You are here: Home / Archives for Facebook Application Development

Facebook offline_access is offline now

Okk, “moment de verite”, Facebook offline_access extended permission has been on 5th December 2012. Why? I don’t know but if I ask myself, I think its mainly because of security or abusive use.

So, what happens to those who are currently using Facebook offline_access extended permission?

<h2>How is it now?</h2>
Though there is no longer offline access, there is the capability to extend short lived session. Facebook automatically renews short lived session I think every 1 to 2 hours but if you want to use the access token for longer period, ensure that you renew it. So, yeah, for now, to confirm, long-lived session are for 60 days while short-lived one are for 1-2 hours.

for those who were not using the extended permission offline_access, you have no changes to make to your application. But application using offline_access will have to add some chunks of code for new users. If you were using offline_access extended permission, this will no longer be asked in the application login dialog box when the user uses your application. For new users, you’ll get a short-lived token which you will use to extend to get a long-lived one. Now, if you try to extend a token which already a long-lived one, you may get the same token or a token with a longer expiration time.

To get a long-lived session, just make a call on this URL with the required parameters replaced,

https://graph.facebook.com/oauth/access_token?

client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN

So, it make sense for you to have a short-lived token before submitting the above request

Further information goes here:)
1. http://developers.facebook.com/roadmap/offline-access-removal/
2. http://developers.facebook.com/docs/howtos/login/extending-tokens/
3. http://stackoverflow.com/questions/10487049/facebook-long-lived-and-short-lived-access-tokens-and-their-expirancy-after-off

December 22, 2012 By Leave a Comment
Filed Under: Computing Tagged With: ,

Facebook Ajax Connect

Couple of months ago, I was in an interesting problem. I had to find a good solution because it was a LOGIN procedure. I needed to perform a facebook ajax connect. Users would use a Facebook Ajax connect to login into a web application without a page reload.

A logical idea of Facebook Ajax Connect:
  • User will login via Facebook
  • Send Ajax Request to inform the server of the user’s login
  • Record user’s presence on the server

So, now we are in a need to tell the server that we have logged in. How to acheive this?

Facebook Ajax Connect considerations:
  • what will the request to the server contain?
  • How will the server be sure about your identity?
  • How will the server know that this user has a proper facebook account?
  • How to remember a user as an authenticated client on the server?

Remember, simply sending the user Facebook Id is not enough. Opening Google Chrome, seeing the request and learning how the request goes can open holes. The query parameters can learn and false request can be sent.

Google Chrome Network Status

A solution for Facebook Ajax Connect:
  • User will login via Facebook by clicking on “Facebook Connect”
  • Retrieve the access token and facebook user Id using JavaScript SDK
  • Send a XMLHttpRequest to server
  • Use a technique on server-side to make server aware that a particular user has been authenticated

So, now, you know that along with the Facebook Id, you need to an access token. The access token is unique and obtained only by a proper facebook user. The access token is used to verify the Facebook Id on the server

To sum up, this is how Facebook Ajax Connect works:

1. Get the Facebook Id and the access token of the user

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

FB.getLoginStatus(function(response) {
if (response.status === 'connected') {
// the user is logged in and has authenticated your
// app, and response.authResponse supplies
// the user's ID, a valid access token, a signed
// request, and the time the access token
// and signed request each expire
var uid = response.authResponse.userID;
var accessToken = response.authResponse.accessToken;
} else if (response.status === 'not_authorized') {
// the user is logged in to Facebook,
// but has not authenticated your app
} else {
// the user isn't logged in to Facebook.
}
});

Code above obtained here

2. Make an XMLHttpRequest and send the details to server (using jQuery)

1
2
3
4

$.post("loginURL", { id: "idGoesHere", accesstoken: "tokenGoesHere" },
function(data) {
/*process the response here */
});

3. Now suppose the loginURL ultimately fall on the function below:

1
2
3
4
5
6
7
8
9
10
11
12
13

public function authenticateFacebookUser($FacebookId,$token)
{
$userDetails=json_decode(file_get_contents("https://graph.facebook.com/me?access_token=".$token));
if ($userDetails->id==$FacebookId) {
/* here, you are sure the client is a proper facebook user
the user can be an existing user or new user
so, use u're ORM or sql to query the database and perform the
procedures needed
*/
return 1;
}
return 0;
}

U got a better idea, please share it, :)

July 31, 2012 By Leave a Comment
Filed Under: Computing Tagged With: , , ,