Posted by halkeye on June 11, 2007 at 10:34pm
Noticed that the other one .. well doesn't support the new platform in the slightest, therefore doesn't work.
Whipped up a new version using the standard library.
I have yet to decide if i'm going to try and push to get this to replace the current code, or setup a new module, but in the mean time, i have a early release up @ http://www.kodekoan.com/files/facebook_auth.tgz which someone might be interested in.
Added its own new project. http://drupal.org/project/facebook_auth
Comments
Test setup too
Also have a quick test setup up @ http://facebook.oinkpig.halkeye.net/
all non login related things have been disabled though.
Awesome
Yeah, we should take over the old one and get some co-maintainers like you and James in there. This module is clearly facebook_auth, while the other one is facebook or facebook_api
So you are suggesting make a
So you are suggesting make a new project called facebook_auth?
I renamed it (internally) because this one was designed to just do one thing, and from the rest of the discussions there are plans to support other sections.
Collection of modules, one project
No, a collection of modules under the (single) Facebook project. So, your stuff would be facebook_auth, and the stuff that James Andres checked in would be the main Facebook API module.
I just emailed the current maintainer.
Just wanted to say...
...again, that I got this working and it's great. Nice work, Gavin.
See http://apps.facebook.com/bmannconsulting (not so exciting, it's just the website inside an iframe) or go to http://bmannconsulting.com directly and click on the Facebook icon next to user login block in order to login.
Exactly what I'm looking for!
Hey Gavin & Boris,
What you guys have, for example, on the bmannconsulting.com site is pretty much EXACTLY what I want for my site -- i.e. if members are already on Facebook, simply clicking the application appends all their Facebook user profile info into my site. Is there any way that this info could include their main photo as well? ...
Staying abreast of what you guys are doing ... great stuff! :) ... I need to learn a bit more of the technical mumbo-jumbo and techniques, but I'll just pay attention in the meantime ...
-.-
Looking at Boris's Site brought up a question about this module and others like it (OpenID). Both modules are on the site, and both try to have me create a new account. I only need one account for a particular site.
Is there a way to tie a Facebook or OpenID Login to an already existing user? I'm thinking down the line for when we can make use of additional abilities of the Facebook API, and other external API's. Isn't there some SoC work to play nicer with Google and it's GData API? I know there's already code for YouTube, Flickr, and Upcoming.org.
User's aren't going to want to register on a site multiple times to make use of multiple services they are already signed up for. Plus, doesn't user.module require a unique email address.
Speaking of email address, if I want to post a comment on someone's site, why do I have to provide an email address? The fact that I used my Facebook account/OpenID should be enough to have me not be Anonymous.
It really wouldn't be that
It really wouldn't be that hard to tie a user to a facebook authentication, its just an entry in the automap table (setting $user->auth_facebook_auth pretty much)
And apparently user only requires a unique email upon registration.
A User can be created with next to know issues with no email attached.
Some comments
Yes. OpenID already works this way. You can either a) create an account with OpenID and add additional OpenID logins to the same account or b) go into your account created the "normal" way and add an OpenID.
So, you can actually create an account with Facebook, and then add OpenIDs to it.
@Gavin: best practices with this identity stuff is to key on email. So, if there is an existing account with the same email, tie into that.
Gavin chose to have people end up on user/XXX/edit -- but you can choose to not fill out the form and your account will still be active. OpenID also does not require an email address....but as soon as you edit user/XXX/edit and want to submit changes, email is required.
I will try to add that
I will try to add that feature as soon as i get some dev time.
Unfortunately facebook doesn't provide an email address at all, so you can't pre-fill it in or link to other accounts using the same thing.
But I'm thinking, you could easily link your facebook account to your user by just following the login link while already logged in.
Check out OpenID
You could have a "link this account to Facebook" on the user account page, perhaps. It's kind of an edge feature, though...the people that know enough to do it are really just going to be experimenting with this.
I'm not really sure how to
I'm not really sure how to handle this as a UI. Put just a link on the bottom of the /view page?
Either way, you can now link a facebook to your account by being logged in and going to /facebook.
I'm thinking it might be better to a form on initial click to make sure they want to create a new account (vs link an existing account) and force them to provide an email address.
security and the (non-iframed) canvas
I like the way a user can authenticate using only their Facebook info, but saving users to the Drupal db with blank passwords seems like a major security flaw.
Also, I'm looking to create a Drupal-based site which forces users to add the application and view it within the Facebook canvas... using the $facebook->require_add() and $facebook->require_frame()
I noticed that although I was already authenticate inside Facebook, this page requires me to re-authenticate...
http://apps.facebook.com/bmannconsulting
This is due to the iframe, but it'd be nice to use a special theme to create FBML-based canvas pages.
do you have a better idea
do you have a better idea for the password? Some random string?
Right now i checked, the login forums do not accept blank as a password.
session key?
What about using the Facebook user's session_key (assuming they have added your app). This would allow you to write to their profile at any time (unless they remove your app of course).
I did switch the code to
I did switch the code to user_password (as suggested below).
Would session ID be any more secure than user_password?
Specially if i setup a config setting to allow the changing of the generated password length.
I would also assume that thier session ID changes per login and stuff, so really storing it as the password for later use (i'd think storing it as a different parameter would be better) isn't exactly worth it.
user_password
http://api.drupal.org/api/5/function/user_password is what you want.
facebook module collection
As Boris said, we need "a collection of modules under the (single) Facebook project."
There are so many more things beyond authentication, although I agree that is the most critical... We will need a way to store the user's session key in a database if they have the app installed so that we can write to profiles and feed at any time. Of course, having the profile writing, feeding, and a scheduler (or hook into actions) would be ideal... and views to be able to relate users within the provided friends array.
No I'm not saying we
No I'm not saying we shouldn't store it, i'm saying that password is a bad field for it.
More importantly, sessions can change after a timeout, so storing them in the user object isn't the best idea.
I'd suggest using the _SESSION var instead.
+1
Just wanted to say that I've finally had time to test it. It works great. Thanks.
Another usecase
Another usecase, that I'm having to deal with personally, is the problem of synchronizing a group of Facebook users with a Drupal installation.
I'm not sure if it makes sense to put it into the facebook_auth.module, but I'll throw it out there anyway. Here's my problem:
UI doesn't matter, I want this all happening programmatically in the back end (I can't think up a scenario where a non-programmer would be needing to do this).
Thoughts?
James.
Helping out
Hey guys,
We've been doing some work (with some help from Moshe) on a Facebook auth module. Sorry for building in the dark, but it's been a crazy few weeks. We'd like to contribute this back and merge with the facebook_auth module if there is some value there. After this weekend things should calm down and we'll be able to clean up some code to get something solid in place.
I just made a post on d.o related to one bug I just caught (Boris saw it first hand!) at http://drupal.org/node/154191.
Our app is at http://apps.facebook.com/mychipin if you wanna check it out.
Talk soon,
-Rob
I have to say, i went to
I have to say, i went to chipin.com and didn't actually see anything resembling facebook authentication?
are you saying to did some? or is it more a drupal wrapper around the facebook api?
App link
Check out the app link I referenced above. We are redoing ChipIn.com and won't be provided Facebook auth into the current site as that is not Drupal. The new site will be Drupal and will have SSO. Our Facebook app, however, is built on Drupal 5 and uses auto-login within the Facebook Platform wrapper. The relaunch of ChipIn.com on Drupal will use the same code base as the FB app is using now, just with some more features.
A possible solution?
Hello everyone, I just found this thread. I think the key might be having a facebook_auth table that stores the Facebook uid along with whatever the password for that account may be. If the user has only accessed the Drupal installation through Facebook canvas let the password be a random value. When the user decides they want to have a special password for accessing the site, the random password in facebook_auth can be replaced with this. If the user already has an account, have a link to associate accounts. The point is that Facebook canvas users should never have to enter a password, authentication through their Facebook user id is enough.
Of course this is assuming we're allowed to store uid to identify users. Check out http://developer.facebook.com/documentation.php?v=1.0&method=users.getLo...
Looks like user id is cool. Storable values listed in Misc
http://developer.facebook.com/documentation.php?v=1.0&doc=misc
Those are my two cents, looks like robroy might be figuring this out.