Facebook/twitter "instant" login

**adam1** · May 25th, 2011, 06:35 AM

Hi,

We have a system working with Spring Social and have implemented the "login with facebook" and "login with twitter" buttons. We have received a request to add the facility to perform an "instant" login. The request relates to a hypothetical user who has already linked their account on our system to say Facebook and is currently logged into Facebook but not to our system. I want to know if there is some way to log the user straight into our system as soon as they visit the front page without first requiring them to click on a "login with Facebook" button.

My questions therefore are:

(1) Is it possible to perform such an "instant" login with Spring Social?
(2) If not, is it even theoretically possible with another framework?

Thanks in advance.

Cheers, Adam.

**fedegaule** · Nov 7th, 2011, 10:41 PM

Did you manage to get the instant login?

**adam1** · Nov 8th, 2011, 02:41 AM

No, I never did. I suspect it's not possible but I never found out for sure.

**habuma** · Nov 8th, 2011, 08:41 AM

I see no reason why it couldn't be done (disclaimer: I've not tried it). The way the "Sign In With XXX" functionality is kicked off is with a form submission, so at very least you should be able to...

- Use each platform's respective JS API to determine if the user already has a Twitter/Facebook session in play.
- If there is a session, then have some JavaScript that submits that form automatically
- There'll be a browser redirect, but in the end the user can be returned to the front page.

There are likely other ways to do this (maybe even ways that avoid the browser redirects), but it will take some experimentation to find them. I encourage you to try out the approach I spelled out above and let us know if it works. Or if you find a better way, we'd also be interested in hearing that.

**rickcr** · Nov 8th, 2011, 10:27 AM

I'd do like Craig said, and do this from your initial signin page, this way if they haven't had a previous connection made with facebook they could still login with their normal login credentials. This is where the Social tag that Craig helped me with comes in handy. Something like this you could do on your signin page, which will attempt to automatically sign them if they have a facebook connection...

Code:

<%@ taglib prefix="social" uri="http://localhost/social" %> 

<script type="text/javascript">
	$(document).ready(function() { //using jquery 
		<social:connected provider="facebook">	
			$("#fb_signin_form").submit();
		</social:connected provider="facebook">	
	});
</script>

If you want the tag code just let me know (or it's back a few pages in this forum as well.)

**habuma** · Nov 8th, 2011, 01:38 PM

I like that tag, BTW. If you submit a pull request, I might review it in more depth and merge it into Spring Social. I could do it by copying what's in the previous forum post, but as a pull request you'll get credit for the work.

**chelu** · Nov 9th, 2011, 03:32 AM

Hi,

I just start playing wiht spring social and I use this class for parsing facebook signed request and return a ConnectionData for use with ConnectionFactory.createConnection() method.

May be useful for you.

Code:

/*
 * Copyright 2009-2011 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package info.joseluismartin.facebook;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import net.sf.json.JSONObject;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.social.connect.ConnectionData;

/**
 * Facebook signed_request parser.
 * 
 * @author Jose Luis Martin
 */
public class SignedRequestParser {
	
	public static final String SIGN_ALGORITHM = "HMACSHA256";
	private static final Log log = LogFactory.getLog(SignedRequestParser.class);
	
	private String secret;
	
	public ConnectionData parse(String signedRequest, String secret) {
		
		ConnectionData data = null;
		
		if (signedRequest == null)
			return null;
		try {
			String[] requestArray = signedRequest.split("\\.");
			if (requestArray.length == 2 && verifySign(requestArray[0], requestArray[1])) {
				String payload = requestArray[1];
				payload = payload.replace("-_", "+\\");
				String decoded = new String(new Base64(true).decode(payload));
				JSONObject json = JSONObject.fromObject(decoded);
				String providerUserId = json.getString("user_id");
				String accessToken = json.getString("oauth_token");
				data = new ConnectionData("facebook", providerUserId, "", "", null, accessToken, 
						secret, null, null);
			}
		}
		catch(Exception e) {
			log.error(e);
		}
		
		return data;
	}

	/**
	 * Verify payload signature
	 */
	private boolean verifySign(String sign, String payload) {
		SecretKeySpec sks = new SecretKeySpec(secret.getBytes(), SIGN_ALGORITHM);
		Mac mac;
		try {
			mac = Mac.getInstance(SIGN_ALGORITHM);
			mac.init(sks);
			byte[] my = mac.doFinal(payload.getBytes());
			byte[] their = new Base64(true).decode(sign);
			
			return Arrays.equals(my, their);
			
		} catch (NoSuchAlgorithmException nsae) {
			log.error(nsae);
			return false;
		} catch (InvalidKeyException ike) {
			log.error(ike);
			return false;
		}
	}
	
	/**
	 * @return the secret
	 */
	public String getSecret() {
		return secret;
	}

	/**
	 * @param secret the secret to set
	 */
	public void setSecret(String secret) {
		this.secret = secret;
	}
}

Cheers

**habuma** · Nov 9th, 2011, 08:03 AM

Thanks for the signed_request code. I had something similar in mind and planned so that Spring Social could properly work within a Facebook Canvas app. (The canvas example we have now works, but doesn't use the signed_request as it should.) https://jira.springsource.org/browse/SOCIALFB-23 talks about enabling this within the web argument resolver, but I was also thinking about it in a way that's more akin to how the signin controller works. It's definitely on the todo list.

**mschipperheyn** · Nov 11th, 2011, 01:54 AM

Tlking about TODO lists. What is the roadmap for Spring Social? For me the LinkedIn library is the biggest gap and I hope to be able to spend time on it but right now, I don't have it. And then there is auto-reaquire for expired tokens.

**rickcr** · Nov 11th, 2011, 02:03 AM

Originally Posted by mschipperheyn

And then there is auto-reaquire for expired tokens.

hmmm can you explain how the current token behavior works? and possible issues? I haven't looked at all into it. Wouldn't want any surprises a few months down the road based on some token issues? (probably best as a new thread if you feel like replying... hate to hijack this one.) Thanks

Thread: Facebook/twitter "instant" login

Thread Tools

Display

Facebook/twitter "instant" login

Tags for this Thread

Posting Permissions