I'm trying to write a facebook application using Java tomcat with RestFB.
the restfb documentation shows the following:
Create a Facebook Application
Request https://graph.facebook.com/oauth/authorize?client_id=MY_API_KEY& redirect_uri=http://www.facebook.com/connect/login_success.html& scope=publish_stream,offline_access,create_event
Facebook will redirect you to http://www.facebook.com/connect/login_success.html? code=MY_VERIFICATION_CODE
Request https://graph.facebook.com/oauth/access_token?client_id=MY_API_KEY& redirect_uri=http://www.facebook.com/connect/login_success.html& client_secret=MY_APP_SECRET&code=MY_VERIFICATION_CODE
Facebook will respond with access_token=MY_ACCESS_TOKEN
I think that i may be looking at the wrong instructions and this is for a facebook connect or anything else besides an actual facebook application inside apps.facebook.com/app_name.
I would really appreciate any relevant information regarding the issue. I'm simply trying to create a simple facebook application that prints the name of the user.
In general after I fetch the acces token of the user i can do the following:
FacebookClient facebookClient = new DefaultFacebookClient(MY_ACCESS_TOKEN);
User user = facebookClient.fetchObject("me", User.class);
out.println("User name: " + user.getName());
My problem is how do i properly fetch the access token of the user? in the information i showed at the top of the post, it shows that i need to make 2 requests. the first for the code and the other for the acess token. and the request for the access token actually reveals my app secret key to the user because each time i forward him to a different page the user can easily view the get and set parameters.
so i guess i'm pretty lost here.
please help! :)
thanks
update after comments
with these instructions i need two times to redirect the user's page. first to get the code and then to get the access token. the user can see these two redirections and because of that he can easily see the facebook application key and secret key from the get parameters. how do i make sure that these steps are hidden from the user?
As stated in the comments, these are the steps you need to take to access Facebook's graph API. However, to answer your second question:
"How do I make sure that these steps
are hidden from the user?"
Only the first request should be performed by the user's browser. The purpose being that Facebook wants to make sure it is the sole authorization provide for the user's Facebook identity. Depending on the application you are writing, you would either use the redirect URL to point to the default redirect URL that you specified, or specify a custom url on your website that you will use to retrieve the token. The first approach is typically used by stand-alone applications such as mobile devices that can control how the browser handles redirects. The second approach would be used for a custom web-based application. Once you receive the access token, then you would perform the second operation within your code (using your favorite http apis) and not through the browser. The redirect on the access_token url is compared against the redirect url specified on the authentication-url. Facebook uses it for validation only and does not perform an actual redirect on the successful completion of the request.
Here are the high-level steps:
Redirect user's browser to the authentication-url specifying the appropriate redirect_uri
Retrieve verification token from redirected browser request
Perform access_token retrieval using your preferred HTTP framework (no user input required)
Parse results and retrieve access token
Initial restfb with token and use as needed
The REST API has been deprecated. You should look in to the JavaScript and Graph APIs instead - there is a good article on this here: http://ocpsoft.org/opensource/creating-a-facebook-app-setup-and-tool-installation/ (Three part series, very detailed :)
Related
I am working on a solution to read log files from the GCP for an internal process. However, i am having a difficult time trying to generate an Auth Token for the request to grab the logs needed. This is more of a flow\context question rather than a whats wrong with my code one
The key issues i am having is that i do not want to prompt for web-browser authentication. I want to be able to do this all through API request and have no user interaction. Everywhere i have looked and all implementations i have tried, i am prompt for user interaction in some way and that is just not feasible for this solution.
How can this be achieved?
We do not have IAM enabled, so i cannot generate a JWT token.
I am trying to do this through using a Service Account created using client id and client secret.
I have tried getting a "code" to pass into a request to generate an authorization token, but that has been prompting me for user authorization in the browser which will not work, even when I add the query parameter 'prompt' or 'approval_prompt' to none or force.
I feel like i am missing one crucial piece to be able to achieve this flow and any help/guidance will be greatly appreciated.
There are several ways to authenticate API calls. If you want to do it without user interaction, you will need to use a Service Account (more info here). The process would be the following:
You use the client ID and one private key to create a signed JWT and construct an access-token request in the appropriate format. Your application then sends the token request to the Google OAuth 2.0 Authorization Server, which returns an access token. The application uses the token to access a Google API. When the token expires, the application repeats the process.
For this, you can use Client Libraries or you can do it manually with HTTP requests directly. In the docs there is a guide to do so.
We are developing a Java application that is supposed to show models from users store.
initially, I'm trying to allow users to login using their autodesk account, and check if they are entitled to access my app.
I couldn't find any good example to show how it is done, I just want to confirm that what I will be doing is the recommended thing or if there is better options.
First, on app start, I will show an embedded webbrowser that will open
"https://developer.api.autodesk.com/authentication/v1/authorize?response_type=code&client_id=XXX&redirect_uri=XXX&scope=XXX"
the app will get the url from our server (so not saved locally) and the call back is pointing to an api on our server. then as user login and consent, will get the code from the url, close the login dialog and continue to get the bearer token using plain rest apis to /authentication/v1/gettoken.
As I said, not 100% sure if this is approved way or not or even if it is doable or not. so thought to check before we implement it.
After that I will just use rest apis to browse and get the model.
any thoughts or complains ?
Thanks in advance
Rest assured that the workflow being proposed here is actually orthodoxical and well “approved” by our official tutorials:
https://forge.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/
http://learnforge.autodesk.io/#/oauth/3legged/
Unfortunaly the code sample for that bit is in node and we are still working on a Java equilvalent
Some of our endpoints require 3-legged oauth to access personal data - see here for an example and you can always refer to the authentication context section of each endpoint for the oauth flow required.
Hello everyone!
I am writing an application in Java which retrieves information from Instagram server by their API, accumulates it and builds a visualization map.
The problem is that I cannot automate the authentication process. The official Instagram API documentation states that:
In order to receive an access_token, you must do the following:
Direct the user to our authorization url.
If the user is not logged in, they will be asked to log in.
The user will be asked if they would like to grant your application access to her Instagram data.
The server will redirect the user in one of two ways that you choose:"
So it is a compulsory step for a user to login manually into his/her account. I believe that this is done in order to grant permissions to an app that uses Instagram API on behave of a user, for example, if it makes some posts in his/her account. However, I am not going to use any user's personal account. In fact I set up a seperate account for my application and registered the app (I got client_id, client_secret and set the redirect_uri). So I want only to use those credentials in order to get updated access token and make some REST API posts to Instagram.
What I do now, I make a GET request, receive back a login html page, parse it, insert my account credentials and after I make a POST request I receive the 400 code:
Sending 'GET' request to URL : instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=localhost&response_type=code
Response Code : 200
Extracting form data...
Sending 'POST' request to URL : instagram.com/oauth/authorize/?client_id=CLIET_ID&redirect_uri=localhost&response_type=code
Request content:CONTENT&username=LOGIN&password=PASSWORD&=Log+in
Response Code : 302
Sending 'POST' request to URL : www.instagram.com/oauth/authorize/?client_id=CLIENT_ID&redirect_uri=localhost&response_type=code
Request content:CLIENT_ID&username=LOGIN&password=PASSWORD&=Log+in
Response Code : 400
I don't understand why am I redirrected one more time. I am assuming that is because some security issues, maybe some hidden fields... do you have any ideas?
I appriciate any ideas and possible solutions to the problem. Thanks!
As i can understand from the requests it uses oath protocol which is common for google , twitter and more popular site authentication protocol.
Why not trying an oath library such as
https://github.com/google/google-oauth-java-client
I am just getting started on automation of posting messages on FB fan page on behalf of Admin(For e.g. I run a code in eclipse and It should post message on page). I read couple of similar questions on stack overflow, went through docs on FB API's but seems I am lost in this vast sea. I have few doubts.
Do I need to create an APP on Facebook that would interact with it's APIs. Can I not directly interact with them in my code(Java)?
What's flow of request to post status? My code -> My FB App -> My page or My Code -> My FB page
I see two different types of authentication, Server side and Client side. Are they both required or I can choose one of them.
Any link to some sample code for this would be extremely helpful.
I need to present this in a competition and have got only 1-2 days and figuring out stuff is taking too much time.
Any help would be appreciated.
Thanks
1 You need a Facebook application through which you're communicating with Facebook. An app can request various permissions and when granted by the user, you can access the user's data or pages. Of particular interest will be the manage_pages permission (see an overview of permissions).
2 The basic steps are: The app requests permissions to do something, the user grants them and after that you obtain an access token which you can use to interact with the API. So initially, the flow is: your code > the app (and the user) > Facebook API. After that, it's your code > Facebook API (with the access token passed as GET parameter in the URL).
The above is if you're doing user related things. For pages, it works somewhat the same but you still need a user access token. If you have manage_pages permission, you can visit /me/accounts (with the user access token) and you'll get a response that contains a page access token. That token can then be used to perform actions on the page on behalf of that user. This only works if the user is an admin of the page.
3 I have only used client side authentication so far but it's also possible to do server side only. Some access tokens live longer than others. For example, a user access token is valid as long as the user is signed into Facebook. But other access token (such as for pages) live longer. You can then store the access token and use it repeatedly.
4 At the time of writing, I'm not familiar with Java libraries for the Facebook API so I can't help you here.
I am developing a Java application that needs to access personal account Google Data of a user. The development is currently in netbeans on my localhost. I am implementing 3-legged OAuth. And while sending Grant request, it sends me Unauthorized Request Token and then redirects to Callback URL.
While trying to access Access Token, it gives me Error "Error Getting HTTP Response". Now, as per it given in Google Documentation, it is given that "If the application is not registered, Google uses the oauth_callback URL, if set; if it is not set, Google uses the string "anonymous"." Does it mean that I must register my application on Google Apps Engine before granting authorization & accessing request ? Please Help.
For reference : OAuth for Web Applications, OAuth in the Google Data Protocol Client Libraries
Based on your question, it's probably not the registration piece that's causing you trouble. It sounds like you just haven't implemented OAuth correctly — not that doing so is easy. The OAuth process is roughly as follows:
Get a request token. You must pass in a bunch of stuff that declares what kind of stuff you want access to and where you want Google to send the user when they're done granting you access to that data. This is where you pass in your consumer key, which you get by registering. The consumer key will be the string anonymous if you are developing an installed application (i.e., mobile app, desktop app, etc). This is a work-around; the alternative would be to embed your client secret or RSA private key within the application itself, which is a very, very bad idea. If you use 'anonymous', you should absolutely be setting the xoauth_displayname parameter. (Actually, everyone should set this parameter, but it's especially important if you're using anonymous.)
Once you have a request token, you then redirect the user to the special authorization endpoint, passing along the request token key in the query string. Assuming the user grants access, Google will redirect the user back to the callback URL that you associated with your request token. The request token is now authorized, but it can't be used directly just yet.
Once the request token is authorized, you can exchange it for an access token key/secret pair. The access token key/secret can then be used to sign requests for protected resources, such as the private data in the API you're trying to access.
For web applications, registering is almost always a good idea. It makes it much easier for users to manage their access tokens and revoke them if your application misbehaves or if they don't want you to have access anymore. If you don't register, your application will probably show up as a fairly scary-looking 'anonymous' in that list. It's really only installed applications that you wouldn't want to register for. You probably also want to register for an API key. An API key will dramatically increase your rate limit and it will also allow Google to get in touch with you if your application starts to malfunction.
I'd link to the OAuth docs, but you've already found them. Hope my explanation helps!
If you're developing on your local machine, you'll continue to get the same result as above.
For more interesting tests, then yes, you'll have to register your app and push it to the app engine.
Google will check if the domainname of the return-url is registered. You could also modify your dns/host-file to point the domain-name you're using to localhost.