Django-allauth: Facebook messenger account linking.

Created on 13 Jan 2017  路  8Comments  路  Source: pennersr/django-allauth

How does Facebook messenger account linking work with allauth? I am currently capturing id on signup,

account = social_account.pop('account')
user.username = "fb" + account['uid']

But this is the default Facebook ID and not the same returned by the messenger bot which is called a PSID (page scoped ID). This is part of facebook's security measures. I have already built a working bot which can reply to messages, what is missing is being able to make a queryset so I can reply with user specified data,

if Model.objects.filter(owner__username='fb'+str(fbid)):

If it doesn't currently than can it be added or someone explain a patch where I can get the (page scoped ID), since without it I can't later make sane querysets with the messenger platform. I am using this tutorial for the bot

Awaiting input

All 8 comments

If you are trying to link apps, you'll have to use this API:

https://developers.facebook.com/docs/apps/for-business

As this goes beyond scope of authentication it is beyond scope of allauth.

So if I want messaging, which requires one to link the account at auth as the documentation I linked covers, I would have to stop using all auth and code my own solution? This API was recently created to deal with an issue involving marketers exploiting the system. Facebook basically broke a previously working solution and it does not effect only the business API. This could likely be easily injected into the current authentication, I likely will need to code it myself and submit a patch I guess. Just to be clear though the Messenger API =/= the Business api, and I feel as people see this post they will likely agree it is well within all-auths scope.

Account linking: " you may want to identify him or her as a customer who already has an account with your business." In my case it is a face book 'app' so 'business' is a misnomer, sure its for a business, but the app could be any app, even non-commercial.

Business API: "Mapping the same user across multiple apps"

This is obviously a commercial only activity, so its treated different.

These require different levels of permissions you can get from facebook, you can't get the first level 'account linking' without being able to create a sane chat bot which can perform a task based on code logic, in my case identify a user securely and send data back to the api. You can't get the second without the first if the only product your app has is a chat bot. I will see what I can do, but I would urge you to re-assess and re-open the ticket.

Sure, no problem... if there is some generic way in which allauth can be improved in order to facilitate for this scenario, please let me know.

It is a major feature for one of my apps which I have some mostly working code for now. I will do my best to find where to inject it into the current layout. When I was looking at it the other day I felt I almost had it but wanted to get the larger community feedback since allauth is widely used and security is always a pain, I want to make sure whatever I do is a best practice. Now that I know there is no established one for this I will proceed and post my findings.

I have made some progress, I think I need to create a custom client, but would like some feedback before I spend a ton of time figuring out how. If all my reading is to be understood whenever a user clicks login or register than facebook starts the 'Account Linking call-to-action.'

This clue is what the facebook docs seems to leave,

Messenger Platform invokes the registered URL when a user starts the account linking flow. The redirect_uri and account_linking_token parameters are appened to the URL callback

When I look for the redirect_uri and authorization_code I find this code in the client.py files, I am assuming a custom client for facebook will need to be written which has this functionality.

This is not all apparently obvious as there is a new permission called messaging_account_linking which I had to dig around in my app's webhooks settings to enable, it is all covered in their docs but not very well.

What I would really like to know is, is there an easy 'print(foo)' I can add someplace to get the full request for that? (the URL which returns redirect_uri and authorization_code). If I could find this I should see an 'account_linking_token' param and be able to take it from here.

Just an update, this is still on my plate, but got pushed back behind a few other features. Thank you for keeping it open, it is an important thread. I could use a hand if you can possibly review what I posted and explain the best place to see that URI formed before it is POSTed.

I'm interested in this as well

Was this page helpful?
0 / 5 - 0 ratings

Related issues

psychok7 picture psychok7  路  5Comments

falc410 picture falc410  路  4Comments

gitdeepak picture gitdeepak  路  5Comments

HemantNegi picture HemantNegi  路  5Comments

lukeburden picture lukeburden  路  5Comments