We have developed an app that let user login with facebook. The app has been granted all required permissions to retrieve name, email, gender and age range etc. But our app developer stored only id,name and email while user login. Now we need to retrieve gender and age range of all those users who have logged in the app.
Is there a way to rerun user query to retrieve those data? I am looking to develop an program using Spring-social and RestFB but it needs user login action to retrieve required data which is problem in our case since we cannot recreate login action again.
As long as the user granted public_profile permission to your app, and you have their app-scoped user id, you can make the API call using your app access token.
And if you are looking to request this data for a lot of users, then you should optimize your requests in the following ways:
request the fields you need only: /user-id?fields=id,gender
request data for multiple users in one go: /?ids=user-id-1,user-id-2,user-id-3&fields=fields=id,gender – https://developers.facebook.com/docs/graph-api/using-graph-api/v2.5#multirequests
perhaps even use Batch Requests if necessary, https://developers.facebook.com/docs/graph-api/making-multiple-requests/
Related
For my web app I am trying to allow the user to add multiple payment methods. I am using the user token in order to gain access to the income feature. However, there appears to be no way to allow multiple payment methods because the user token only corresponds to the data most recently entered through Plaid Link and trying to create a second user token fails because you cannot have repeat client user ids. How exactly do you get around this?
I want to create an application that can share my schedule with all users in the same room using google calender api.
When authenticating with web client (oauth), do each user have the authority to view only the information of the user authenticated by his own browser?
For example, suppose user A and user B authenticate with oauth in their respective browsers.
In this case, does User B's browser have permission to view User A's calendar?
Or can I only view my own calendar?
If I want to do the above, do I have to use a backend to hold a per-user access token?
its a little more complicated than that.
When user A run your application the user is displayed a consent screen. Asking them if they are willing to give your application access to their data. Assuming the user gives your application access. Then Your application has access to access that users data.
When user B runs the application then the application will request user B for permission to access their data.
The application has access to user B's data and user A's data. User A does not have access to user B's data.
What you could do is create a page where your application then displays data to both users from each others calendars. If you want this to be a permanent thing then the application could also add user A to user Bs calendar and visa versa. Granting them each access to each other's data.
You may end up with some issues here as FAR As GDPR goes you will need to be sure that the two users realise that they are going to be sharing data for their calendars. Does user A really want to show user B that they have an appointment for a hair transplant operation on monday for example. This is private user data and you are treading on some sensitive data here.
Suppose I have an application in which I have enabled (google) Oauth2 authentication but I want only a few business people can log in to my application with there specific email id and rest of the people can't. How Can we achieve this using Oauth2?
1.) Lots of people have a Google account and can authenticate with Google
2.) I want Only some of them should be authorized to use your app, which maybe deals with business assets
I suspect your requirement is:
Lots of people have a Google account and can authenticate with Google
Only some of them should be authorized to use your app, which maybe deals with corporate assets
In this case I would proceed something like this:
STEP 1: PREREQUISITE USER SETUP
Get a list of users and perform an Administrator Approval step to create them in your product database, perhaps with Name and Email fields.
STEP 2: INCLUDE THE EMAIL SCOPE DURING LOGINS
In the Google login redirect, use scope='openid email' so that you can identify the user via email after login. Allow users to successfully authenticate.
STEP 3: AFTER LOGIN PROCESS THE ACCESS TOKEN
You will then get then be able to get the user's email address from the access token (though you may have to send it to the Google User Info endpoint).
STEP 4: DENY ACCESS WHEN REQUIRED
If you can't find the email associated to the token in your product user data, present a Forbidden message to the user.
FURTHER INFO
See my User Data Write Up for further details on technical options. Note that I have not actually tested this with Google, but I have used the general approach with a few different systems.
I have an agent authentication and there are lots of users under each agent. We want to authenticate with "Oauth" and with an app the agent can login beside an user. we want to login both (user and agent) from the same apps at the same time with "Oauth". What is the suitable way to do this.
You can use one user table for storing user's info (username, password, ...) and you should authenticate based on this table, for many types of user you can use plymorhipc-relationship, for example, you need three tables users, agents, regular_users and users table know type of each user.
I have a Laravel web application for a restaurant with its own user base.
I have another web application for a bookstore with its own different user base.
I would like to create a third application (mostly API, probably using Lumen) that can create accounting records from both the restaurant and the bookstore on every transaction that is made (i.e. when I sell any food, make a POST request to this API to insert a record, and do the same if I sell a book).
How can I guarantee that only authorized users from my web apps (any user) can make requests to my API, without asking them for any additional password?
This is a typical use case for the client credentials grant tokens oauth flow.
From the laravel passport documentation:
The client credentials grant is suitable for machine-to-machine authentication. For example, you might use this grant in a scheduled job which is performing maintenance tasks over an API.
You can create an api-key for each user that has to be present in the post request's header. There should be a table in the API that has these keys stored with the corresponding user_id.
As such you can identify each user based on the given api-key.