Auth0 Facebook Login
Pang Murdock
You can add functionality to your native application to allow your users to authenticate using Facebook natively, within the application. This does not require redirection via a web browser and will let mobile applications comply with the Facebook Developer Policy, which requires that mobile applications use the Facebook SDK for Android or iOS to authenticate.
When integrating with the Facebook SDKs, your applications will be sharing data with Facebook. Make sure you understand the data that is being shared and that you reflect it properly in your application's privacy policy. Auth0 has no control over what data will be shared with Facebook via the SDK.
The application can then use the session info Access Token and the Facebook user profile to authenticate with Auth0 by calling Auth0's /oauth/token endpoint using the Token Exchange flow with the facebook-session-access-token token type. If all goes well, Auth0 will return a normal response from the exchange, with the addition of the user profile. The user profile should be a JSON object, encoded as a string.
In the previous example, you had to retrieve the User Profile from Facebook and include it in the call to /oauth/token. This is because the Facebook Session Access Token cannot be used to directly retrieve the profile, and the Facebook Access Token cannot be sent directly to the server, due to Apple's AppStore Review Guidelines. Therefore, it must be retrieved in the client and sent to Auth0 in this fashion.
Since the native login implementation does not make use of standard browser-based flows, application owners must also take care to perform logout appropriately. When an application needs to perform a logout, it should also Revoke the Auth0 Refresh Token.
Currently have a working web app with auth0 identity. I want to add social login FB, Google, Apple for the purposes of creating new account and logging into existing ones. The social account create process seems straight forward. My concern is should I create a way to leverage social login that will enable access to existing accounts in the event the email address is the same?
Is it acceptable or best practice that I only allow social login for new accounts being created using social login vs entering a password when creating an account? When an account has been created using a social login - should that user be able to self-service reset their password or are they restricted to using their social login? If they are not able to social login have they simply lost access to their account?
If you examine users created in your tenant using each method, social vs un/pw, you will see the user id: value changes. Users created with un/pw start with auth0, where facebook starts with facebook, apple with apple and google with google-oauth2.
While testing our Facebook social login we noticed that in one of the cases the email address is missing from the Auth0 user profile. We verified the Facebook account has a primary email address and the email checkbox (and therefore scope) has been checked when first logging in. No reason the email address should be missing, because with another account it works as expected. We also tried removing the app from the Facebook account and deleting Auth0 profile (starting fresh). Without any luck.
This discussion might be useful: -facebook/issues/61. The user borama mentions it happens in 2% of the logins (comment from 2012, so might be unrelated). This might be innacurate, but the fact that it happened on our second test is alarming. It breaks our login flow and requires dirty hacks to solve.
If a user denies the attribute/permission(s) we could re-prompt the user as described here by using the prompt=consent parameter. Depending on your use case, we can also consider progressive profiling.
This topic seems related to our new EA feature, Forms for Actions, which rolled out of the beta stage on May 7th. Our Product team prepared the whole Documentation page with examples of Use cases. Forms for Actions. If you find yourself having questions regarding this new feature for the next two weeks, we are hosting an Ask Me Anything session. Our Product Expert will provide comprehensive written answers on May 21st from 8 AM to 10 AM PST.
Find out more about Forms for Actions and learn more about AMA.
The problem described in the link above is still happening, now we have multiple users which were able to sign up even though no email is coming through in their auth0 profile, making our integration fail.
However, in the previous topic, you said you made the email address a mandatory field in the facebook connection configuration. Are you sure this is working as expected? Can you tell me which steps you have followed to make it so?
After confirming with Support, there is no way to stop the end user from editing the email field here as designated by Facebook. However as @luca.rossi mentioned, you can leverage a rule to prompt with an error in the event an email is not provided. Please let me know if this helps you in your endeavor @francescopeloi, thanks!
Auth0 allows multiple authentication providers. You can have social providers like Facebook, Twitter, Google+, and more, a database of users and passwords (just like WordPress but hosted in Auth0), or you can use an Enterprise directory like Active Directory, LDAP, Office365, Google Apps, or SAML. All those authentication providers might give you an email and a flag indicating whether the email was verified or not. We use that email (only if it is verified) to associate a previous existing user with the one coming from Auth0.
Please note: In order for a user to log in using Auth0, they will need to sign up via the Auth0 login form (or have an account created for them in Auth0). Once signup is complete, their Auth0 user will be automatically associated with their WordPress user.
You can enable Auth0 as a WordPress widget in order to show it in a sidebar. The widget inherits the main plugin settings but can be overridden with its own settings in the widget form. Note: this form will not display for logged-in users.
The Auth0 plugin transparently handles login information for your WordPress site and the plugins you use, so that it looks like any other login. User profile data changes in WordPress are not currently sent to Auth0 but changes to the Auth0 user account are stored in WordPress user meta (under the key auth0_obj prefixed with $wpdb->prefix).
In this blog post, we'll explore how to set up authentication with Auth0 in a React project. The @auth0/auth0-react SDK was recently updated to version 2.1.0, so that is the version we will be walking through. The process is the same for previous versions, but some of the props in the Auth0Provider have changed.
Auth0 is a popular identity and access management platform that provides authentication, authorization, and user management for web applications. With Auth0, you can add authentication to your web application without having to build your authentication system from scratch. Auth0 supports multiple identity providers such as Google, Facebook, and Twitter. It also provides various features such as multi-factor authentication, passwordless login, and social login.
You'll use the Basic Information in your React app, but there's one last configuration item to update. Click on the Settings tab to view the basic settings for the app. Scroll down the page to Application URIs.
The important parts here are Allowed Callback URLs, Allowed Logout URLs, and Allowed Web Origins. These fields allow auth0 to secure where your app will be allowed to redirect back to in each situation. My app runs on port 3000, so I have :3000 as my URL in each of the fields.
Once you've installed the Auth0 React SDK, you'll need to create an Auth0Provider component in your React application. The Auth0Provider component will wrap around your entire application and provide the necessary authentication state to your components.
In the example above, you'll need to replace process.env.REACT_APP_AUTH0_DOMAIN and process.env.REACT_APP_AUTH0_CLIENT_ID with your own Auth0 domain and client ID, which you can find in the Basic Information section of your app in the Auth0 Dashboard.
You can start by creating a reusable component called ProtectedRoute. This component redirects the user automatically when they try to access the route but are not authenticated. onRedirecting will execute code before it leaves the app.
You'll then add this to your App component. Below, you will always be able to access the LandingPage component. When you attempt to navigate to the /user route, if authenticated, the UserPage will display. If unauthenticated, the redirect to login will occur.
Clicking on LoginButton will call the loginWithRedirect method, which will redirect us to the Auth0 login/signup page. When you sign up and log in, Auth0 will redirect you back to your application and display your user info and LogoutButton.
You've successfully protected your application with Auth0 and given users the ability to log in and out of your application. This only scratches the surface of what Auth0 can do for your application, but now you can see how simple it is to set up.
Authentication is a critical aspect of most apps, as developers must ensure the apps they build are secure and can only be accessed by verified users. While custom authentication solutions can be built, the cost and resources involved to build, maintain, host, and secure them can be heavy. This is where Auth0 comes in.
Auth0 provides SDKs for all popular web, mobile, and native platforms, allowing for deep integration with the language and stack of your preference. You can also set up different login options so your users can login to your app with their preferred method.
Auth0 is a flexible solution to add authentication and authorization to your apps. You can connect any app to Auth0 and define the identity providers you want to use, whether Google, Facebook, Github or others. Whenever a user logs into your app, Auth0 will verify their identity and send the authentication data back to your app.
4a15465005