I am currently having trouble with the identity server 3 and logouts with (single user) concurrent sessions.
Situation:
a user is allowed to login (to a mobile app) multiple times with a single account
Expected behaviour:
When the user performs a logout on one device he stays logged in at the other devices.
Actual behaviour:
The user is logged out at each device.
Related
I'm using
Catalyst::Plugin::Authentication
to authenticate users and
Catalyst::Plugin::Session
to track sessions. Is it possible to solve my problem using these plugins?
When a user has been authorized at some place, other sessions (the same user on other platforms, browsers etc.) automatically change to invalid. There can be only one working session from this particular user at the same time.
I'm building a HipChat bot, but it needs to play the role of the user WHILE the user is also logged in. Is this possible by logging in twice, once as me, the second time as the bot. Does one login get booted out?
Use case
1) User logs in
2) Bot logs in (user has given the bot its credentials)
3) Bot detects something interesting user has said
4) Bot interjects with some meta data (in effect impersonating the user)
Is this possible? Currently I have only gotten as far as interacting with the bot as separate user agent.
I am building a Facebook application whose purpose is to gather statistics about Facebook users by querying their profile pages every so often. There is a sign up process where a user consents to the application and is redirected to Facebook to authorize the app. After the app has received the user's permission, it stores the access token with the user's Facebook ID number.
Every so often I want to be able to run a script that loops through all the access tokens in my database and queries the corresponding user's profile page. I am using Facebook's PHP SDK for development and therefore receive long-lived access tokens.
However, I am running into the issue of the 60 day expiration of the access token. I don't know how I can renew these access tokens, since the user does not initiate API calls; my own script does and therefore it has no information about the user being logged in or not when trying to run an API call. Is there any way to renew these access tokens behind the scenes without any information about the user whom I'm trying to query?
I'm trying to create a server side access to a user's Facebook resources (photos/albums/etc).
I want that the user will authenticate once using its native mobile application, and that the server will be able to access user's data without the user interaction.
I'm trying to understand the steps I need to take in order to make it work.
I've read Facebook's: Login for Server-side Apps but I can't understand how to use the scenario proposed in there - because my server has nothing to do with user interaction (I cannot redirect the user to some login dialog) - the server is performing its own operation in the background whether the user is using its mobile application or not. What should I do upon token expiration for example?
More then that, I want that the user will be able to perform direct Facebook operation on the mobile itself, without the server intervention.
As I see it, this is the flow I would expect:
User's launches a native mobile application.
The user authenticates using Facebook's SDK on the native mobile app.
The user received a special token, that can be converted at server side to an access-token.
The token will be sent to the server and stored there.
If the server needs to access user's Facebook data, it uses this special token and converts it to an access token.
When the token expires - the server can extend it, using the special token, without any user interaction.
What data should be sent to the server from the mobile application after authentication. And how should the server use this data to access user's Facebook resources anytime?
I'm using the C# Facebook SDK for the server. But I think it is not that important, I need to understand the mechanics.
Tokens expire if the user does not continue to use the application. This is by design--an application should not continue to access the user's account if the user stops using the application.
When a user logs into your application, a token is given to your application, along with an expiration date for that token. You can use that token from your client or your server until it expires. However, there is nothing your server can do to extend the token if the user does not continue to use your application.
If the user continues to use your application, you will have an opportunity to update your server token. For example, in the Android and iOS SDKs, tokens are automatically refreshed if the user uses your application to make a facebook request. At that time, you can transmit the refreshed token to your server.
If an mobile user have authorized the app for facebook via Single Sign On, is there a way the permissions can be used on the server side for offline access?
Scenario:
user uses the mobile app
user authenticates via SSO
app needs to use the user's permission on the server to check for certain updates
app pings the user via notifications if updates received
Can this be done?
You need to authorize at the app and obtain the Facebook token. Then you can send this token to your server and use it there without problems. You should ask for the offline_access permission if you want this token not to expire in a few hours.