What's the importance of the facebook offline_access permission?
What it is useful for while the application can for example post to the user wall even if he is not logged in (of course after he once allowed access to the application without the offline_access permission).
Thanks.
With the Facebook PHP SDK, you ask for the offline_access permission when generating the login link :
$args['scope'] = 'offline_access';
$loginUrl = $facebook->getLoginUrl($args);
echo 'Login with Facebook';
Then you can make API calls with that token :
require "facebook.php";
$facebook = new Facebook(array(
'appId' => YOUR_APP_ID,
'secret' => YOUR_APP_SECRET,
));
$facebook->setAccessToken(USER_ACCESS_TOKEN);
$facebookdata = $facebook->api('/me');
The offline_permission allows you to make API calls with the token, even when the user has logged out.
Hope that helps !
Facebook Permissions:
Enables your app to perform authorized
requests on behalf of the user at any
time. By default, most access tokens
expire after a short time period to
ensure applications only make requests
on behalf of the user when the are
actively using the application. This
permission makes the access token
returned by our OAuth endpoint
long-lived.
Related
I'm using Firebase v8 with the GoogleAuthProvider.
Firebase documentation provides the following code to authenticate the user.
firebase.auth().signInWithPopup(provider).then((result) => {
/** #type {firebase.auth.OAuthCredential} */
var credential = result.credential;
// This gives you a Google Access Token. You can use it to access the Google API.
var token = credential.accessToken;
// The signed-in user info.
var user = result.user;
// ...
})
Questions
Google's Using OAuth 2.0 to Access Google APIs article recommends incremental authorization (it's not Firebase, but the recommendation is clear)
It is generally a best practice to request scopes incrementally, at
the time access is required, rather than up front. For example, an app
that wants to support saving an event to a calendar should not request
Google Calendar access until the user presses the "Add to Calendar"
button.
AFAICT, there is no way to achieve incremental authorization with Firebase without re-authenticating the user. While scopes can be added to GoogleAuthProvider using addScope, a subsequent call to signInWithPopup is required (i.e. the user is re-authenticated). Is there any way to prompt only for authorization (e.g. Drive access) without re-authenticating?
Assuming the access token is short lived, can the Google ID token be used to obtain a new access token? Is re-authenticating the user the only way to obtain a new access token?
Is there a way to determine whether the access token has expired?
My user has granted all permissions for authentication scopes to google calendar, but the API is returning a 403 error. However, this only happens for some users. Most user do not have any problem.
I reviewed this live with the user as they granted access and can confirm that they did grant access to all the scopes but the issue still persists.
When you are accessing an api endpoint that requests privet user data you must be authorized to access that data. You haven't posted your code or stated which method you are trying to use but as an example lets look at
Events.list in order to use this method the documentation tells us that you need to authorize the user with one of the following scopes
If you authorize your application with a difference scope and not one of these you will get the error message you are seeing Insufficient authentication scopes.
The key to fixing this will be to fix your code to ensure that you are sending the proper scopes, then to revoke the users access and force the system to prompt the user for consent again. The user must see the consent screen again showing the new scope required. Once the user has authorized with the new scope it will work.
It is probably running on an old access token and refresh token without prompting the user for authorize again.
The insufficient scopes means that the user has authorized your application bu
accessToken=LinkedinDialog.oAuthService.getOAuthAccessToken(LinkedinDialog.liToken,verifier;
LinkedinDialog.factory.createLinkedInApiClient(accessToken);
client = factory.createLinkedInApiClient(accessToken);
Person profile = client.getProfileForCurrentUser(EnumSet.of(
ProfileField.ID, ProfileField.FIRST_NAME,
ProfileField.EMAIL_ADDRESS, ProfileField.LAST_NAME
));
Your code doesn't show this so I don't know if this is your issue or not, but access email address requires that you request the r_emailaddress member permission in your OAuth scope when you request your auth token. Check your code and ensure you're asking for that permission.
I'm using OAuth 2.0 to log in users in my website. Just like any kind of website, e.g. Google, Asana, etc. .
What I would like to know is if there is a way to revoke ONLY the access token and not the refresh token when the user logs out.
This is what I do:
when a user logs in, I create a session and obtain the access token (and the refresh token if the user logs in for the first time). When the user logs out, I just invalidate the session but the access token is still valid.
Sure, the access token will invalidate after a while or when the user logs in the web app again but what I want to know is if the access token can be invalidated during the log out process.
There's no generic answer to this question as the implementation of token revocation behavior wrt. related tokens is Authorization Server specific. Google will invalidate the refresh token together with the access token that is being revoked, other implementations may choose not to do so. Yet other implementations may not even offer a way to revoke access tokens at all.
For Google you can revoke the access token upon logout as described in https://developers.google.com/accounts/docs/OAuth2WebServer#tokenrevoke but it will also revoke the associated refresh token. You must then go through the authorization code flow again to get a new refresh token, which you could try with prompt=none to avoid the user being prompted.
to access users info when they are offline,
the user grants offline_access and I store them by this :
$session=$facebook->getSession();
if($session)
{
$access_token=$session['access_token'];
}
$qq=sprintf("insert into `tokens`(`uid`,`access_token`) values ('%s','%s')",$myid,$access_token);
$res1=mysql_query($qq);
but when I try to use graph.facebook.com to collect information from them , it sometimes work and some times doesn't and gives me this error :
Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons
i use graph.facebook.com/[function]?access_token=[the access token saved in DB]
what's my fault?
First, the access token with the offline_access permission can become invalid if :
the user de-authorizes your app in his privacy settings
the user changes his password
You can read a blog post from Facebook about how to handle expired tokens.
Then, you should not :
make API urls directly with URLs, like you do when you call graph.facebook.com/[function]..., but use the Facebook PHP SDK functions to make API calls.
use the version of the PHP SDK you are using ($facebook->getSession() is from v2.x) is deprecated, that might be the causes of your problems.
Here is an answer on Stackoverflow about how to handle offline_access access tokens with the Facebook PHP SDK v3.x.
Hope that helps !