Using the Facebook C# SDK for a native app to be used in kiosk mode.
Scenario:
User logs in to Facebook.
App requests permission.
User denies permission.
Unable to programmatically log the user out of Facebook since no access token has been granted.
(see: https://developers.facebook.com/docs/authentication/)
What is the best approach in the above scenario where the next user of the app should start from scratch?
Related
I have developed an application (ASP.NET web application) that authenticates using Azure AD and ASP.NET OWIN. It is a multi-tenant app, so I have registered my app in Azure AD as a multi-tenant app. That means that everyone with a Microsoft work/school account can sign in to my application. That is fine, but I need to check if the user signing in has a valid license for using my application. How can I do that? Can I interrupt the OWIN login process somehow and check for a valid license, or how is this normally done?
What is normally done is to separate AUTHENTICATION (who is the user) from AUTHORIZATION (what can the user do).
I.e. you do NOT interfere with the authentication - the user comes and sends a token. Your app then reacts by redirecting the user to a "create account" page when he is new. That creates in your app the db entry for this user. You can also send him to a "sorry, you have no rights on this application" page.
This allows you to use the same authentication for multiple applications with separate rights and fully separates authentication and authorization.
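The split described in this answer, as an added example that is not part of the original post: authentication has already produced a ClaimsPrincipal, and the application alone decides between access, the "create account" page and the "no rights" page. A per-tenant license, the two in-memory stores and the sample ids are assumptions; the claim names are the mapped names classic ASP.NET commonly shows for Azure AD's tid and oid.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public enum AccessDecision { Allow, CreateAccount, NoRights }

public static class LicenseGate
{
    public const string TenantId = "http://schemas.microsoft.com/identity/claims/tenantid";
    public const string ObjectId = "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // licensedTenants and knownUsers stand in for the application's own database (assumption).
    public static AccessDecision Decide(ClaimsPrincipal user,
        IDictionary<string, DateTime> licensedTenants, ISet<string> knownUsers, DateTime nowUtc)
    {
        // Authorization runs only on an identity the login middleware already accepted.
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            throw new InvalidOperationException("Decide() must run after authentication.");

        string tid = user.FindFirst(TenantId)?.Value;
        string oid = user.FindFirst(ObjectId)?.Value;
        if (tid == null || oid == null) return AccessDecision.NoRights;   // fail closed

        // Unknown tenant or expired license: "sorry, you have no rights" page.
        if (!licensedTenants.TryGetValue(tid, out DateTime expiresUtc) || expiresUtc <= nowUtc)
            return AccessDecision.NoRights;

        // Licensed tenant, first visit: "create account" page; otherwise let the user in.
        return knownUsers.Contains(tid + "/" + oid) ? AccessDecision.Allow
                                                    : AccessDecision.CreateAccount;
    }

    static ClaimsPrincipal SignedIn(string tid, string oid) => new ClaimsPrincipal(
        new ClaimsIdentity(new[] { new Claim(TenantId, tid), new Claim(ObjectId, oid) }, "constructed"));

    public static void Main()
    {
        // Constructed sample data.
        DateTime now = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        var licensed = new Dictionary<string, DateTime>
            { ["tenant-a"] = now.AddDays(30), ["tenant-b"] = now.AddDays(-1) };
        var known = new HashSet<string> { "tenant-a/user-1" };

        Console.WriteLine(Decide(SignedIn("tenant-a", "user-1"), licensed, known, now));
        Console.WriteLine(Decide(SignedIn("tenant-a", "user-2"), licensed, known, now));
        Console.WriteLine(Decide(SignedIn("tenant-b", "user-3"), licensed, known, now));
        Console.WriteLine(Decide(SignedIn("tenant-c", "user-4"), licensed, known, now));
    }
}
```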
I'm developing a web application with C# and .NET Core, which includes an API module.
Then there is a Windows WPF application (programmed by me) that can connect to this API.
So when I log in to my WPF application I check the credentials via an API call and grant access to the user. In this WPF application there is a button that will forward you to the web version.
Is it now possible to hand over the generated bearer token from the WPF app to my login in the web to grant the user access without using his credentials again?
I expect that the user just needs to use his credentials in the WPF app and is logged in in the browser too.
Thank you in advance and have a nice day.
I guess you store the token on the Web version and if you open it in the browser it will already be logged in and redirected to a specific page. In case the token cannot be retrieved or it is expired, then you will stay on the login page.
I would suggest that you pass the token to the login page as a parameter in the URL from your WPF app. So at this point, after you check if you already have a token stored, you can also check if you have any parameter passed, store that one and redirect to the page you want.
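A variant of this handoff, as an added example that is not part of the original posts: a URL parameter ends up in browser history, server logs and Referer headers, so this sketch puts a short-lived, single-use code in the URL instead of the bearer token itself. The HandoffCodes class, the 30-second lifetime, the user id and the app.example URL are all assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Server-side store: the API trades an already validated bearer token for a one-time code.
public sealed class HandoffCodes
{
    readonly ConcurrentDictionary<string, (string UserId, DateTime ExpiresUtc)> _codes =
        new ConcurrentDictionary<string, (string UserId, DateTime ExpiresUtc)>();
    readonly TimeSpan _lifetime;

    public HandoffCodes(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called by an API endpoint after it has authenticated the WPF client's token.
    public string Issue(string userId, DateTime nowUtc)
    {
        byte[] raw = new byte[32];                        // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string code = Convert.ToBase64String(raw)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');   // URL-safe
        _codes[code] = (userId, nowUtc + _lifetime);
        return code;
    }

    // Called by the web login page. TryRemove makes the code single-use even under
    // concurrent requests; an expired code is removed and rejected.
    public string Redeem(string code, DateTime nowUtc)
    {
        if (code == null || !_codes.TryRemove(code, out var entry)) return null;
        return entry.ExpiresUtc > nowUtc ? entry.UserId : null;
    }
}

public static class Program
{
    public static void Main()
    {
        var store = new HandoffCodes(TimeSpan.FromSeconds(30));
        DateTime t0 = DateTime.UtcNow;

        string code = store.Issue("user-42", t0);         // constructed user id
        Console.WriteLine("https://app.example/login?handoff=" + code);
        Console.WriteLine(store.Redeem(code, t0.AddSeconds(5)) ?? "rejected");   // first use
        Console.WriteLine(store.Redeem(code, t0.AddSeconds(6)) ?? "rejected");   // replay

        string late = store.Issue("user-42", t0);
        Console.WriteLine(store.Redeem(late, t0.AddSeconds(31)) ?? "rejected");  // expired
    }
}
```

After a successful Redeem the web application starts its own session for that user, so the WPF app's bearer token never appears in a URL.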
We have set up an application in AAD.
The application has been granted access to read/write all messages/mails and "read users profiles" and a global admin has pushed the "Grant permissions" button in the portal.
Still, we get an Access denied error when trying to access
https://graph.microsoft.com/v1.0/users/{myId}/MailFolders/Inbox/ChildFolders
for my userid (myId). The URL works fine in graph explorer when I'm logged in as my own user.
Also, decoding the JWT at jwt.io shows the application id, name and "aud" (https://graph.microsoft.com) - but no roles/scopes.
What have we done wrong?
Ok so I submitted a ticket to Microsoft Support. I haven't received any response yet, but now it all works just fine. I have no idea why, but when I was submitting the ticket this morning a warning was shown that an outage in Azure AD was recently fixed so maybe that is why things didn't work yesterday.
These are delegated permissions... so you will need a user with the same rights and use the credentials of the user in your authorization flow for your app.
The effective rights are the intersection of the user rights and the rights of the app.
"Effective permissions are the permissions that your app will have when making requests to an API.
For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (through consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user."
The user also needs permission to use the app in AAD.
If it is not a delegated permission, maybe there is the need for some global admin to grant the consent for all users. "Topic Admins" can only "request" the permissions for the app and the global admin can consent for all users.
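A diagnostic for the symptom in this thread (a token with "aud" but no roles/scopes), as an added example that is not from the original posts: Azure AD access tokens carry delegated permissions in the "scp" claim and application permissions in the "roles" claim, and this sketch reports which one a token has. The tokens are constructed and unsigned, and the class and method names are assumptions.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class TokenPermissions
{
    // Decodes the payload segment only. The signature is NOT verified: diagnostics, not validation.
    static JsonElement Payload(string jwt)
    {
        string[] parts = (jwt ?? "").Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');   // base64url -> base64
        b64 += new string('=', (4 - b64.Length % 4) % 4);            // restore padding
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using (JsonDocument doc = JsonDocument.Parse(json)) return doc.RootElement.Clone();
    }

    // "scp" (space-separated string) = delegated; "roles" (array) = application permissions.
    public static string Describe(string jwt)
    {
        JsonElement p = Payload(jwt);
        if (p.TryGetProperty("scp", out JsonElement scp) && scp.ValueKind == JsonValueKind.String)
            return "delegated: " + scp.GetString();
        if (p.TryGetProperty("roles", out JsonElement roles)
            && roles.ValueKind == JsonValueKind.Array && roles.GetArrayLength() > 0)
            return "application: " +
                   string.Join(" ", roles.EnumerateArray().Select(r => r.GetString()));
        return "no scp/roles claim: token carries no permissions";
    }

    // Builds an unsigned, constructed token for the demo below.
    static string Fake(string payloadJson)
    {
        Func<string, string> enc = s => Convert.ToBase64String(Encoding.UTF8.GetBytes(s))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        return enc("{\"alg\":\"none\"}") + "." + enc(payloadJson) + ".sig";
    }

    public static void Main()
    {
        const string aud = "\"aud\":\"https://graph.microsoft.com\"";
        Console.WriteLine(Describe(Fake("{" + aud + ",\"scp\":\"Mail.ReadWrite User.Read\"}")));
        Console.WriteLine(Describe(Fake("{" + aud + ",\"roles\":[\"Mail.ReadWrite\"]}")));
        Console.WriteLine(Describe(Fake("{" + aud + ",\"appid\":\"00000000-0000-0000-0000-000000000000\"}")));
    }
}
```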
I have a Facebook app and made it public. It is used by my .NET web application, so there are users who log in to my web application via the Facebook app through the JS SDK.
In the app authorization for my web app I have explicitly asked for permission for friends with public profile.
I want to create a console application that gets friends of the authorized users, and I know the app will only provide those friends that have also authorized the app.
So from my console app, when I try to get friends of a user with a facebookId that has authorized my app but is not a friend of the web app creator, the result is empty.
Is there any way to get the required info?
So I figured out what I was doing wrong. I needed to store the useraccesstoken for users who are using my app, and from there I can get information about them if they are offline, and the app can control the life of the access token, short or long lived.
Thanks for responding though.
Using this call directly in the browser I am able to invite a user to a Yammer group:
GET https://www.yammer.com/insert_yammer_network_name/group_settings/process_additions/isert_groupID.json?id=isert_groupID&invites[ids][]=&invites[emails][addresses]=insert_email#domain.com&auto_add_invitees=true&authenticity_token=insert_oauth-token
I get the following response:
{"status":"ok"}
However, it only works when I am logged in with the admin user in the same browser.
When I try doing the same thing from a console application I get 406.
EDIT: Other calls work perfectly with the token I have, and without the need to be logged in with the admin user. I believe my browser stores admin user credentials as cookies and then allows the call. The thing is that my call needs the admin to verify that users can have access to that particular group.
It's called OAuth authentication, take a look at the Yammer .NET SDK part OAuth In .NET SDK