I am working on a Windows Phone app that utilizes the Facebook API. To do that I need the user to login and authorize my app, so that I can get an access_token. I've already done that, it works fine.
The question: how to keep using the Facebook API on the next launch of the app without having the user to log in again?
What I do: When the user logs in I save the access_token and the expiration time. Later, I can use the access_token when making API calls. This is all fine.
The problem: with offline_access not working anymore, the access tokens I get are valid for 60 days. This means that after 60 days they will stop working. Can I do something to renew those tokens without asking the user to login again?
My research:
I read the documentation, but it seems to mention only Android and iOS. While I assume it would be similar for Windows Phone, I am not able to find out what to do. The Facebook libraries for those other platforms have something like:
facebook.extendAccessTokenIfNeeded(this, null);
I was not able to find similar method for Windows Phone. While I read somewhere that this does not actually work for Android, it hints that there must be a way to do it.
I read about the new endpoint allowing renewing of access tokens, but it seems to only be able to extend short-lived tokens to long-lived. For me it is a bit unclear from the documentation here(Section 4):
https://developers.facebook.com/roadmap/offline-access-removal/
Any help is appreciated, thanks.
Follow the Offine Access Removal Guide on the link you provided. It has the API Call you can use to get a long-lived Access Token for the user - this is the replacement of offline_access.
Specifically, see Scenario 4.
In theory, Windows Mobile should fall under Exception 2 / 3. See if the Windows Mobile SDK has an option to access the access_token in a similar way to iOS and Android.
Related
My objective is to verify a 3rd party app (that uses google for auth/sign-up/sign-in) is connected to a google account, by calling a google API from my google app. Is this possible with the current google APIs? I haven't been able to find any documentation on this which leads me to believe it is not possible, likely for privacy/security reasons.
The best I've come across is a call to: https://www.googleapis.com/oauth2/v1/userinfo?alt=json which doesn't seem to return anything about connected accounts. And https://developers.google.com/admin-sdk/directory/reference/rest/v1/users which is for users in an enterprise domain which doesn't help me as my app is for consumer users.
There is no way for you to know what apps a user is using on their account. Even if its your own app there is no way of knowing. Unless the user has authorized you and you have an access token then you will know they have verified your own app.
Having an api which would tell us what apps a user has authorized IMO would be a bad idea.
I'm a novice developer and use Parse.com to power the backend of my iPhone app.
I was wondering if it was possible to manage Facebook OAuth issues from Parse's cloud code (my backend) using http requests or the Facebook JS SDK.
For example: a user's long-term access token becomes invalidated due to expiration. I would like to be able to generate a new access token on the backend, given that I have access to: the old access token, my app_id, my app_secret, and the user's facebookID.
Q1: is it possible to generate a user access token using an http request? I know that I can generate an app access token, but this is not what I want (https://developers.facebook.com/docs/facebook-login/access-tokens). If it is possible, what is the correct structure for the http request (I've spent several hours trying to find an example and haven't been able to).
Q2: if #1 is not possible, is it possible to use the Facebook JS SDK in Parse Cloud code? Parse has previously stated this is not supported since the Facebook JS SDK assumes/necessitates being executed from a browser, but wouldn't it be possible to mimic a browser and still have this function correctly? If so, please provide example code.
Thanks!
Looks like this question has been answered already here: https://parse.com/questions/cloud-code-how-to-get-current-users-facebook-access-token
Parse.User.current().get('authData')['facebook']
I have a google calendar that I have marked as shared. it stores all appointments for the day.
I have a webpage. from the webpage, the user enters a date and I use the google api (javascript) to pull back all info from my shared calendar for that date and present it to the user.
I also want the user to be able to make appointments during free times on any given day.
problem is, I must be signed in to my google account. if I am NOT signed in, I get a little popup asking for my userid/password.
how do I get rid of that? I had hoped that making the calendar shared and specifying the client ID and api key (assigned via Google's API Console) would have been enough.
I've run across this: http://cornempire.net/2012/01/08/part-2-oauth2-and-configuring-your-application-with-google/ which explains doing this via Oath and refresh tokens in PHP.
unfortunately, I'm doing this in javascript and MUST do it from the client side. is that possible?
I think you should look into using a service acccount for this.
http://code.google.com/p/google-api-php-client/wiki/OAuth2#Service_Accounts
By using a service account you wont have to worry about people loging in. They will have access to the calender for the service account.
Update: I have searched for examples of how to do this in Javascript and have been unable to find any. After considering this issue for a while now i have come to the conculsiton that even if you could use a service account via javascript for security reasons its probably not a good idea.
Unfortuantly this leaves me to beleave that the anwser to your question is No. You cant do this client sided. If you use normal OAuth2 its still going to prompt you for the autentication. You need to try and reconsider a server sidded option. PHP for example
We are developing multiple apps for our client which all can be used using same credentials(credentials of there company portal).
So we want to implement something like single sign on, such that user need not to login each app.
I have already gone through these links
http://msdn.microsoft.com/en-us/library/live/hh826544.aspx
http://stackoverflow.com/questions/5598411/single-sign-on-choices-to-use-with-windows-phone-7
Here is what i need exactly:
step 1.) When user login to one app(say App1), the portal will return a token, ineed to store this token somewhere, such that only authorized apps can access this.
Step 2.) when any other app(of same group) launches it will check on the location for the token and if token exists, it will not demand for credentials.
Step.3) When user logs out from any app, it will remove the token from shared location.
We have already implemented this in IOS using keychain(possibly wrong term as i am not ios developer).This keychain provides a common space for the apps signed with same certificate.
As per my knowledge uptill windows phone 7.5 there is no possibility. Does windows Phone 8 has something for this.
If not i am open to any kind of suggestions to serve the purpose.
P.S. : Security is our major concern, So when you suggest please let us know you think there could be any security concers though hack or phone loss.
Thanks a lot..
I hope to be corrected but this won't work. Apps are isolated and can't share things like data packets and such.
i am not a windows app guy.
but a trick can work.
caution:
following can raise security concerns if API token expiration time limit is not properly considered.
use firesharp / any XMPP service (suitable for windows client) to send api tokens to other devices like notification message.
handle the notification in such a way that token is not displayed.
and also remember, there is no such think as log out in API authorization.
you will have to restrict access with token expiration time limit.
I am building a WP7 Twitter client. The normal OAuth 1.0 flow involves obtaining a request token by navigating a web browser to https://api.twitter.com/1/oauth/authenticate with my app's consumer key; this page will show a login prompt and ask the user to authorize my app to perform actions on their behalf. Upon completion, this page will redirect to a callback URL supplied by my app, with the request token supplied as a parameter.
For web apps this makes sense. I don't understand how this is supposed to work for a standalone mobile/desktop app, though. The Twitter API documentation seems to imply that this should be a feasible option. They do offer an alternative xAuth mechanism that allows an app to gather username/password itself and then supply that directly to obtain an access token. The API documentation points out that this is an inferior option (as it requires the user to trust the app, not just Twitter, with their password), but I don't see how I have any reasonable alternative?
(there is also a PIN-based option, but that's a pretty burdensome solution for the user)
I just want to make sure I'm not missing anything obvious.
"For web apps this makes sense. I don't understand how this is
supposed to work for a standalone mobile/desktop app, though."
Just embed a web browser control in your app, and navigate to the twitter authentication page. Then detect the redirection to the callback url (using the Navigating event) and retrieve the parameter. Many twitter apps do that, it's basically the same as asking the user for the login and password, except that instead of your own controls you're displaying twitter's page.
Nope, you're correct. The option for a mobile/desktop application is either a pin-based option or to use xAuth. Once you have an xAuth application has an access token it is indistinguishable from OAuth (it only changes the authorisation workflow). One thing it does change, and this is very specific to Twitter, is that if you do use xAuth then your application will not be allowed to read or write Direct Messages. See Twitter's The Application Permission Model page for more information.