I am upgrading the Facebook sdk from 3.x to 4.x and the Facebook docs make it clear that read permissions and publish permissions need to be requested separately. When the app requests read permissions, the user logs in and grants the permissions but when the app requests publish permissions, it makes the user log in again even though the user already has an access token? Is there a way to just request the permissions without having to force the user to log in again?
The Facebook android sdk allows this without having to log in twice but iOS seems to be preventing this behavior completely, which seems crazy. If an app implementation requires both read and publish permissions for the integration to even work, forcing the user to log in twice is just unnecessary friction and a bad user experience.
I have gone through the SDK class named FBSDKInternalUtility.h, in which we got one method
+ (BOOL)areAllPermissionsReadPermissions:(NSSet *)permissions
{
for (NSString *permission in permissions) {
if ([[self class] isPublishPermission:permission]) {
return NO;
}
}
return YES;
}
+ (BOOL)isPublishPermission:(NSString *)permission
{
return [permission hasPrefix:#"publish"] ||
[permission hasPrefix:#"manage"] ||
[permission isEqualToString:#"ads_management"] ||
[permission isEqualToString:#"create_event"] ||
[permission isEqualToString:#"rsvp_event"];
}
They check below permission in both cases which, while passing permission as NSSet order are getting different, so below checks for first string and return NO. So What did is I have commented out few lines as mentioned below.
+ (BOOL)areAllPermissionsReadPermissions:(NSSet *)permissions
{
//for (NSString *permission in permissions) {
// if ([[self class] isPublishPermission:permission]) {
// return NO;
// }
//}
return YES;
}
I not sure about the changes what I have done is valid or not, but I could have achieved what I wanted. So Happy.
Please, let me know if you have any suggestion to change.
Related
I've added Azure Active Directory Authentication to my function app, but as soon as I set "Action to take when request is not authenticated" to "Login with Azure Active Directory", the development interface for the function app yields this message:
Error:
We are unable to reach your function app. Your app could be having a temporary issue or may be failing to start. You can check logs or try again in a couple of minutes.
Session Id: 23a5880ec94743f5a9d3ac705515b294
Timestamp: 2016-11-16T08:36:54.242Z
Presumably adding the authentication requirement breaks access to the function app in some fashion... though I am able to make changes in the code editor, and they do take effect, I no longer see updates in the log panel: no compilation output messages, for example.
Does anyone know a work-around for this?
So far, I've tried just leaving the auth option to "Allow anonymous requests (no action)" and using this following code:
public static async Task<HttpResponseMessage> Run(HttpRequestMessage req, TraceWriter log)
{
log.Info("C# HTTP trigger function processed a request.");
var user = "Anonymous";
var claimsPrincipal = Thread.CurrentPrincipal as ClaimsPrincipal;
if (claimsPrincipal != null && claimsPrincipal.Identity.IsAuthenticated)
{
user = claimsPrincipal.Identity.Name;
log.Info($"Hello {user}");
}
return req.CreateResponse(HttpStatusCode.OK, "Hello " + user);
}
However, this (rightly) doesn't redirect to the authentication provider... I would prefer to have the app take care of all that gunge for me, but if doing so means I can't see compilation messages / log messages, it makes it pretty hard to see what's going on.
Nathan,
Unfortunately, this is a limitation at the moment and we're tracking it here: https://github.com/projectkudu/AzureFunctionsPortal/issues/794
Your approach, to allow anonymous and validate in the function is what we recommend at the moment. To extend your workaround, you can add the following code to initiate a login redirect when you detect an anonymous user (the code below assumes you are using AAD).
else
{
log.Info("Received an anonymous request! Redirecting...");
var res = req.CreateResponse(HttpStatusCode.Redirect);
res.Headers.Location = new Uri(req.RequestUri, $"/.auth/login/aad?post_login_redirect_uri={req.RequestUri.AbsolutePath}&token_mode=session");
return res;
}
We understand that isn't ideal and appreciate your patience while we work to improve this.
Thanks!
I am trying to setup push notifications with PubNub on a react-native project. However calling the push.addChannels() method gives me the error 403 with "PNAccessDeniedCategory".
I have tried turning off the access manager but still get the same result. Not to sure if I am passing the correct params though.
I have setup push notifications with apple and uploaded the cert.pem file to PubNub.
pubnub.push.addChannels({
channels: ['ch.staff'],
device: 'ECID-OF-DEVICE-HERE',
pushGateway: 'apns' // apns, gcm, mpns
}, function(status) {
if (status.error) {
console.log("operation failed w/ error:", status);
} else {
console.log("operation done!")
}
});
I can send and receive standard messages without issue, it is just this which doesn't work.
I am following the docs here:
https://www.pubnub.com/docs/javascript/mobile-gateway-sdk-v4#Provisioning_devices_with_channel_names_per_lang_Examples
My main questions are.
Do I need to grant access to use this method and how do I do that?
Is the device field supposed to be the ECID?
PubNub Mobile Push + Access Manager
Access Manager is denying access because the client device's auth-key does not have read permissions (or it doesn't have an auth-key at all).
Either disable Access Manager until you are ready to implement permission granting to auth-keys for your clients by your server, or grant read permission for the client's auth-key for the channels it needs to register for push on (and optionally subscribe to).
For full details see the PubNub Nub operations/permissions mapping in the PubNub JavaScript SDK docs Access Manager tutorial.
The grant permissions would look something like this:
pubnub.grant(
{
channels: ['ch.staff'],
authKeys: ['clientAuthKey'],
read: true, // false to disallow
write: true, // false to disallow
},
function (status) {
// handle state setting response
console.log('Status', status)
}
);
Well I am able to upload video on Youtube but i didn't find a way or relevant code to delete video/videos from Youtube.
Here is my code which i tried to delete the youtube video.
private async Task Run()
{
UserCredential credential;
using (var stream = new FileStream("client_secret.json", FileMode.Open, FileAccess.Read))
{
credential = await GoogleWebAuthorizationBroker.AuthorizeAsync(
GoogleClientSecrets.Load(stream).Secrets,
new[] { YouTubeService.Scope.Youtube },
"user",
CancellationToken.None
);
}
var youtubeService = new YouTubeService(new BaseClientService.Initializer()
{
HttpClientInitializer = credential,
ApplicationName = Assembly.GetExecutingAssembly().GetName().Name
});
var videosDeleteRequest = youtubeService.Videos.Delete("Video ID");
await videosDeleteRequest.ExecuteAsync();
}
But getting 403 response
Error: Google.Apis.Requests.RequestError
Insufficient Permission [403]
Errors [
Message[Insufficient Permission] Location[ - ] Reason[insufficientPermis
sions] Domain[global]
]
A little help or any possible solution will be highly appreciable.
The error translates to:
The video that you are trying to delete cannot be deleted. The request
might not be properly authorized.
https://developers.google.com/youtube/v3/docs/videos/delete
Have you successfully acquired the token of the user that owns the video?
The videos.delete method is preformed on private user data. In order to delete the data you must have permission or consent of the user to access their account. They must have granted you permission in one of the following scopes.
The error message
Message[Insufficient Permission] Location[ - ] Reason[insufficientPermis
sions] Domain[global]
Means that the user did not grant you permission with a hig enough scope. If for example you asked for authorization with only a read only scope you would then not have enough permissions to delete a video.
However if we check your code we can see that you are in fact using YouTubeService.Scope.Youtube. However if you have previously run your application then the client library stored the consent of the user. If you then have changed the scope and not forced the user to consent to authorization again. Then you are still running on the old consent.
The solution in this case is to change "user" to something else which will force it to request authorization again.
I have freeradius configured with Microsoft ldap, I use it to authenticate a user and also check for groups.
in
sites-enabled/default
under post-auth, I have an if statement such as
if(LDAP-Group == "OU=groupA,....."){
update reply{
Cisco-AVpair = "shell:priv-lvl=15"
}
}
Is this correct location to handle something like this, I would assume that it should go into the policy.conf but I am not sure how to call it.
help please!!
thanks
Yes, that's the correct location. If the same policy code is used in multiple places then it can be placed in policy.conf as a named policy. This policy can then be called as you would a module in authorize, authenticate or post-auth.
policy {
my_policy {
...
}
}
post-auth {
my_policy
}
Some context: the user had previously installed the app, authorized FB, everything worked great, then they changed their FB password (through facebook.com), deleted the app, and have now reinstalled it and are running it for the first time again after reinstall.
I am calling [FBSession openActiveSessionWithReadPermissions:allowLoginUI:completionHandler] with allowLoginUI: YES and the read permissions being "email, user_about_me, user_birthday, user_interests, user_location."
The FBSessionState I am getting in the completionHandler is FBSessionStateClosedLoginFailed. The NSLog of the error is this:
Error Domain=com.facebook.sdk Code=2 "The operation couldn’t be completed. (com.facebook.sdk error 2.)" UserInfo=0x1cd68c00 {com.facebook.sdk:ErrorLoginFailedReason=com.facebook.sdk:ErrorLoginFailedReason, com.facebook.sdk:ErrorInnerErrorKey=Error Domain=com.apple.accounts Code=7 "The Facebook server could not fulfill this access request: Error validating access token: The session has been invalidated because the user has changed the password." UserInfo=0x1cd5b970 {NSLocalizedDescription=The Facebook server could not fulfill this access request: Error validating access token: The session has been invalidated because the user has changed the password.}}
That internal error domain is ACErrorDomain and error code ACErrorPermissionDenied. So, how do I let the user re-authorize the app?
I have tried calling openActiveSessionWithReadPermissions again but that just keeps outputting the same error. I have also tried [FBSession.activeSession closeAndClearTokenInformation] but that doesn't seem to do anything (presumably because there is no activeSession).
Hitting a very similar sort of bug with 3.2.1 Facebook SDK. In my case, I get into FBSessionStateOpen but have been given an invalid access token. As the question states, the normal closeAndClearTokenInformation and even deleting the app doesn't fix it. The only way I have been able to get-back-in under this scenario is to have the user change their password in the setting app. So this is what I do.
// In my completion handler FBSessionStateOpen is called BUT an
// invalid accessToken was detected.
[session closeAndClearTokenInformation];
[FBSession renewSystemCredentials:^(ACAccountCredentialRenewResult result,
NSError *error)
{
if (result == ACAccountCredentialRenewResultFailed ||
result == ACAccountCredentialRenewResultRejected)
{
[self showErrorMessage:NSLocalizedString(#"You may need to re-enter your Facebook password in the iPhone Settings App.\n", nil)];
}
else
{
// attempt opening a session again (after they have updated their account
// settings I end up here)
[self facebookLogin]; // Performs openActiveSessionWithReadPermissions,
// but this time around the token issued should be good.
}
}];
This is the only pragmatic solution I have been able to come up with.
I think you need to get a new access token with code like this...
[FBSession.activeSession closeAndClearTokenInformation];
[[FBSession class] performSelector:#selector(renewSystemAuthorization)];
[FBSession openActiveSessionWithReadPermissions:nil
allowLoginUI:YES
completionHandler:^(FBSession *session, FBSessionState state, NSError *error) {
}