For a middleware system with internet (which works inside a set-top box) I want to develop a primitive Facebook interface where users can type their user-names and password, showing their latest notification, messages and other casual stuff on the TV screen by using the recent Facebook Graph API.

This middleware program uses Java ME to run programs (such as this simple facebook app) and it can connect to internet however it doesn't have a real web browser. Without browser it can connect to any url to retrieve the JSON response however I am not sure how to achieve authentication without a real browser.

Under this circumstances, is it possible Facebook authentication? If you think so, what approach would you suggest ?

Thanks

Facebook provides trusted partners with a private Authorization API to get an OAuth 2 token from a username / password.

A more complicated approach would be doing something similar to how Netflix enrolls a device:

1. device calls server to obtain a Code
2. device shows code on screen and directs user to go to URL on server and enter Code
3. server redirects user to Facebook and obtains OAuth token, user told to go back to device
4. device calls server with Code and obtains OAuth token
5. device can now make calls directly on behalf of user

According to this documentation on "Desktop Application Authentication" I don't believe your desired result is possible:

Facebook's OAuth implementation does not include explicit desktop application support. However, if your desktop application can embed a Web browser, you can add Facebook support to your application easily using the same OAuth User-Agent Flow used by JavaScript clients.

However, it is clearly possible for certain vendors to do this, since Microsoft's Xbox 360 Facebook application does exactly what you are proposing. I'd be interested to see if anyone has dug up any API for doing this that Facebook doesn't want in their most obvious documentation.

This isn't an answer but I'm trying to do the same thing. Check out this guy's blog which uses another server to proxy the requests: cory wiles blog

If you figure it out please post a detailed answer here so I can do it to.. :)

I think it is possible though it is pretty complicated and subject to sudden changes of Facebook interface. It might break the agreement between you and Facebook.

What you do is to emulate the Facebook.

One path you have to set up a Facebook application. Once you got the authorisation from user, you can to something with Graph API.

You need to the Facebook log-in process and authorisation process. There are some capturing tools on http/https request and response. Analyse them, both header and body.

Once you know the authorisation mechanism, you can replace it with you own. Everything afterward is on Graph API.

Another path is to emulate Facebook login and message and notification process. Capturing and analysis is needed.

In the past I have used a tool called screen-scraper (full disclosure: I used to work there) to automate logging in to facebook. Basically, it imitates a browser session; it allows you to set session variables (i.e. username, password) which would then be submitted to facebook, just as if the user had submitted them in a browser.

You may not be able to use screen-scraper in your set-top box environment (although it is java-based, so it's possible it would work). Even if it doesn't, you could implement a similar strategy in java, making the HTTP calls a browser would make to load the login page and submit the user's credentials. To keep the user's info safe make sure whatever HTTP client library you use supports HTTPS.

Proxy tools and extensions like Charles, Fiddler2, Firebug, Chrome's dev tools, etc. are helpful in seeing exactly what the browser is sending to the server in requests.