3

Is there a way to use facebook authentication (the OAuth 2.0) without redirecting?

I am not using the facebook login button, so I am supposed to redirect to https://www.facebook.com/dialog/oauth? client_id=YOUR_APP_ID&redirect_uri=YOUR_URL, but I don't want to redirect my user outside of my page. Is there a way to open this url in a popup window (how do I do that btw?), and then catch the sessionChange event just like when working with the normal facebook login button?
I am using jQuery and Pyramid.

Thanks!

Raiders
  • 113
  • 1
  • 2
  • 7

2 Answers2

2

I made an application for a client a couple weeks ago with that behavior just using the Facebook JS SDK

FB.login(function(response){
        if(response.session){
        var user_id = response.session.uid,
            access_token = response.session.access_token;
        }
    }
);

You can the send the access_token to your server with ajax if you want. Just be careful if you're using too much ajax, the session will expire if you don't make calls to FB.getLoginStatus() every so often.

Paul
  • 139,544
  • 27
  • 275
  • 264
  • It's done with a popup window. Which means you can only call it from a user action like a click event, or the browser will probably block it. – Paul Jul 21 '11 at 06:15
  • thanks! I have a Pyramid app that uses facebook auth. I understand there are two types of facebook user auth - client and server side. I am currently only using the client-side, since accessing the user's data in js only is ok for me. I was thinking about security and I'm not sure if this is strong. My site contains a form that is submitted by a logged in user. Since I have no way to do a server-side check for the login status, anyone could technically submit the form, even without being logged in - by simply manipulating the js, correct? Is server-side authentication the only way to go here? – Raiders Jul 21 '11 at 06:23
  • 2
    @Raiders It would be more secure to server side checking as well. I'm not sure how you would do this in Pyramid, but basically I use ajax after the `FB.login()` and send the user_id and access_token to the server. Then I use cURL on my server-side to send an request to `https://graph.facebook.com/me?access_token='access_token_from_ajax'` and verify that the returned user_id matches my user_id I got from ajax. – Paul Jul 21 '11 at 06:34
2

You can check if the user has a valid access token, in other words, was logged on to your site at some point. FB gives you the session data on the front end so get it like this:

    FB.getLoginStatus(function(response){
        //send the response to the back end in a json string
    });

Then validate it on the back end using a modified version of the legacy signature validation. It seams to work. Please let me know if I'm missing something. It only tells you that the user id, access token match for your site. No curl calls needed. It doesn't tell you if the session is actually currently valid though so don't rely on it for your banking system or anything. 

function validateFB_sessionObj($sessionObj){//pass me the session data object
   $sessionObj = $sessionObj->session;
   global $fb;//pull in the secret fb keys
   if (!is_object($sessionObj) || !isset($sessionObj->uid) || !isset($sessionObj->access_token) || !isset($sessionObj->sig)){
//       warning("facebook session object is lacking something", $sessionObj);
       return false;
   }
   $expectedSig = generateSig($sessionObj, $secret);
   if ($sessionObj->sig = $expectedSig){
     //  status("fb signature looks good");
       return true;
   } else {
    //   warning("facebook signature looks wrong", $sessionObj);
       return false;
   }
}

function generateSig($params, $secret){
   $string = $params->access_token . $params->uid . $secret;
   return md5($string);
}
zstew
  • 1,195
  • 8
  • 11