
  • Facebook/twitter "instant" login


    We have a system working with Spring Social and have implemented the "login with facebook" and "login with twitter" buttons. We have received a request to add the facility to perform an "instant" login. The request relates to a hypothetical user who has already linked their account on our system to, say, Facebook and is currently logged into Facebook but not to our system. I want to know if there is some way to log the user straight into our system as soon as they visit the front page without first requiring them to click on a "login with Facebook" button.

    My questions therefore are:

    (1) Is it possible to perform such an "instant" login with Spring Social?
    (2) If not, is it even theoretically possible with another framework?

    Thanks in advance.

    Cheers, Adam.

  • #2
    Did you manage to get the instant login?


    • #3
      No, I never did. I suspect it's not possible but I never found out for sure.


      • #4
        I see no reason why it couldn't be done (disclaimer: I've not tried it). The way the "Sign In With XXX" functionality is kicked off is with a form submission, so at very least you should be able to...

        - Use each platform's respective JS API to determine if the user already has a Twitter/Facebook session in play.
        - If there is a session, then have some JavaScript that submits that form automatically
        - There'll be a browser redirect, but in the end the user can be returned to the front page.

        There are likely other ways to do this (maybe even ways that avoid the browser redirects), but it will take some experimentation to find them. I encourage you to try out the approach I spelled out above and let us know if it works. Or if you find a better way, we'd also be interested in hearing that.


        • #5
          I'd do like Craig said, and do this from your initial signin page, this way if they haven't had a previous connection made with facebook they could still login with their normal login credentials. This is where the Social tag that Craig helped me with comes in handy. Something like this you could do on your signin page, which will attempt to automatically sign them if they have a facebook connection...

          <%@ taglib prefix="social" uri="http://localhost/social" %>
          <script type="text/javascript">
          	$(document).ready(function() { // using jQuery
          		<social:connected provider="facebook">
          			// body of the tag: auto-submit the Facebook sign-in form
          		</social:connected>
          	});
          </script>

          If you want the tag code just let me know (or it's back a few pages in this forum as well.)
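
The approach from posts #4 and #5, as an added example that is not code from the thread or from Spring Social: ask the Facebook JS SDK for the login status and submit the sign-in form at most once per browser session. The form id `fb_signin` and the storage key are hypothetical; `FB.getLoginStatus` and its `connected` status come from the Facebook JS SDK.

```javascript
// Added example. Assumptions: the Facebook JS SDK is loaded as window.FB and
// the page holds the provider sign-in form under the hypothetical id "fb_signin".
const TRIED_KEY = "fbAutoSignInTried"; // hypothetical sessionStorage key

// fb: object with getLoginStatus(cb); form: object with submit();
// storage: sessionStorage-like object; done(outcome) reports what happened.
function autoSignIn(fb, form, storage, done) {
  // One attempt per browser session: if the Facebook user has no linked
  // local account, sign-in ends back on this page, and without this guard
  // the page would redirect in a loop.
  if (storage.getItem(TRIED_KEY)) {
    done("skipped:already-tried");
    return;
  }
  fb.getLoginStatus(function (response) {
    const status = response && response.status;
    // "connected" means logged in to Facebook AND the app is authorized.
    // "not_authorized" and "unknown" fall through to the normal sign-in page.
    if (status !== "connected") {
      done("skipped:" + (status || "no-response"));
      return;
    }
    storage.setItem(TRIED_KEY, "1");
    // The status is only a hint from the browser. Submitting the form starts
    // the normal server-side OAuth flow, which is what authenticates the user.
    form.submit();
    done("submitted");
  });
}

// Call on explicit logout so the user is not signed straight back in.
function suppressAutoSignIn(storage) {
  storage.setItem(TRIED_KEY, "1");
}

// Browser wiring; skipped when the script runs outside a page.
if (typeof window !== "undefined" && window.FB) {
  autoSignIn(window.FB, document.getElementById("fb_signin"),
    window.sessionStorage, function () {});
}
```
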


          • #6
            I like that tag, BTW. If you submit a pull request, I might review it in more depth and merge it into Spring Social. I could do it by copying what's in the previous forum post, but as a pull request you'll get credit for the work.


            • #7

              I just started playing with Spring Social and I use this class for parsing the Facebook signed request and returning a ConnectionData for use with the ConnectionFactory.createConnection() method.

              May be useful for you.

              /*
               * Copyright 2009-2011 the original author or authors.
               *
               * Licensed under the Apache License, Version 2.0 (the "License");
               * you may not use this file except in compliance with the License.
               * You may obtain a copy of the License at
               *
               * Unless required by applicable law or agreed to in writing, software
               * distributed under the License is distributed on an "AS IS" BASIS,
               * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
               * See the License for the specific language governing permissions and
               * limitations under the License.
               */
              package info.joseluismartin.facebook;

              import java.nio.charset.StandardCharsets;
              import java.security.InvalidKeyException;
              import java.security.MessageDigest;
              import java.security.NoSuchAlgorithmException;

              import javax.crypto.Mac;
              import javax.crypto.spec.SecretKeySpec;

              import net.sf.json.JSONObject;

              import org.apache.commons.codec.binary.Base64;
              import org.apache.commons.logging.Log;
              import org.apache.commons.logging.LogFactory;
              import org.springframework.social.connect.ConnectionData;

              /**
               * Facebook signed_request parser.
               * @author Jose Luis Martin
               */
              public class SignedRequestParser {

              	public static final String SIGN_ALGORITHM = "HMACSHA256";
              	private static final Log log = LogFactory.getLog(SignedRequestParser.class);
              	private String secret;

              	public ConnectionData parse(String signedRequest, String secret) {
              		ConnectionData data = null;
              		if (signedRequest == null)
              			return null;
              		// use the secret passed in, falling back to the configured one
              		String key = (secret != null) ? secret : this.secret;
              		try {
              			// signed_request is "<signature>.<payload>", both base64url-encoded
              			String[] requestArray = signedRequest.split("\\.");
              			if (requestArray.length == 2 && verifySign(requestArray[0], requestArray[1], key)) {
              				// the payload is decoded only after its signature has been verified
              				String payload = requestArray[1];
              				// map the URL-safe alphabet back to standard base64
              				payload = payload.replace('-', '+').replace('_', '/');
              				String decoded = new String(new Base64(true).decode(payload), StandardCharsets.UTF_8);
              				JSONObject json = JSONObject.fromObject(decoded);
              				String providerUserId = json.getString("user_id");
              				String accessToken = json.getString("oauth_token");
              				// OAuth2 connection: there is no token secret, and the app
              				// secret must not be copied into the connection data
              				data = new ConnectionData("facebook", providerUserId, "", "", null, accessToken,
              						null, null, null);
              			}
              		}
              		catch (Exception e) {
              			log.error("Unable to parse signed_request", e);
              		}
              		return data;
              	}

              	/**
              	 * Verify payload signature
              	 */
              	private boolean verifySign(String sign, String payload, String key) {
              		SecretKeySpec sks = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), SIGN_ALGORITHM);
              		Mac mac;
              		try {
              			mac = Mac.getInstance(SIGN_ALGORITHM);
              			mac.init(sks);
              			// the HMAC covers the payload exactly as received (still encoded)
              			byte[] my = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
              			byte[] their = new Base64(true).decode(sign);
              			// constant-time comparison of the two MACs
              			return MessageDigest.isEqual(my, their);
              		} catch (NoSuchAlgorithmException nsae) {
              			return false;
              		} catch (InvalidKeyException ike) {
              			return false;
              		}
              	}

              	/**
              	 * @return the secret
              	 */
              	public String getSecret() {
              		return secret;
              	}

              	/**
              	 * @param secret the secret to set
              	 */
              	public void setSecret(String secret) {
              		this.secret = secret;
              	}
              }


              • #8
                Thanks for the signed_request code. I had something similar in mind and planned so that Spring Social could properly work within a Facebook Canvas app. (The canvas example we have now works, but doesn't use the signed_request as it should.) talks about enabling this within the web argument resolver, but I was also thinking about it in a way that's more akin to how the signin controller works. It's definitely on the todo list.


                • #9
                  Talking about TODO lists. What is the roadmap for Spring Social? For me the LinkedIn library is the biggest gap and I hope to be able to spend time on it but right now, I don't have it. And then there is auto-reacquire for expired tokens.


                  • #10
                    Originally posted by mschipperheyn
                    > And then there is auto-reacquire for expired tokens.

                    Hmmm, can you explain how the current token behavior works, and possible issues? I haven't looked at all into it. Wouldn't want any surprises a few months down the road based on some token issues. (Probably best as a new thread if you feel like replying... hate to hijack this one.) Thanks


                    • #11
                      Sorry, didn't mean to hijack. There was a thread about this topic elsewhere with regards to Spring Social Google, which only offers short-lived access tokens, and the idea that Spring Social should auto-refresh the accessToken with the refreshToken.