I am kind of new when it comes to fetching users data from social networks,
i need to extend my application and develop some kindof users data collector module
which in generally will be responsible for fetching data on my application users from social networks.
lets assume i have a user X which sign into my application with his facebook account.
can i fetch data on user X from facebook social graph only when he logged into ( my application/ facebook / both/ when ever i want )?
i was reading a beat on spring social framework, at first look it seems exactly the framework i need for my module.
the thing is that in all the examples i saw that each time fetching is required the user should manually allow it or it might be every time he logged into the application , also when looking at the code i think i saw that for each user a service provider
should be created, all the examples implies that spring social is not ment for background daemon which will fetch users data with minimal users attention.
does spring social can answer my requirements?
there are other java open source options?
You can use Spring Social to access a social network on a user's behalf as long as you have a valid OAuth authentication token for that user. It's up to the provider (e.g. Facebook, Twitter, etc.) to dictate how long the tokens remain valid and how you can get new valid tokens. You'll have to read the provider's documentation to determine if the kind of background access you want is allowed by the provider. If it is allowed by the provider, than you ought to be able to use Spring Social to perform the operations you want to perform.
One example is Facebook. Facebook used to let you ask for a permission called "offline_access" which would result in your application receiving an authentication token for the user that would never expire (or at least wouldn't expire for a long time). They are deprecating this, though. For more information about Facebook specifically check this thread on the Spring Social forums:
http://forum.springsource.org/showthread.php?123685-Facebook-offline_access
Related
I am trying to make a mobile app in React-Native and Server in Spring-Boot which have a OAuth2 implemented API endpoints.
My question is how can I integrate Social Logins into my React-Native app which in save a user in my user table. apart from Social login I am using naive register/login flow which require username/password to provide access token from OAuth2 Server. How can I do the same with Just Social Login without prompting user any password or other extra information.
any general solution for this will help regardless of tech I am using.
Thanks
Usually when using social networks to login/sign up you'll get a token returned in your app which you can send via your REST API and on your backend it can then retrieve the users information from the social platform used depending on the granted scopes(e-mail, username, etc...) and store the retrieved values in the database.
Thats basically how it works in general, but if you want to have more information you probably still need to share some more info about your tech used.
Hopefully that helped you out ;)
I have an app idea and need to implement authentication. Because of the nature of my app, I only want linkedin users to be able to access my app.
After reading a bit about spring oauth / spring social / etc, it seems its definitely possible to use something like Linkedin to access MY app. I want a user to see linkedins login button on the first view of my app, create my own version of this user in my app, and then allow the user to use my app.
After my findings I have found the generic flow
*user authenticates via social login button
*client app redirects user to service provider to receive a token
*client uses token and makes another request to service provider to receive auth token
*now my client app can make calls to service provider with auth token of user(this is the part where I am a bit confused)
*I want to use this token to validate calls against MY api NOT linkedins(is this wrong)
I don't really care to make calls to Linkedin on behalf of the user(except to pull user information). I ONLY want linkedin auth so that I know that users who use my auth are valid linkedin users. I thought something similar to Tinder where you MUST have a facebook account, I want to copy that design but couldn't find any hints from google. It seems the examples I find online all use the social login to ultimately use the service providers API.
I also read some stuff about SSO which sounds like what I want, but I definitely plan to add at least 1 more social login down the road. My clients will use a browser or mobile app.
I guess the main question here is once I authenticate a user using social login, am I supposed to use his existing connection to make calls to my API or create a new connection somehow. My goal is when a user does a social login, he now can access MY app, I want to reuse their existing connection without authenticating them into mine(only store their info). I want to follow best practices.
I'm working on application which generates reports and statistics about youtubers channels. I couldn't find in Google docs, how the Youtube User can grant read-only access from my application to his Youtube account? (I'm meant something like facebook application).
I'm a little confused how many ways of authentication are in Google API and which one should I use.
When you want to access private channel data, you will need to use OAuth authorization.
The way this works is that your app redirects clients to Google's authorization page, on which they can pick a YouTube channel associated with their Google account. If they are not already logged-in, they will first be asked by Google to log in (authenticate) and then proceed to the authorization page.
Once on the authorization page, they can decide to grant or refuse your application access to whatever it is your application demands access to. This is the important part: When your application redirects the user to the authorization page, it must specify one or more scopes.
Scopes define sets of actions that an application can perform once the user gives their permission. An application cannot perform operations that aren't within the scope of its powers. The three most important scopes of the YouTube API are:
https://www.googleapis.com/auth/youtube: Manage your YouTube account
https://www.googleapis.com/auth/youtube.readonly: View your YouTube account
https://www.googleapis.com/auth/youtube.upload: Manage your YouTube videos
That means that you can ask users to give your application read-only access to their channel by configuring your app to use the https://www.googleapis.com/auth/youtube.readonly scope. This is an example of what the URL that your application redirects its users to could look like:
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fyoutube.readonly&
access_type=offline&
redirect_uri=http%3A%2F%2Flocalhost%2Foauth2callback&
response_type=code&
client_id=CLIENT_ID
If the user accepts, your server will be given an authorization code which it can exchange for a set of access and refresh tokens. The resource server (Google, in this case) will know with which scope these tokens were originally obtained and reject any calls outside of the scope.
This is what the authorization page currently looks like:
For more information, please read 'Using OAuth 2.0 for Web Server Applications' on Google Developers.
In a Spring MVC mobile web application i have a requirement to post a custom messgage to social networking sites (Facebbok, linkedIN, Twitter, Google Plus).
ie If the user purchase a product he can share a predefined message "I purchased the product #134" like that.
First i thought of using simple javascript for sharing but it behaves differently in different mobiles and alse not able to post the predefined message. Another option i found is using spring-social.
Can any body suggest me any alternatives or best method to achieve this.
Any help will be appreciated.
It sounds like your question is "Can Spring Social be used to post custom messages to a user's feed? Or can someone suggest alternatives?"
Addressing the first part of that question, yes Spring Social can do this. The specifics of which vary slightly from social API to social API, but in general you'd inject the API binding into the controller where you handle the purchase of a product and at purchase time use that API binding to post the message.
The gotcha, however, is that the user must authorize your application to post stuff. You can't just arbitrarily post messages to any API without the user's permission. Therefore, prior to that purchase being completed, your app will need to obtain a connection (a Spring Social concept that captures that permission and an access token that represents the permission) by redirecting the user to the FB/Twitter/LinkedIn/etc to prompt the user for permission. Spring Social's ConnectController exists to handle that redirect and to obtain the connection for you.
If you've not already had a look, look at https://github.com/spring-projects/spring-social-samples where I have a handful of examples for Spring Social. Most notably, spring-social-showcase-boot is a new example that takes advantage of Spring Boot's simplified programming model to enable Spring Social to work with Facebook, Twitter, and LinkedIn.
I am using spring framework and REST architecutre in my api. Currently I am authenticating my REST call by sending username and password with every call. And users are stored in my database.
Now I plan to use oauth 2.0 for access to my protected resources and also i plan to use Facebook Login as authentication mechanism.
I have read about spring-security-oauth2 and have implemented in a small example it works fine.
I have read about spring-social and also have implemented it and can access facebook api.
Now all I want to know is how can i login with facebook and then use oauth 2.0 to protect my
resources.
Any help will be deeply appreciated.
You would not want to use the Facebook-issued access token to secure your own resources. The Facebook token represents a 3-way agreement between your application, Facebook, and your user. If you want to use OAuth to secure your own resources, that's a completely different agreement between the consumer of those resources, your server, and the user who owns those resources on your server.
Think of it this way: When you are consuming Facebook's API, your application (A) is the consumer, Facebook (FB) is the provider, and there's a common user (U1) that joins those together. But when someone is consuming resources on your server, then your application (A) is in the role of the provider, some other application (X) is the consumer, and there's a common user (U2) who joins those together. It may be the same human (e.g., U1 == U2) that agreed to the arrangement in both cases, but the roles of provider and consumer have changed.
I imagine that there's probably a way to get Spring Security for OAuth to issue the same access token that Facebook issued, but that's not really a good idea.