Setting / Editting the current FacebookWebContext AccessToken - asp.net

I'm coding an ASP.NET website that works with facebook.
To make my own life easier, I've decided to work with the facebook C# SDK.
At this point, I've already obtained a valid access token, thus I've authorised correctly.
(I have done this through server-side C# code, not via the JavaScript SDK)
I now want to store this access token in the current FacebookWebContext, so that I can use it through the whole website.
However, when I try to write the value in FacebookWebContext.Current.AccessToken, I get the following error:
Property or indexer FacebookWebContext.Current.AccessToken cannot be assigned to -- it is read only
Now, I could try to create a new FacebookWebContext, and set this one as the current one, but the constructor doesn't accept an access token.
How do I put my access token in the current facebook web context?

It should already have the value when you do : FacebookWebContext.Current.AccessToken
Is it empty?

Related

How do OWIN Authentication providers work? How would I write a custom one?

I'm looking at the source code for Microsoft.OWIN.Security.Google and am a bit confused and overwhelmed at how many classes there are to do such a simple thing (redirect, get a cookie, check it).
Can anyone explain how the various components fit together
Middleware
Extensions
etc
... so that I can write a custom provider
After some google-ing and trying different ideas in debugger I ended up with "copy-paste-edit" :)
here is a brief resume of classes
Extensions - nothing special, a helper:
// instead of using
app.Use(typeof(CustomAuthenticationMiddleware), app, options);
// you can use
app.UseCustomAuthentication(options);
Middlware - methods are used to attach authentication to owin pipeline
AuthenticationProvider - As I understand, this could be overriden outside, to be able to change some logic without rewriting whole thing. Has 2 methods:
Authenticated - is called when handler finishes all authentication in AuthenticationHandler.AuthenticateCoreAsync()
ReturnEndpoint which is called in AuthenticationHandler.InvokeAsync, just before external authetication.
But it appeared absolutely useless, when I tried to customize existing providers (google, facebook,...)
Handler - here is all the OAUTH2 functionality.
ApplyResponseChallengeAsync() - generates AuthorizationEndpoint URL and redirects useragent to authorization server
InvokeAsync() - handles the get to RedirectEndpoint (/signin-google or whatever was set up on authorization server) and returns the user to the starting controller(or callback). It is doing a redirect with all needed cookies set up
AuthenticateCoreAsync() - does all server side calls to authorization server. Creates all Identity.Claims necessary to create appropriate cookies before

How to write a webscript to returns the ticket for the current user?

I need to implement a web script that generates a returns the ticket for the current user. This web script is addressed by the URI I use to setup a URLConncetion. The ticket should be contained in the response body, which I need to evaluate in my JSP (or Java code) to extract the ticket. How can be done by a simple JavaScript / FreeMarker web script, using the JavaScript session root scope object to retrieve the ticket, i.e. session.getTicket() ?
Can any one pls write the steps to do?
ticket.get.html.ftl (or json or whatever you want):
${session.ticket}

DotNetOpenAuth AspNet request status_update permission

I am using DotNetOpenAuth.AspNet for Facebook authentication. And everything works well.
However, I have to change app permissions so when a user logins I should request status_update permission. I've changed Permissions in Facebook app configuration, but I didn't get updated Login Window in my application.
Also I tried to handle OAuthWebSecurity.RegisterFacebookClient method call with passing extra data scope attribute, but without any access.
Does someone know how to request additional Facebook permissions using DotNetOpenAuth.AspNet?
EDIT:
When I try to do post I got this error:
(OAuthException - #200) (#200) The user hasn't authorized the application to perform this action
And this is what I get when I try to login to my app:
There is no status_update permission.
Thanks.
At this point you can't. Deep in the innards of DotNetOpenAuth.AspNet there is a class called FacebookClient. Within class is a method which is called "GetServiceLoginUrl".
This method in version 4.3.0 hardcodes the scope to "email".
If you go to the Nuget prerelease repository however, and get the prelease version 4.3.1 from there, the FacebookClient class comes with an additional parameter in the constructor - scope. You can add the permissions in there, and it will add them to the request url.
The pre-release package source is http://teamcity.dotnetopenauth.net:82/guestAuth/app/nuget/v1/FeedService.svc/
new FacebookClient(appId, secret, new[] {"email","manage_pages"});
and you should be good to go.

ASP.NET Webforms User Authorization with Routing

I have a route
routes.MapPageRoute("clientOrder", "Contract/{contractId}/Orders",
"~/ContractOrders.aspx");
The idea is to authorize user to allow access to a certain set of contracts.
For instance user1 has access to pages Contract/001/Orders and Contract/002/Orders
user2 has access only to Contract/003/Orders, etc.
I'm using Forms Authentication and trying restrict access with
CheckUrlAccessForPrinсipal but it checks only physical access to the page not logical.
I tried to check access in Global.asax in Application_AuthorizeRequest but
Request.RequestContext.RouteData there is allways empty so I don't know the requested contractId. I can parse it manually from HttpRequest object. But it is a very dummy and unraliable solution.
Please advice
I believe that the only way is to add some code to check the contractId at the ContractOrders.aspx page level and if the Id doesn't pass the autorization, you manually redirect somewhere to indicate that the access is not granted.
The built-in mechanism always works at the physical level with route maps, so no matter how your route looks like, the engine always checks the access to the resource the route is mapped to, not the route itself.

validating fb cookie using md5 hash

I am trying to incorporate facebook login in my ASP.NET web app and came across the following article which has a code sample for the same.
http://ntotten.com/2010/04/new-facebook-connect-in-csharp/
The following is from the article.
Next, and most importantly, the class
validates the cookie. This validation
uses MD5 hashing to compare the
contents of key appended to the app
secret to the signature that comes in
with the cookie. If these values match
we know the key is valid.we know the key is valid.
Why is Md5 hashing being used for that? Why not SHA or some other algo?
What happens if I don't validate the cookie? Can invalid cookies be sent to the server?
In the article, he throws a new security exception if cookie is invalid? What should the user do in such a case?
I have never really worked with cookies, so I am trying to get the basics right here.
Thanks.
Ok, after some more searching and going through the code, I finally got it.
http://developers.facebook.com/docs/authentication/fb_sig
I recommend you just use the SDK I made to do the verification. http://facebooksdk.codeplex.com. That article was basically the first code I wrote when starting that SDK. The sdk will handle pretty much everything you will need to do to develop facebook app on .Net. We use it where I work on some very large facebook apps hosted on windows azure.
The SDK will handle all the hashing/validating for you. All you need to do is this:
var app = new FacebookApp();
var session = app.Session;
if (session != null) {
// Session is valid
} else {
// Session is not valid
}
The session object is validated before it is returned to you.

Resources