So, the first time I did this was a while back and I remember it being very confusing.
Here's the basic breakdown:
First, configure your application's settings on Facebook.
Note: the Canvas Callback URL is where you are going to create the page (in my case Default.aspx) that Facebook connects to.
Second:
Make an ASP.NET website. As above, mine is called “FacebookApps”. Then I made a folder for the “jpeckham” Facebook app, then a folder called Canvas inside it, and then I put a new web form called Default.aspx in that folder. It looks like this:

Third:
Set up your REST service client so the WCF service contract has these two operations (the interface name here is illustrative; the operations and URI templates are what matter):
    using System.ServiceModel;
    using System.ServiceModel.Channels;   // Message
    using System.ServiceModel.Web;        // WebGet, WebMessageBodyStyle

    [ServiceContract]
    public interface IFacebookRestClient
    {
        // Users.getLoggedInUser: needs a signed call with the user's session key.
        [OperationContract]
        [WebGet(UriTemplate = "?method=Users.getLoggedInUser&api_key={apiKey}&sig={sig}&v=1.0&call_id={callId}&session_key={sessionKey}",
            BodyStyle = WebMessageBodyStyle.Bare)]
        Message getLoggedInUser(string apiKey, string sig, string callId, string sessionKey);

        // Auth.getSession: exchanges the auth_token from the login redirect for a session.
        [OperationContract]
        [WebGet(UriTemplate = "?method=Auth.getSession&api_key={apiKey}&sig={sig}&v=1.0&auth_token={authToken}",
            BodyStyle = WebMessageBodyStyle.Bare)]
        Message getSession(string apiKey, string sig, string authToken);
    }
Lastly:
Then put some .NET/C# code in the page's code-behind, something like this:
    protected void Page_Load(object sender, EventArgs e)
    {
        string apiKey = "1f3b0f29b995519b003f0fe236d56907";
        Facebook.Service.FacebookCustomProxy proxy = new Facebook.Service.FacebookCustomProxy("FacebookClient", apiKey);

        if (string.IsNullOrEmpty(Request.QueryString["fb_sig_session_key"]) && string.IsNullOrEmpty(Request.QueryString["auth_token"]))
        {
            // Neither a session key nor an auth token: send the user to Facebook to log in.
            Response.Redirect("http://www.facebook.com/login.php?v=1.0&api_key=" + apiKey);
        }
        else if (!string.IsNullOrEmpty(Request.QueryString["auth_token"]))
        {
            // Just came back from the login page: exchange the auth token for a session.
            Response.Write(proxy.getSession(Request.QueryString["auth_token"]).ToString());
        }
        else
        {
            // A session key was passed in. Collect every fb_sig_* parameter (the loop
            // deliberately skips "fb_sig" itself) and verify the signature before trusting any of them.
            Dictionary<string, string> incomingParmsFromFacebook = new Dictionary<string, string>();
            foreach (string s in Request.QueryString.Keys)
            {
                if (s.StartsWith("fb_sig_"))
                {
                    incomingParmsFromFacebook.Add(s, Request.QueryString[s]);
                }
            }

            if (Facebook.Service.FacebookCustomProxy.IsValidSigFromFacebook(Request.QueryString["fb_sig"], incomingParmsFromFacebook))
            {
                Response.Write("Your User Id Is: " + proxy.getLoggedInUser(Request.QueryString["fb_sig_session_key"]));
            }
            else
            {
                Response.Write("Invalid Signature, Access Denied");
            }
        }
    }
I’ll summarize briefly. Check whether you have either a session key or an auth token. If you have neither, kick the user out to the login page to authenticate. If they have an auth token, they just came from the login page, so retrieve their brand new session from the API. Finally, if a session key is being passed to you from somewhere, check that it really came from Facebook (see the Facebook wiki for info on validating sigs from Facebook), and only once the signature is verified go ahead and make calls using that session key.
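The signature check the summary defers to the wiki, as an added example (this is not the post's FacebookCustomProxy): the legacy canvas signature is the MD5 of the fb_sig_* parameters, prefix stripped and sorted by key, concatenated as key=value with no separator and followed by the app secret. The secret and the incoming parameters below are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example (not the post's FacebookCustomProxy): the legacy Facebook canvas
// signature is md5(sorted "key=value" pairs, "fb_sig_" prefix stripped, no separator, + app secret).
public static class FacebookSigCheck
{
    public static string ComputeSig(IDictionary<string, string> fbSigParams, string secret)
    {
        var sb = new StringBuilder();
        var pairs = fbSigParams
            .Where(p => p.Key.StartsWith("fb_sig_", StringComparison.Ordinal)) // drops "fb_sig" itself
            .Select(p => new KeyValuePair<string, string>(p.Key.Substring("fb_sig_".Length), p.Value))
            .OrderBy(p => p.Key, StringComparer.Ordinal);
        foreach (var kv in pairs)
            sb.Append(kv.Key).Append('=').Append(kv.Value);
        sb.Append(secret);
        using (var md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString()));
            return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
        }
    }
    // Recompute and compare in constant time, so timing does not reveal how many hex digits matched.
    public static bool IsValidSigFromFacebook(string fbSig, IDictionary<string, string> fbSigParams, string secret)
    {
        if (string.IsNullOrEmpty(fbSig) || fbSig.Length != 32) return false;
        string expected = ComputeSig(fbSigParams, secret);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ char.ToLowerInvariant(fbSig[i]);
        return diff == 0;
    }
    public static void Main()
    {
        // Placeholder secret and constructed fb_sig_* parameters, shaped like the query string the post collects.
        const string secret = "APP_SECRET_PLACEHOLDER";
        var incoming = new Dictionary<string, string>
        {
            { "fb_sig_session_key", "constructed-session-key" }, { "fb_sig_user", "12345" }, { "fb_sig_time", "1200000000.0" }
        };
        string sigFromFacebook = ComputeSig(incoming, secret); // stands in for Request.QueryString["fb_sig"]
        Console.WriteLine("untampered: " + IsValidSigFromFacebook(sigFromFacebook, incoming, secret));
        incoming["fb_sig_user"] = "99999"; // tamper with a signed parameter; the check must now fail
        Console.WriteLine("tampered:   " + IsValidSigFromFacebook(sigFromFacebook, incoming, secret));
    }
}
```

Because the secret is part of the hashed string, anyone who can alter a fb_sig_* value without knowing it cannot produce a matching fb_sig, which is why the page only trusts fb_sig_session_key after this check passes.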
I haven’t exactly figured out why a session key is less trusted than an auth_token yet… but apparently they don’t do any sig for an auth token query string. Go figure.