I'm trying to build a canvas iframe application for Facebook. The app needs to do a couple of things:

  1. Within Facebook display a leaderboard comparing you to your friends
  2. Post messages to your wall

Facebook recommend building all new apps as iframe apps, hence using this API. I've downloaded the PHP SDK and installed the example as my app.

I'm confused as to why the example.php presents a login button to a user - isn't the idea that the current user is already logged into Facebook?

My current solution redirects the user to http://graph.facebook.com/oauth/authorize for authorisation, then grabs the OAuth token (for posting messages later) and heads back to an application page within the Facebook canvas.

Is this really the only way to get the current Facebook user associated with my app, and to get permissions for posting messages later?

A: 

It's helpful to understand that the getLoginUrl() and getLogoutUrl() methods of the new SDK are references to the URLs required for the user to grant or remove the specified permissions - not to actually log in or out of anything in the traditional sense.

Still, the terminology somewhat fits since logging in or out of a site indicates a change in permissions.

Look at this relevant post about JavaScript authentication.

Peter Bailey
A: 

You can customize the text that shows up for the button with the JS SDK (which is what I would highly recommend using if you're just getting started with a Canvas application):

<fb:login-button size="medium">Authorize MyCoolApp</fb:login-button>

For example: http://apps.facebook.com/fbrelll/xfbml/fb:login-button.

The OAuth approach you mentioned will also work just fine.

daaku
+1  A: 

If you want to get the current logged in user on the server side, the best way I've found to do this is to try to make an API call:

try {
    $response = $facebook->api('/me');
}
catch (FacebookApiException $e) {
    //User not logged in
}

If the call is successful you now have access to the logged-in user id, access token, name, and some other basic stuff (e.g. $facebook->getUser() or $facebook->getSession()). Otherwise, if you catch a FacebookApiException, you know the user is not logged in and will need to be redirected to get an access token. The simplest way is just to redirect to the URL returned by $facebook->getLoginUrl() (http://github.com/facebook/php-sdk/blob/master/src/facebook.php line 322), to which you can pass the required permissions:

$facebook->getLoginUrl(
    array('req_perms'  => 'email,publish_stream',   // permissions to request
          'next'       => 'http://www.redirect-upon-login.com',
          'cancel_url' => 'http://www.redirect-if-user-clicks-cancel'));

You can basically do the same thing in JavaScript (which I prefer since there's a popup dialog/window instead of a redirect):

FB.login(function(response) {
    if (response.session) {
        if (response.perms.indexOf('publish_stream') != -1) {
            //User has logged in and given us publish_stream permissions
        }
        else {
            //User has logged in but not given us publish_stream
        }
    }
    else {
        //User is not logged in
    }
}, {perms:'offline_access,publish_stream'});

To answer your other question on the example.php, it looks like the login button should only be shown if no user is logged in. Otherwise, it shows a logout button.

With regards to redirects, that's basically how OAuth needs to work if it is to serve the purpose of securely allowing a third party to take actions on a user's behalf (your app posting on the user's wall, for example). Facebook needs the user to approve your 3rd-party app to take actions, so it needs the user to prove his/her identity to give this okay (otherwise you could just impersonate the user). Facebook needs to be the one asking for this okay too, not your app (hence the redirect to Facebook's site), because it would not be very secure at all if your app could just speak for the user. It is a pain though, I will agree, and Facebook's documentation does not help this in the slightest.

jcmoney
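The three outcomes of the FB.login callback in the answer above, factored into testable functions as an added example (not code from the original answers or from the Facebook SDK). It assumes the old JS SDK response shape `{session, perms}` with `perms` a comma-separated string, and uses a constructed stand-in for `window.FB` so it runs offline; it also compares whole permission names rather than using the substring `indexOf` check from the answer.

```javascript
// Split the SDK's comma-separated perms string into a set of exact names.
// A plain indexOf() check would also match a longer permission that merely
// contains the wanted name, so compare whole tokens instead.
function grantedPerms(response) {
  var raw = (response && typeof response.perms === 'string') ? response.perms : '';
  var set = {};
  raw.split(',').forEach(function (p) {
    p = p.trim();
    if (p) set[p] = true;
  });
  return set;
}

// Which of the permissions we asked for did the user not grant?
function missingPerms(response, requiredPerms) {
  var granted = grantedPerms(response);
  return requiredPerms.filter(function (p) { return !granted[p]; });
}

// Classify the login response into the three branches of the callback:
// not logged in, logged in without the permission, or fully authorized.
function decideLoginState(response, requiredPerms) {
  if (!response || !response.session) return 'not_logged_in';
  return missingPerms(response, requiredPerms).length === 0
    ? 'authorized'
    : 'missing_permission';
}

// Run the login flow through an injected SDK object (window.FB in a real
// page) and report the outcome via onDone(state, missingPerms).
function authorizeForPosting(fb, requiredPerms, onDone) {
  fb.login(function (response) {
    onDone(decideLoginState(response, requiredPerms),
           missingPerms(response, requiredPerms));
  }, { perms: requiredPerms.join(',') });
}

// Constructed stand-in for window.FB (assumption, not the real SDK): returns a
// canned response and records the options passed to login().
function makeFakeFB(cannedResponse) {
  var fake = { lastOptions: null };
  fake.login = function (cb, options) {
    fake.lastOptions = options;
    cb(cannedResponse);
  };
  return fake;
}
```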
