
Laravel Socialite is using OAuth 2.0. It is ugly for Facebook. I don't like the idea of sending users to a Facebook page and getting them back when we can use a pop-up.

So, my plan was to use the standard Facebook popup from the JavaScript API.

First - using Basic Setup to get the JavaScript library

Second - getting the login dialog to work.

It works and I get userID and accessToken.

Now the problems start

accessToken - it is ageing and I cannot save it in the database for later use as a password.

So there is an alternative to saving accessToken - I can use another Facebook API, known as the Graph API, to get the user by token, if my server made an API request directly to Facebook like so

https://graph.facebook.com/me?access_token=...

I'd get a user_id like so

{ "name": "Bob Marley", "id": "111111" }

and I can be sure about this identity, because I just checked the token with the Facebook server directly. It sounds like an ideal world.

However, there are 2 things that make me nervous:

1) Have I really combined 2 different APIs, or is it a standard approach?

2) How did I manage to have my user authenticated without using the Facebook app secret? Where is the catch?

Yevgeniy Afanasyev
  • If it's ugly, you are free to do it with a modal pop-up; no one is stopping you from doing it – Leo Sep 14 '18 at 08:47
  • Ok, you are right. I changed the question. OAuth 2.0 is ugly, not Laravel Socialite. Please help me with my problem. – Yevgeniy Afanasyev Sep 14 '18 at 08:51
  • OAuth 2 is one of the best things that happened to web services; you are making your app expensive with multiple calls towards external services. Use the Facebook API: create an app, authorize login and use the app to authenticate a user. As simple as that: pop-up dialog, login user, redirect, auth and done. – Leo Sep 14 '18 at 08:57
  • Sorry, I don't see simplicity. Please correct me if I'm wrong. You want me to make an Iframe in a popup dialog sending user to facebook page and returning to my callback, right? Then I would need to tell the main window from iframe the response to close the popup? I don't see elegance in using Iframes in popups and sending messages from Iframe to the parent. – Yevgeniy Afanasyev Sep 14 '18 at 09:12

1 Answer


You need to use something like hellojs.

Hellojs allows you to open a popup for the user to sign in using Facebook/Google/etc. From this you can get the access_token. To get this access token you only need the App ID, so you don't share the app secret on the client side.

Then you send the access_token to your controller and get the user info with another request from the server (this is where Laravel Socialite uses the app secret)

```php
// Server side: resolve the Facebook user from the token the client sent
$user = Socialite::driver('facebook')->userFromToken($access_token);
```

Hope it makes sense.

zjbarg
  • Thanks. Hello.js is a good idea. And a big thanks for the idea to look through the source code of Socialite to find the right way of sending API requests. – Yevgeniy Afanasyev Sep 15 '18 at 00:31
  • You are right, and I was right, we both are right. Hurray! The `Socialite` function `userFromToken` is using the `facebook graph api`. This is the Socialite code for the Facebook driver: `$meUrl = $this->graphUrl.'/'.$this->version.'/me?access_token='.$token.'&fields='.implode(',', $this->fields);` – Yevgeniy Afanasyev Sep 15 '18 at 01:39
  • And there is no need to have facebook-app-secret-code for facebook authentication. – Yevgeniy Afanasyev Sep 15 '18 at 01:43
  • Glad I was of help. If you would accept my answer you would really help my reputation. I am just starting to post on stackoverflow! Thx – zjbarg Sep 16 '18 at 14:38
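
On the question's "Where is the catch?", an added example that is not part of the original posts or of Socialite's code: a `/me` lookup shows which user a token belongs to but not which app it was issued to, while the Graph API `debug_token` endpoint (called with an app access token, `app_id|app_secret`, kept on the server) reports both. The function names, the placeholder App ID and the sample responses below are constructed for illustration.

```php
<?php
// Added example (not Socialite code). Names and sample data are hypothetical.

const EXPECTED_APP_ID = '000000000000000'; // placeholder: your Facebook App ID

// Build the Graph API debug_token URL. The app access token ("id|secret")
// is sent from the server only and never reaches the browser.
function debugTokenUrl(string $userToken, string $appId, string $appSecret): string
{
    return 'https://graph.facebook.com/debug_token?' . http_build_query([
        'input_token'  => $userToken,
        'access_token' => $appId . '|' . $appSecret,
    ]);
}

// Decide whether a decoded debug_token response shows that the token was
// issued to our app, for the user the client claims, and is still live.
function tokenIsAcceptable(array $response, string $claimedUserId, int $now): bool
{
    $d = $response['data'] ?? null;
    if (!is_array($d) || ($d['is_valid'] ?? false) !== true) {
        return false;                       // malformed, revoked or invalid
    }
    if (!hash_equals(EXPECTED_APP_ID, (string) ($d['app_id'] ?? ''))) {
        return false;                       // token was issued to another app
    }
    if (!hash_equals($claimedUserId, (string) ($d['user_id'] ?? ''))) {
        return false;                       // client-supplied userID mismatch
    }
    $exp = (int) ($d['expires_at'] ?? -1);  // a missing expiry is rejected
    return $exp === 0 || $exp > $now;       // 0 means the token never expires
}

// Constructed debug_token responses so the example runs offline.
$now   = 1536900000;
$ours  = ['data' => ['app_id' => EXPECTED_APP_ID, 'user_id' => '111111',
                     'is_valid' => true, 'expires_at' => $now + 3600]];
$other = $ours;  $other['data']['app_id'] = '999999999999999';
$stale = $ours;  $stale['data']['expires_at'] = $now - 1;

var_dump(tokenIsAcceptable($ours,  '111111', $now)); // our app, right user
var_dump(tokenIsAcceptable($other, '111111', $now)); // different app
var_dump(tokenIsAcceptable($ours,  '222222', $now)); // wrong claimed user
var_dump(tokenIsAcceptable($stale, '111111', $now)); // expired token
```

In a Laravel controller this check would run on the decoded JSON fetched from `debugTokenUrl(...)` before the token is handed to `userFromToken`.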