KEY& redirect_uri=http://www.facebook.com/connect/login_success.html& scope=publish_stream,offline_access,create_event
Facebook will redirect you to http://www.facebook.com/connect/login_success.html? code=MY_VERIFICATION_CODE
Request https://graph.facebook.com/oauth/access_token?client_id=MY_API_KEY& redirect_uri=http://www.facebook.com/connect/login_success.html& client_secret=MY_APP_SECRET&code=MY_VERIFICATION_CODE
Facebook will respond with access_token=MY_ACCESS_TOKEN
I think that i may be looking at the wrong instructions and this is for a facebook connect or anything else besides an actual facebook application inside apps.facebook.com/app_name.
I would really appreciate any relevant information regarding the issue. I'm simply trying to create a simple facebook application that prints the name of the user.
In general after I fetch the acces token of the user i can do the following:
FacebookClient facebookClient = new DefaultFacebookClient(MY_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
My problem is how do i properly fetch the access token of the user? in the information i showed at the top of the post, it shows that i need to make 2 requests. the first for the code and the other for the acess token. and the request for the access token actually reveals my app secret key to the user because each time i forward him to a different page the user can easily view the get and set parameters.
so i guess i'm pretty lost here.
please help! :)
thanks
update after comments
with these instructions i need two times to redirect the user's page. first to get the code and then to get the access token. the user can see these two redirections and because of that he can easily see the facebook application key and secret key from the get parameters. how do i make sure that these steps are hidden from the user?
As stated in the comments, these are the steps you need to take to access Facebook's graph API. However, to answer your second question:
"How do I make sure that these steps
are hidden from the user?"
Only the first request should be performed by the user's browser. The purpose being that Facebook wants to make sure it is the sole authorization provide for the user's Facebook identity. Depending on the application you are writing, you would either use the redirect URL to point to the default redirect URL that you specified, or specify a custom url on your website that you will use to retrieve the token. The first approach is typically used by stand-alone applications such as mobile devices that can control how the browser handles redirects. The second approach would be used for a custom web-based application. Once you receive the access token, then you would perform the second operation within your code (using your favorite http apis) and not through the browser. The redirect on the access_token url is compared against the redirect url specified on the authentication-url. Facebook uses it for validation only and does not perform an actual redirect on the successful completion of the request.
Here are the high-level steps:
Redirect user's browser to the authentication-url specifying the appropriate redirect_uri
Retrieve verification token from redirected browser request
Perform access_token retrieval using your preferred HTTP framework (no user input required)
Parse results and retrieve access token
Initial restfb with token and use as needed
The REST API has been deprecated. You should look in to the JavaScript and Graph APIs instead - there is a good article on this here: http://ocpsoft.org/opensource/creating-a-facebook-app-setup-and-tool-installation/ (Three part series, very detailed :)
I've developed a Chrome Web Store app using Google App Engine. I'd like to follow these instructions: http://code.google.com/chrome/webstore/docs/identify_user.html#realm
But I need to call User::getFederatedIdentity() so that I can call the Chrome Web Store licensing server and find out if the user has purchased my app.
The trouble with that is, in order for UserService::getCurrentUser() to work, the user needs to be logged in.
The trouble with that is, when I call UserService::createLoginURL() to generate a redirect URL, the redirect URL takes the user to... the OpenID approval screen. This happens even though I've set the App's OpenID realm, as per the instructions in the page linked above.
Is there a way for me to do what I want but still use the User and UserService classes?
(Possibly a legit alternate phrasing for this entire question: using Google App Engine's UserService class, is there a way to request permission from the user to access their federated identiy, without also requesting permission to access their email address?)
Thanks in advance!
Please reread how to skip the OpenID approval screen. Have you set the realm? And are you asking for any information other than the URL? If you request the user's email address (or other information), then it is necessary to inform the user and obtain their permission to grant access to that information.