I'm doing a private beta and the only login method is through facebook.
The problem is that anyone with a facebook account who can see the facebook login button can login. If you have standard e-mail authentication then you can use a token to access the sign up page and then login regularly going forward (any users who try to login will just get denied). However, with facebook login we don't know if they've registered yet. I do have cookies but if they login from different devices then we still find ourselves in this same predicament.
I'd like
users with access to be able to sign in easily
users without access should not be able to sign in
Possible solutions:
have users enter their e-mail address or code to then expose the facebook button (if a code is in the url then you can make the api call without user input, or you can make an api call after a user enters in their e-mail)
always follow the same link to login (with a code attached)
Is there a preferred method of solving this problem? Anything that I'm missing?
Related
I'm using the Manual Login Flow from facebook to login users to my site. This means, redirecting them to accept the app, and the getting their info. (my app is also physical, ==> one browser for many people)
I got it working as I wanted, however, as they are only redirected to login, they are kept logged-in at browser-level, meaning that if another user comes after them and tries to login, they will only be shown the other person's profile, or be redirected as if they logged in.
Thus, I need a log-out method at browser-level, but I can't find any links, or api to logout a user from the browser.
Does anyone know how?
Thanks!
I and a friend are developing an app and would like to use Facebook as a way of users having their own accounts without us having to ask them to store passwords or make users for security and ease of use.
Passport.js has a facebook plugin but it talks about a redirect URL so my question is: is it actually possible to just send information like email address and password to facebook for authorisation and return the users profile without actually redirecting the user to a facebook login page.
I don't see how i could redirect the user to a facebook login while inside my app and also what on earth would i put as the callback URL? Am i just trying to use passport-facebook in the wrong way?
is it actually possible to just send information like email address and password to facebook for authorisation
No. Users are strongly discouraged from giving this information to any 3rd party app, and you are not allowed to ask users for them.
Login with username/email and password happens on Facebook, not in your app. You will get feedback from the login endpoint then that they logged in successfully.
I'm trying to write application for user login to website via Facebook. When user is logging in, he's redirected to http://www.facebook.com/dialog/oauth/?client_id=APP_ID&redirect_uri=REDIRECT_URL&state=STATE, then sees confirmation dialog to use permissions and all goes well. But then FB somehow remembers this application and never asks for permissions confirmation again when user opens this url. Is there any way to always show this dialog? I could do it in Twitter, but couldn't found the answer for Facebook.
If you really want this for some reason, uninstall the app from the user's account with a HTTP DELETE request to /USER_ID/permissions using your app access token.
The next time they come back they'll need to re-authorise the app.
Otherwise, no, there's no way that I'm aware of apart from the reauthentication flow to force the auth dialog to appear, but bear in mind that the reauthentication flow may prompt the user to re-enter their Facebook password even if they're already logged into Facebook, so it adds extra friction to the process
Instead of showing the Facebook OAuth dialog, you could also show the user a page on your application that has some information about the Facebook account that is going to be used (picture/name etc), to log into it. That way, if they like they can choose to log out and re-authenticate or continue knowing they have the right account.
I want to allow users connect to my website using their facebook account.
First, the user authorizes my application and then I get an access token. Problem is, that I'm supposed on the first time to register the user, and the next time to auto login him based on his facebook email.
How do I create a SECURE way to auto login the user?
I'm using pure javascript, but I can't find any way to create a secure mechanism.
Thanks.
Facebook should handle all that for you - when they come back to your website, they can click the 'login' button(javascript SDK) and facebook should pass you back an access token.
I may, however, have misunderstood the question.
Here's the problem,
I want to have the user auto login to my MVC3 website if they already login from facebook.com.
If they are not login from facebook.com, I will just simply show a login button and they can login by clicking on it as usual.
I cant seem to find a way to detect whether user had login from facebook.com unless I force the application to direct go into LoginUrl of Facebook, which is not good for user who was not logged in as this will prompt them a page where they have to login. I still want to allow guest access without facebook account.
Any idea? Thanks a million.
EDIT:
Sorry I forgot to mentioned the situation only apply to user who approve to use my app. Once they approve to use my app, I'll be able to detect their facebook login status.
The answer is: You can't. At least not without violating the facebook TOS and probably at least one or two laws.
EDIT: Your original question sounded like you wanted to try and hijack the facebook user session. What you are talking about here in the comments requires you to use facebook connect / facebook for websites.
You would want to start here: https://developers.facebook.com/docs/guides/web