A user of my app logged in using their Facebook account. They have since deleted their Facebook account so they are unable to log in.
I have tried to delete their Facebook authData using the REST API, however I don't have the user's Session Token. When I query the user in the Parse API Console it responds that the user doesn't have any active sessions.
I have applied a password to the account for the user to log in with their email address and password; I believe this will work if I am able to delete the Facebook authData.
How do I delete the user's authData so they can log back into their account and retain their profile?
Related
This is my strategy that I've implemented in my web app.
The client( js app ) gets the access_token from facebook and using the access token, I fetch the details of the user like email, user_id etc. I save the details in my database. This ends the signup part.
During sign in, the client sends the access_token and the server fetchs the user_details from facebook using the access_token. Then I find the user by fb_user_id and create a session for him.
How can I ensure that the access_token that the server got during the sign in process is sent by my app and not any other app that has access_token of one of my user ?
My app requests authentication from Facebook. We discovered a problem if the user was already logged into Facebook and the user that they were logged into Facebook as had already authorized the app. Facebook would authenticate the app using who you are logged in without telling the user who they are authenticating. We have users with multiple Facebook accounts and this was causing a problem because people were authenticating the wrong account without realizing it. I fixed that problem by adding the auth_type=reauthenticate to the query string.
According to Facebook the auth_type=reauthenticate parameter will always require the user to enter their password again: https://developers.facebook.com/docs/reauthentication/
Unfortunately, the auth_type=reauthenticate parameter isn't working for certain accounts. Most users will be prompted for a password, but some users will just get passed through if they have already authorized the app. There doesn't seem to be a reason why the auth_type=reauthenticate parameter works for some users, but is ignored for other users. The users who ignore that value do it all the time.
The authorization URL I am using is this:
https://www.facebook.com/dialog/oauth?client_id=[my_client_id]&redirect_uri=[my_redirect_uri]&display=popup&auth_type=reauthenticate&response_type=code%20token&scope=publish_stream,manage_pages,offline_access
(With [my_client_id] and [my_redirect_uri] replaced with my values)
Is there any way to get ALL users to enter their password again or is there some other way to get Facebook to show the user what account they are authenticating?
I have a question about facebook login on my website. What I have now is simple login process which logs in user but each time facebook asks user to grant my app an access permission.
It looks like this:
1) user clicks "login with facebook" and is sent to facebook. He/she gives permission to access his/her account
2) I receive back an authentication token for this user
I'd like to have the following flow:
1) when user clicks "login with facebook" then he would be redirected to facebook website and after he logs in I should receive a facebook user ID,
2) search for user id in local database and if it is found then just use stored token
2a) If user is not found then send him back to facebook to grant my application access permissions
2b) receive user token from facebook and store it in local database
Basically, the difficulty for me is to query facebook for current user id without passing a user token to facebook. Thanks for any help
to query facebook for current user id without passing a user token to facebook
No. This isn't possible, facebook will never give you user_id without their knowledge. They have to authorize your application first.
I own an application which has already granted the send-email extended permission. Unfortunately I didn't record the email address's upon their login process. Is there any way to get email of users now, even if they are not logged in?
Keep in mind that they have already granted the email extended permission, but unfortunately I didn't store their emails.
If you recorded their Facebook user ID, you could try to call graph.facebook.com/userID?access_token=... with your application access token or appID|appSecret.
I am creating an app in which you can login via Facebook, Twitter, or our own internal mechanism. The issue is the following scenario:
I open the app and login using Facebook
I logout
I open the app and login using Twitter
The above scenario will result in me as a user having two accounts in the system. How do I prevent this from happening so that I have one account and it doesn't matter whether I login using Facebook/Twitter?
Every time a user login using Facebook I am as well creating an internal account, with the Facebook username and Facebook id as password. The same thing when I login using Twitter I am creating an internal account with the Twitter user name and id as password.
An idea came in my mind to solve this:
When a user logs in using Twitter check the name and email if a user with that information already exists in the database. However, the name and email they use in both Facebook and Twitter might not be the same, so this might not work all the time.
You can't make this work with your current flow (when the user logs in then logs out again). Instead you should allow a user to login with either their Facebook or Twitter credentials and then, whilst they're still logged in, get them to associate their account with their other service with that user.
So, the flow would be something like:
New user arrives at site User logs in with Facebooks oauth2
mechanism
Your server receives their FB ID and generates a new user
in your systems. Stores their FB ID against that user.
You prompt
the user to add their twitter auth credentials. User logs in with
Twitter oauth2 mechanism
Your server receives their twitter ID,
checks to see if a user is currently logged in with your
application. Because there is, you save the twitter ID agains the
current user.
Later, the user can log out and then log in with either service.