Facebook connection detection

[habuma]

Unfortunately, Michael's idea (although on the surface a solid one) doesn't work. Even with an established authorization, the Location header is empty and it appears that FB uses JavaScript code to do the redirect. (I say it "appears" because the body of the response is rich with JS and at least some portion of that JS code checks for a cookie and does a redirect if it *is* found, but it's a bit obfuscated and I've not bothered digging any deeper into it.) I did, however, try a diff between the response bodies for both authorized and non-authorized and found that they were essentially identical (only a few timestamp values seemed to differ).

That said, it may be possible to *detect* an existing authorization by checking for the existence of those cookies. Actually getting the info out of them to create a connection may prove more difficult, however. At one time it was fairly easy to do, but then FB changed their cookie structure and I can't say for sure what's in there now. Sounds like I need to do another investigation into the contents of the cookie. I can say that if the access token is available in the cookie then you should be able to get at it using @CookieValue (but that would require you to write a Spring MVC controller to receive it).

[michaellavelle]

I was initially thinking that RestTemplate could be used for this call, but after some more thought I'm not sure if this would work.

If the user had authorized the application via client-side Javascript it would be their browser session which retained the authorization (via cookies?), so for the RestTemplate approach to work the Facebook cookies or some session id would need to be sent via RestTemplate.

An alternative could be to hit the authorization endpoint using Javascript using AJAX or some other mechanism and inspect the response for the location header - not sure if there are any restrictions on doing this? Or even better, as Craig suggested, if the Facebook JS client-side library supported obtaining the current authorization code, you could then pass this over to the server-side controller which could exchange for an access token.

[michaellavelle]

Looks like my last reply overlapped with Craig's last reply. After further reflection, I don't think an AJAX approach can't be used because response headers can't be accessed, but I think I have found a (low tech) way of detecting a connection which was instigated by a spring-social app.

A simple hidden frame embedded in a page, with src="https://graph.facebook.com/oauth/authorize?client_id=...&response_type=code&redirec t_uri=<your_redirect_url>" will result in a callback to your_redirect_url with a code parameter if the user is already logged in. If you have a controller at <your_redirect_url> which takes this code, exchanges for an access token and creates your connection, I think this may work.

In fact, this is exactly what the ProviderSignInController does - if you register a ConnectionSignUp instance with your UsersConnectionRepository and register a ProviderSignInController with your application, you could get implicit sign up by having a hidden frame with "https://graph.facebook.com/oauth/authorize?client_id=...&response_type=code&redirec t_uri=http://localhost:8080/signin/facebook>" for example.

As I mentioned above - this seems to work when facebook authorization has been generated using the spring-social authorisation flow - what I don't know is whether this approach would work if the authorization was instigated by Javascript

[habuma]

Good point on the cookies...I clearly hadn't had enough of my morning caffeine when first thinking about it.

That's a nice tip...and I suspect it would work. But it is a bit kludgy/hackish. A cleaner approach, I think, would be to let some JS determine the authorization status and send the details of the authorization (access token, et al) to the server-side for the purposes of establishing a connection in Spring Social. I'm reasonably certain that will work, although it would require some JS on the client-side and some custom (e.g., not currently implemented in Spring Social) server-side work to receive the authorization details.

As long as the client-side code and the server-side code are using the same App ID when working with FB, the authorization-stuff should work fine between both sides because it's the same authorization. (e.g, same App ID, same authorization.)

[fullydead]

The trick of using js to pass access token works

[veronicazora]

For Facebook Connect to work you need to Setup Application on Facebook and obtain its App ID/API Key and Application Secret.Use your store name as application name and read and accept terms of service. The Facebook Connect Wizard is just what it sounds like – a way to incorporate Facebook Connect into your website in three steps. Just enter in your URL, upload a file to your server so that Facebook Connect can talk to your site.