I am using https://rnfirebase.io/ for react native application. I am successfully able to log in the user using Facebook Login.
My question is, once I have logged in the user using facebook, and then I am deleting the app from my facebook profile that gave permissions to firebase, the firebase is still authenticating me.
So, in this way, I will always be authenticated until I signout? Is this correct? or should I request for fresh Access Tokens ?
Here is the code I am using to check if the user is logged in
_bootStrap = () => {
let route = Home;
firebase.auth().onAuthStateChanged(user => {
saveDataInAsyncStorage('userLoginInfo', user);
this._navigate(route, result);
});
}
Once your client app get a valid ID token from Firebase Authentication, it remains valid for one hour after it was issued, even if you do something to disable the user. The user will be able to use that token to gain access to resources in Firebase until it expires. At that point, the client SDK will attempt to refresh the token. If the account is disabled in some way, the refresh will fail, the the previous token will no longer have the access it once had.
So, you will have to wait at least an hour for that user to be rejected by things like Firebase security rules and Firebase Admin token validation.
Related
My team have developed an App, in which we are using the Facebook Authentication Tokens to retrieve the data from a Facebook and then display it on our App and it is working fine.
The problem which I am facing is that if the Password of Facebook Account is changed then the API Token also become useless, which is an obvious thing.
But is it possible that when a user updates his/her Facebook Account Credentials then the API Token also gets updated? i.e. I don't want to go through the Token Generation Process, every time the password is changed.
No, that is not possible.
When the user changes their password, all their existing tokens get invalidated on purpose.
They will have to go through the login flow again, to create a new token.
I am developing an application using xamarin.Here I am using xamarin auth component for facebook authentication.I am able to login and get users info and able to save them in local DB.Xamarin auth component has provided option for storing account object so that when user relaunch app ,we can use that account object to login.
Here comes my question: If user changes password on facebook account from site then what should be done when app is relaunching,as stored account is local we can't use that info to login again.
Thanks.
Any suggestions are appreciated.
Actually you are supposed to use the access_token for subsequent queries towards Facebook after the first successful authentication. With OAuth, you won't store password in your app. I would expect that when a user changes the password within Facebook, the old access_token might expire. In this case, you'll have to make the user manually re-login. This is the case anyhow when your access_token expires for any reason; keep in mind that all access_tokens expire after some time.
You can easily verify if the access_token is still valid by sending some basic request in the background. If you get an autherror response, just prompt the user to login again when it makes sense in the flow of your app.
Facebook documentation states that
. At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token - how this appears to the person will vary based on the type of login flow that you are using, for example if you are using the JavaScript SDK, this will take place in the background, if you are using a server-side flow, the browser will quickly redirect to the Login Dialog and then automatically and immediately back to your app again.
What does it mean that the person does not actually need to login? Does not he have to pass his credentials again? If not how does FB is authenticating the user and getting the refreshed access token?
Yes but you need that the user visits your web app. Then you check for login status, if it is "connected" you will get a new short-lived token without even making the user login again. That's because the token has information about apps already authorized by user. If not the case or the user hasn't login in FB then you need to call the login function.
Once you have the token you can create a new long-lived token again.
I am building a social gaming platform which will be played with mobiles. I am confused about the login part and access token. Let me briefly explain my problem.
Problem: User logs in with facebook login and I retrieve the accessToken of the user. Then immediately after login I store this accessToken in my database. The user continues with the game. Then in some point when I want to post something to the users wall the mobile side calls a WebService and my part (C#) uses the access token stored in the DB and posts something to the wall. Until here everything is OK. But what happens when the access Token expires or the user changes his password. Then I have to re-get the accessToken and update the DB.
BUT how do I get notified when the accessToken changes? I have to get notified or I will have a expired token and won't be able to post something.
Thanks
You won't get notified when a token expires, but Facebook give you the expiry time in your response, which you should store.
According to the OAuth spec, you will receive an HTTP 401 Unauthorized if you try to use an invalid/expired token, as well as the following:
Invalid Consumer Key
Invalid signature
Invalid / used nonce
I've created a Facebook .NET Desktop Application. On the first run, the application opens a second window with a Web Browser directed to the authorization page for my application with the required permissions from the user.
If the user authorizes my app, Facebook is redirecting me to the static login_success.html and appends the AccessToken to the Hash (#) part of the Url of the browser rendered in my second .NET Application window.
I hand that AccessToken to my main application window and do my requests to the graph api on behalf of the respective user.
That's fine, and working so far!
But, how can I
check if the AccessToken I've stored is still valid and how
can I renew an expired AccessToken without bugging the user with the second browser window (of course assuming the user hasn't revoked the authorization for my app) and how
can I recognize that the user has revoked the authorization?
check if the AccessToken I've stored is still valid?
Try and use the token against the Graph, and if it give you an error (Something like OAuthException or OAuthError), it's not valid, else it still is.
Can I renew an expired AccessToken without bugging the user with the second browser?
No that I know of. But, AccessTokens (with the Offline Access permission) don't expire. I've received an AccessToken for one of my apps almost 2 years ago and it hasn't changed or expired, so I think you should be good. They might become invalid if your App Secret changes or if the user changes their password (I'm pretty sure on that last one, but not 100%)
Can I recognize that the user has revoked the authorization?
Yes, if you query the Graph with an AccessToken that is not authorized for that function, it will give you an OAuthException. Just check for exceptions after you receive Graph data and it will let you know, for the most part, why you weren't able to receive Facebook data.
Unfortunately, if your Access Token expires you have to get the user to go through Facebook to get a new Access Token. An offline_access token does not ever expire due to time, like joe_coolish pointed out, but it does expire if the user changes their password. So your program needs recognize when a user's access token is invalid and get the user "refresh it" by going through the oauth endpoint.
Recognizing that the user's token is invalid is the same process as recognizing that the user has revoked authorization for your application. Whenever you make a graph request with an invalid access token, Facebook will give you an OAuthException saying that you don't have access.