Login via Facebook (Oath2)

Phil Massyn
Posts: 11
Joined: 2018-01-04 18:36

Login via Facebook (Oath2)

Post by Phil Massyn » 2018-05-24 12:44

Hi everyone,

I'm working on an OAuth2 plugin that will allow users to authenticate via Facebook instead of relying on the local database. It is pretty much ready to go, and I'll be launching it soon, but I'd like to do a bit more testing.

I'd like to ask your help to check it out, and see if you spot any issues. Of course it works with my profile, but it would be good to get some feedback from the field.

Have a look at https://phonebook.massyn.net , which should really be a very simple phonebook application limited to your own records, and let me know how you find the "Logon with Facebook" experience.

Moh Youba
Veteran Member
Posts: 228
Joined: 2017-03-12 09:31

Re: Login via Facebook (Oath2)

Post by Moh Youba » 2018-05-25 16:28

Hello

Great idea. I had a try, but after confirming with Facebook it redirects me to a blank page with the word "Array" in the top left corner!

Regards,

baudwalker
Veteran Member
Posts: 188
Joined: 2015-02-03 08:08
Location: Bellingen NSW Australia

Re: Login via Facebook (Oath2)

Post by baudwalker » 2018-05-26 00:35

I am a born sceptic. I would not use Phil's Facebook login.

Phil Massyn
Posts: 11
Joined: 2018-01-04 18:36

Re: Login via Facebook (Oath2)

Post by Phil Massyn » 2018-05-26 01:02

baudwalker wrote:
2018-05-26 00:35
I am a born sceptic. I would not use Phil's Facebook login.

Haha! Ok, keep using the internal MD5 hashed password then...

Phil Massyn
Posts: 11
Joined: 2018-01-04 18:36

Re: Login via Facebook (Oath2)

Post by Phil Massyn » 2018-05-26 02:35

Moh Youba wrote:
2018-05-25 16:28
Hello

Great idea. I had a try, but after confirming with Facebook it redirects me to a blank page with the word "Array" in the top left corner!

Regards,

Issue fixed. Thanks for pointing it out. The reason you saw "Array" is because something went wrong with the OAuth2 authentication to Facebook. Maybe you replayed the API call, or maybe you did not authorise the app. Regardless, the "Array" was a bug on my side that did not handle the JSON response from Facebook correctly. Now if there's an error, it will tell you what the error is.

It is also indicated that during development, Facebook was happily returning my own email address, but once the app was published, the email address was no longer provided. Now I'm using the internal Facebook ID as the memberID in the database.

If I get a few more tests, I'll be happy to share the plugin with whoever would like to use it.
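
The failure mode described in the post above (an error object from Facebook showing up as the word "Array") and the switch to the Facebook ID as memberID, sketched as an added PHP example that is not part of the original post or the plugin's code. The function name, the `fb_` prefix and the sample response bodies are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: turn a Facebook JSON response body into either a
 * member ID or a readable error message, never an echoed array.
 */
function fb_identity_from_response(string $body): array
{
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return ['ok' => false, 'error' => 'Response from Facebook was not valid JSON'];
    }

    // Failures carry an "error" member. Graph API sends an object with a
    // "message"; echoing that object directly is what prints the bare word
    // "Array". A plain-string error (RFC 6749 style) is accepted as well.
    if (isset($data['error'])) {
        $err = $data['error'];
        $msg = is_array($err) ? ($err['message'] ?? null) : $err;
        return ['ok' => false, 'error' => is_string($msg) ? $msg : 'unspecified error'];
    }

    // The numeric user ID is the stable key; email is optional and may be absent.
    $id = $data['id'] ?? null;
    if (!is_string($id) || !ctype_digit($id)) {
        return ['ok' => false, 'error' => 'No usable Facebook user ID in response'];
    }
    $email = $data['email'] ?? null;
    return [
        'ok'       => true,
        'memberID' => 'fb_' . $id,   // hypothetical prefix, keeps IDs apart from local accounts
        'email'    => is_string($email) ? $email : null,
    ];
}

// Constructed sample bodies (not captured traffic).
$samples = [
    '{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}}',
    '{"id":"10000000000001","name":"Test User"}',
    '{"id":"10000000000002","name":"Test User","email":"user@example.com"}',
    '<html>gateway timeout</html>',
];
foreach ($samples as $body) {
    $r = fb_identity_from_response($body);
    // Escape the error text: it originates from a remote response.
    echo $r['ok']
        ? "login as {$r['memberID']}" . ($r['email'] ? " ({$r['email']})" : ' (no email)')
        : 'login failed: ' . htmlspecialchars($r['error']);
    echo PHP_EOL;
}
```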

baudwalker
Veteran Member
Posts: 188
Joined: 2015-02-03 08:08
Location: Bellingen NSW Australia

Re: Login via Facebook (Oath2)

Post by baudwalker » 2018-05-26 12:17

My main concern is using the same login for multiple secure sessions. Lose control of your Facebook account and you could lose everything.

Moh Youba
Veteran Member
Posts: 228
Joined: 2017-03-12 09:31

Re: Login via Facebook (Oath2)

Post by Moh Youba » 2018-05-26 21:01

Hi Phil, working fine now.
I also agree with you, "baudwalker".

Phil Massyn
Posts: 11
Joined: 2018-01-04 18:36

Re: Login via Facebook (Oath2)

Post by Phil Massyn » 2018-05-26 23:28

Moh Youba wrote:
2018-05-26 21:01
Hi Phil, working fine now.
I also agree with you, "baudwalker".

It's up to you how you implement the security on your site. You will still retain your normal admin account. The plugin is not a replacement of your authentication, it is in addition, meaning that you can still use the admin account, or the local password if you so choose, but the option is there to allow your users to authenticate via Facebook, thus relieving you of the obligation to store the passwords securely.

It also comes down to your risk profile. You may be concerned about losing access to the Facebook account, but are you not concerned about how AppGini stores the passwords (like I've mentioned before - MD5, and that's really not a good thing!)? At least by using centralized authentication (be it Facebook OAuth2, ADFS, or any other federation service), it is a lot easier to manage a single account, than a bunch of accounts across separate different systems. A single account getting attacked is a lot easier to protect with multi-factor authentication than 10 different accounts across 10 different systems.

It is up to your risk profile and your risk appetite. I'm providing it as a service to the community. How you implement it is entirely up to you.

The plugin is released, and can be downloaded from Github. https://github.com/massyn/appgini-tools ... /README.md

Moh Youba
Veteran Member
Posts: 228
Joined: 2017-03-12 09:31

Re: Login via Facebook (Oath2)

Post by Moh Youba » 2018-05-27 13:19

Thanks Phil

jmcgov
Veteran Member
Posts: 79
Joined: 2018-12-19 01:31
Location: Northern Ireland

Re: Login via Facebook (Oath2)

Post by jmcgov » 2019-10-17 23:45

Hi Phil, is your FB login in use anywhere? Did you also create a Google version? TIA James
