I am unclear on whether Facebook requests (user to user) can only be used for Games Apps - or whether other web based FB Apps can use requests also.
We have a web based FB App - on our website a user can Connect with FB and start a fundraising campaign. We wish for the user to then be able to invite FB friends to view their campaign. But we are unclear how we can possibly communicate with our registered users FB friends. Can we use requests for this?
Any advice appreciated
If you're simply wanting to invite users to your app, the Requests Dialog is the easiest way to do that:
FB.ui({method: 'apprequests',
message: 'My Great Request'
}, yourCallbackFunction);
Related
I've recently been seeing this all over the web these days:
Earlier we used to have sign in with Google, Facebook, Twitter, etc., buttons using OAuth and what not but this something new as this is very much aware of all the accounts that you are logged in with on Google in your browser and all you have to do is to just click the click on the one you want to use.
I am curious to know what is this called, What technologies does it use and how can I incorporate this into my own websites?
Google uses OAuth 2.0 only for third-party authentication using its accounts.
But the JS that is responsible for initiating this flow is improvised. It now detects the state of signin, and shows the list of accounts that are already logged-in or were logged-in at this device. The user selects one of the accounts, and from there the sign-in process is the same standard OAuth flow.
Reference:
https://developers.google.com/identity/sign-in/web/sign-in
https://developers.google.com/identity/sign-in/web/session-state
("Superpoints" and "Megashop" used below are fake business names)
I am using Firebase Auth to authenticate users in my (Android) app ("Superpoints"). My users can earn points for using my app, they can later spend when paying for something.
I want to integrate with a partner ("Megashop") in the following way:
Alice opens the Superpoints app on her Android phone.
In the app she clicks on "Megashop campaigns".
A web browser or a web view (whichever is fine for me) for superpoints.megashop.com opens. The opened page has a button like "Login with Superpoints account".
Alice clicks on "Login with Superpoints account" and provides her credentials (this can be email+password, log in with phone number, log in with Google Account).
The system checks if Alice's accounts exists in my user database and sends back the response to Megashop with Alice's Superpoints membership ID and her balance (for example: "{ memberId: 100500, points: 42 }").
After Alice purchases something in Megashop, their checkout hook sends a request to HTTPS endpoint for a cloud function that adds an amount of points (for example, 250 points) to Alice's balance (something like https://app.superpoints.com/accrual?partner=megashop&memberId=100500&points=250).
On my app's website, I do the authentication using FirebaseUI Auth, in the app I'm also using FirebaseUI (library for Android).
Now finally the questions: How to authenticate my users on a third party's site? What are the best practices? Should I build some kind of a gateway for the third party, or is there an easier way for doing that?
This is a classic case of OAuth.
Firebase Auth, as far as I know, does not support acting as a OAuth provider.
I' working on a login page where I want to use WeChat as login option and I have a WeChat official account. In my understanding of the documentation it's supposed that the next link would generate a QR code to scan and after the user authorization redirects somewhere else...:
https://open.weixin.qq.com/connect/qrconnect?appid=wx8bxxx21bxxxx0fxxx&redirect_uri=https://myhostname/oauth2.php&response_type=code&scope=snsapi_login&state=101#wechat_redirect
But the link doesn't work. I don't know if I'm missing something or maybe the site https://myhostname/oauth2.php has to have a previous authorization call to WeChat... ???
Somebody has worked with this WeChat stuff?
Thanks in advance!
I realized later that you must have a WeChat Open Platform Account, where you register your web application, wait for approval, and then give it the login permission to get access to that QR Code functionality
If you are working on how to login web page after scanning qrcode of an offical account on the web page.
There are two ways to approach this.
Scan service official account
You can generate the qrcode injected with parameters. then after you scan, there will be an event triggered in your backend.
Capture the event and extract the parameter, then do the authentication in the way you want.
The basic workflow:
app frontend request your backend for a session.
app backend call wechat api to generate a qrcode, injecte with any parameter you like.
app frontend show the qrcode.
user scan the qrcode of the service account.
if user did not subscribe, then subscribe the official account.
backend receive the scan event, extract the info and authenticate the user.
Scan subscription official account
In subscription get less programing support, but you can still achieve it by design a random code.
The basic workflow:
app frontend request your backend for a session.
app backend generate a random code.
app frontend show the qrcode of the official account with a random code.
user scan the qrcode of the subscription official account.
if user did not subscribe, then subscribe the official account.
user input the random code in the official account message UI.
backend receive the code and authenticate the user.
attach user info in your db with openid if you want.
Use an open platform to do it in the smart way.
If you doing this for one official account, it is ok. Let's say if you want to reuse this for multiple official accounts.
Maybe can use the open platform way, so you can have only 1 backend to handle multiple accounts.
Wechat offer an open platform, here is the get start doc.
Register an open platform need to pay 300RMB for verification, more troublesome part is, you need to register a company to be qualified to pay.
So maybe using a third party open platform will be a better choice. Such as Dagui Qrcode Tool.
Key take aways
Use parameter Qrcode for service official account login
Use account qrcode with random code for subscription official account login
Use open platform for scaling
Authentication is flexible, the key is the event exchange flow.
More secret technology related to wechat development, can refer this article
You need to set the OAuth2.0 web authorization domain to your subdomain in your redirect url, such as: wechat.myredirectdomain.com.
This setting is hidden on the WeChat official account dev setting dashboard, some where in between the API list, make sure you set it properly.
This may seem like a totally idiotic question but I am looking at writing a web app/service that will utilize google's calendar API's and I needed to see if I have the ability to write to a users calendar when the user isn't logged into there google account. I couldn't find any clear documentation that illustrated whether or not I could do this or not. I pictured the authorization process something the user agrees to when they sign up for my site and then my app can go add things to there google calendar. Does anyone know if this is possible? If so, can someone hook me up with a link that illustrates how that works?
Thanks in advance
You're thinking about "logged in" wrong.
Because web connections don't persist between requests, any web-site or web-service is checking headers such as the Authorization header and/or Cookie header (depending on what authorisation method is used), with each and every request and matching the request to a user.
Hence logging in* means that the web client (browser or whatever) is set to use the details that relate to a particular user in making the request.
When you use the API, the authorisation information you send, is performing the same job. As such, when the user is using your API they are logged in through your API, whether they're logged in through a web page or other application or not.
E.g.:
My web browser is currently logged into google to an account I use for work stuff.
My mail client is logged into google calendar to an account I use for private stuff.
When I look at google calendar, I see that I don't have any calendars (I don't use it on my work account).
When I look at Thunderbird, I see my calendars.
If I peek at the traffic being sent by the browser and mail client, on both I see headers like:
Authorization: GoogleLogin auth=...stuff I'm not going to share or it would help you impersonate me
So, I'm "logged in" on Thunderbird because the code using the API logs me in itself.
Indeed, the same application can access multiple accounts and be "logged in" to all of them, as long as it has the authentication details to do so.
*Strictly, some would argue that "logged in" isn't the correct term at all, and refers to different sorts of access mechanism where there is state on the connection. Whatever about that opinion, we use the metaphor of being or not being logged in, because users understand it.
The answer to your question is yes. Use OAuth 2 and the Authorization Code flow (web server flow), with offline enabled. Store the refresh tokens (which last indefinitely until the user has revoked), and you'll be able to upload events to Google Calendar even when the user isn't currently logged in.
More info: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
Credits to Ryan Boyd for this note.
I have to implement facebook login and also want to get logged in user's information like birthday, firstname, Email address.
I have already done some other stuff like recent activities etc of facebook using javascript SDK of facebook.
i am developing application in ASP.Net (C#).
How can i get user information, Please provide me any idea.
Once the user's logged in and you asked for extended permissions (you can use Javascript to do that) you get an access token and then you can call the Facebook graph API. This is server side.
FB do not offer a C# SDK for their API so you will have to find one (or make you own)
see http://developers.facebook.com/docs/api