Implementing Facebook Authentication

I am working on a project that relies entirely on Facebook authentication (there is no separate authentication implementation). The project uses PHP for server-side scripting. I looked around for a fast and secure authentication mechanism, but I cannot find a detailed description of this topic. The Facebook docs are weak and provide only basic information.

Which authentication method would be appropriate? There are the JavaScript SDK and the PHP SDK. As I understand it, I have to use the JavaScript SDK to log in, and then use the PHP SDK to check my database and verify the credentials. But using the Graph API through the PHP SDK is slow. Is there a better way to check a session?

Do I need to check the session on the server side (PHP SDK) for every request?

+6
7 answers

What I do for my applications is quite simple and relatively fast compared to any other method I have seen.

  • Check whether signed_request exists and parse it if it does. If it does not, set the $login flag to 1 in PHP.
  • Check the user's session / cookie to see whether the user has previously been authenticated by the application (I come back to this later). If it is empty, set $login to 1.
  • If the $login flag is set to 1, send the user to the install URL.
  • The user installs the application and lands on the connector page. This page obtains the access_token and creates a session / cookie for the user. This means that you are unlikely to need to re-verify this access_token for the life of the user's session. offline_access also opens up new possibilities. You can also save the access_token in your DB.
  • Whenever you call Facebook, check for exceptions; if you hit an authentication exception, clear the user's session and cookie. Next time, this forces them to refresh their access_token, even though the process is invisible to the user.

I did this in my applications, and in most cases it means that I do not need to make requests to FB to check the validity of the access_token, and I do not need to re-fetch it on every page view. Our goal was to reduce latency in our applications, and Facebook was the biggest source of latency, so it was significantly reduced.

+9
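The signed_request check from the first step above, as an added example that is not part of the answer: the request is parsed and its HMAC verified before anything in it is trusted, and the $login flag is derived from the result. The format assumed is the documented one (base64url signature, a dot, base64url JSON payload, signature = HMAC-SHA256 over the encoded payload keyed with the app secret); APP_SECRET is a placeholder constant.

```php
<?php
// Added example, not from the answer above. Verifies the signed_request
// described in step 1: format base64url(sig) . '.' . base64url(json payload),
// sig = HMAC-SHA256(payload, app secret). APP_SECRET is a placeholder.
session_start();

function base64url_decode(string $input): string {
    return (string) base64_decode(strtr($input, '-_', '+/'));
}

// Returns the decoded payload, or null if the request is missing or tampered.
function parse_signed_request(string $signed_request, string $app_secret): ?array {
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($encoded_sig, $payload) = $parts;
    $sig  = base64url_decode($encoded_sig);
    $data = json_decode(base64url_decode($payload), true);
    // Reject unknown algorithms instead of falling back to something weaker.
    if (!is_array($data) || ($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // Sign the still-encoded payload and compare in constant time.
    $expected = hash_hmac('sha256', $payload, $app_secret, true);
    return hash_equals($expected, $sig) ? $data : null;
}

// The $login flag from the answer: 1 means send the visitor to the install URL.
$login = 0;
$data = isset($_REQUEST['signed_request']) && is_string($_REQUEST['signed_request'])
    ? parse_signed_request($_REQUEST['signed_request'], APP_SECRET)
    : null;
if ($data !== null && !empty($data['user_id'])) {
    $_SESSION['fb_uid'] = $data['user_id'];   // authenticated: cache in the session
} elseif (empty($_SESSION['fb_uid'])) {
    $login = 1;   // neither a valid signed_request nor an existing session
}
```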

Answering my own question:

I used the JavaScript SDK for Facebook authentication.

  • If FB authentication is OK and my application has not authenticated the user, I present the user with a pre-filled Facebook registration form.
  • If FB authentication does not work, I present the Facebook login button.

The Registration Plugin authorizes my application, and I call my fblogin.php to check this information using the PHP SDK. When the PHP SDK checks the authorization, it stores this information in a session variable. Therefore, there is no need to check FB authentication on each request.

The login button does the same thing as the Registration Plugin. Both methods use the same server-side functionality, but their presentation is different.

In order to catch a Facebook logout, I use the JavaScript SDK to check Facebook authentication on every request. If the user is logged out, my JS code calls fblogout.php and the current session is destroyed. There is a flaw in this method: if a user does not explicitly log out of my website, an attacker can act on behalf of the user just by disabling JS on that computer.

I cannot find a better solution with a fast response time.

+1

You can use one or the other, or both.

You can use the PHP SDK to build the appropriate URL to send people to, and just link to it. Or you can use JavaScript to render Facebook's default login button.

After that, you can use either tool to maintain and verify the session.

I usually use PHP to work with the OAuth keys and use the JavaScript SDK to render nice Facebook buttons and make some minor, less important Graph calls to monitor the session.

Anything involving heavy or multiple Graph calls I push to PHP.

But there is flexibility in doing what you want. You do not need to use the JavaScript SDK to log in.

It is up to you whether you want to check on every page load or not.

I try to use the JavaScript SDK to handle it, and, like Berk, if the session is dead I call a page redirect to the logout script.

+1

Starting with the latest versions, the PHP and JS SDKs can now share the same user session (log in with JS or PHP, instead of doing both). See this blog post for a more detailed explanation and example.

If you are worried about security, you can probably set the cookie to expire sooner with session_set_cookie_params().

+1

I think you do not need to use the SDK at all.

1. You need to get permission from the user in order to access his / her data. Therefore, you need to redirect them to Facebook. This is a few (3-5) lines of code in PHP.

https://graph.facebook.com/oauth/authorize?client_id=YOUR_APP_ID&scope=email&redirect_uri=APP_URL

2. When the user returns to your site, read the code from $_GET['code']:

http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER

3. You must exchange this code for an access_token through a request to Facebook:

https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

4. After you have the access_token, just run a GET request to /me?access_token=... as often as you need to check that the user is still there.

5. You can save the Facebook ID.

I think this is the fastest way. As far as I know, the JavaScript SDK uses a popup that is blocked in most browsers.

This flow is described in sufficient detail here: http://developers.facebook.com/docs/authentication/

+1

Firstly, just a reminder that you will need to save not only the access_token; ideally you also want to save the user's Facebook uid along with the access token. This is because, as a rule, you will need to include the uid along with the access token in your API call.

Secondly, from the Facebook documentation:

Note. If the application has not requested the offline_access permission, the access token is time-limited. The access token is also revoked when the user logs out of Facebook. If the application has obtained the offline_access permission from the user, the access token has no expiration date. However, it becomes invalid whenever the user changes their password.

Third, the point of having the access_token and uid is to make an API call, right? Start from there. Do authentication only if the access_token (somehow) becomes invalid. How to check whether it is valid or not? Well, you can use cURL or the Proxy library (but you may need to change it a little bit since it was originally written for CI) to make the API call as a check. Example (*sigh*, using my proxy library) ...

 // Suppose we are trying to publish a status from our FB app.
 // $access_token holds the user access_token you saved in your database.
 // $uid holds the user's Facebook uid you saved in your database.
 $proxy = new Proxy;

 // This is equivalent to performing a regular HTTP POST request with cURL
 $api_call = $proxy->http('post', 'https://graph.facebook.com/'.$uid.'/feed',
     array('access_token' => $access_token, 'message' => 'foo'));

 // Now we can validate...
 // If the API call succeeds, it returns a post id in JSON format.
 // If not, it outputs JSON like:
 // {"error":{"type":"OAuthException","message":"Invalid OAuth access token."}}
 $result = (array) json_decode($api_call);
 if (array_key_exists('error', $result)) {
     // Here you can perform an OAuth authentication to get a fresh access_token,
     // assign it to $access_token and update your database
     // ...
     // After that is done, repeat the previous API call with the valid access_token
     $proxy->http('post', 'https://graph.facebook.com/'.$uid.'/feed',
         array('access_token' => $access_token, 'message' => 'foo'));
 }
+1

The Facebook Connect documentation is pretty limited. In fact, it does not tell you what it is doing, only how to do it. I personally do not use any SDKs. I developed my own framework for my development projects.

Both SDKs, as well as the JavaScript in the tutorial, are IMO pretty dated.

If you want to stick with one of the FB SDKs, here is my suggestion. Use the JS SDK only if your requests to the Graph API and the like are sent to the PHP server via Ajax. Otherwise, stick with the PHP SDK.

Introduction

Facebook uses OAuth v2. They describe two different flows ... server side and client side. This is implemented just like any other application that authenticates against an OAuth v2 service. They both do the same thing. The only difference may be that you can use "code" as the request_type to get an authorization code, which you exchange for the token later.

Authentication

As for FB Connect, your script should make sure that you have an authentication token or authorization code whenever authentication is required. If you do not have one, you need to get it. You can use the presence of an authorization code or token as the condition for which FB button (login or logout) is displayed.

Redirect the user to OAuth for authentication. Facebook has its own OAuth implementation tied to their Dialogs API. More on the OAuth dialog here: http://developers.facebook.com/docs/reference/dialogs/oauth/

You can use the optional state parameter for something like CSRF protection. It carries the value through the process and is sent back with the callback as a GET parameter.

Interaction with applications

Basically you are going to write your application the same way as usual. The differences are as follows:

  • Your user database no longer stores a password, only the FB UID. Also, according to the FB Dev ToS, you really cannot store user information. If you want to save user information, you need to get it from the user. You can pre-fill this information for them with FB data; they just need to submit it.
  • Your registration method will no longer show a form. It will be called when the authenticated user does not have a record in the database.

API interaction

If you went with a code instead of a token, you need to request a token by sending the code. This is done using the Graph API. This part is not documented at all, except in their authentication tutorial: http://developers.facebook.com/docs/authentication/

With your access token, however you obtained it, you can now query the Graph API any way you want. This will return a JSON encoded object.

Conclusion

As for a fast and reliable implementation, the PHP SDK does the job. It handles everything I reviewed here, including CSRF. As for learning it, I still have to find decent documentation. Everything is either old, or the writer does not know and defers to other tutorials.

It is best to dig into these libraries and find out how they work for you. Do trial and error, experiment.

What I ended up doing was writing my own framework. I suggest you do the same. You can extend the Facebook SDK classes if you want. It is truly limited, but it gives you everything you need. I took my most commonly used API calls and wrapped them. I now have a very fast and simple end result, derived from my library.

+1
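The server-side flow from the numbered steps two answers up, combined with the state parameter this answer recommends as the CSRF check, as an added example that is not code from any of the answers. The endpoints are the ones quoted on the page; APP_ID, APP_SECRET and REDIRECT_URI are placeholder constants, and accepting both a form-encoded and a JSON token reply is an assumption about the endpoint's versions.

```php
<?php
// Added example, not from the answers above: authorize URL with a random state,
// state check on the callback, code-for-token exchange, and a /me check.
// APP_ID, APP_SECRET and REDIRECT_URI are placeholders you must define.
session_start();

// Step 1: build the authorize URL and remember a random state in the session.
function build_authorize_url(): string {
    $_SESSION['fb_state'] = bin2hex(random_bytes(16));
    return 'https://graph.facebook.com/oauth/authorize?' . http_build_query([
        'client_id'    => APP_ID,
        'scope'        => 'email',
        'redirect_uri' => REDIRECT_URI,
        'state'        => $_SESSION['fb_state'],
    ]);
}

function http_get(string $url): string {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // keep TLS verification on
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? '' : $body;
}

// Steps 2-3: on the callback, check the state first, then exchange the code.
function handle_callback(array $get): ?string {
    if (empty($get['code']) || !is_string($get['state'] ?? null)
        || empty($_SESSION['fb_state'])
        || !hash_equals($_SESSION['fb_state'], $get['state'])) {
        return null;   // missing or forged state: do not exchange the code
    }
    unset($_SESSION['fb_state']);   // state is single-use
    $body = http_get('https://graph.facebook.com/oauth/access_token?' . http_build_query([
        'client_id'     => APP_ID,
        'redirect_uri'  => REDIRECT_URI,
        'client_secret' => APP_SECRET,
        'code'          => $get['code'],
    ]));
    // Assumption: older endpoint versions reply form-encoded, newer ones JSON.
    parse_str($body, $form);
    $json  = json_decode($body, true);
    $token = $form['access_token'] ?? $json['access_token'] ?? null;
    if ($token === null) { return null; }
    // Step 4: confirm the token by fetching /me, then keep only the Facebook ID.
    $me = json_decode(http_get('https://graph.facebook.com/me?access_token=' . urlencode($token)), true);
    if (empty($me['id'])) { return null; }
    $_SESSION['fb_uid'] = $me['id'];
    return $token;
}
```

Call build_authorize_url() when the $login flag is set, and handle_callback($_GET) on the redirect URI; a null return means the login attempt should be discarded and restarted.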

Source: https://habr.com/ru/post/893499/
