I'm trying to figure out how to allow my app users to log out (and then log back in successfully).
I have an iOS app which uses Firebase Authentication with the following user flow/logic:
a new user opens the app
they are logged in automatically as an anonymous user (uid-A)
sometime later, they want to access something sensitive so...
they log in with Facebook and link the credentials with uid-A
they want to log out so call FIRAuth.auth()!.signOut()
when the user revisits the app they're issued a new anonymous user (uid-B)
they try to log in using Facebook again but...
they get an "ERROR_CREDENTIAL_ALREADY_IN_USE" error because their Facebook credentials are linked to uid-A
Has anyone got an app logic which works for this use case? Should I be doing something different at step 5 above (i.e. not actually logging the user out but simply destroying the credentials or something)? Any pointers/ideas would be great.
Related
Id like to somehow be able to authenticate programatically using javascript, without filling a login form every time, because its unwanted behaviour in requirements for my app...
When I use Deezer javascript api I usually do:
DZ.login(); //to login, which pops up a login form
//then somewhere else calling
DZ.getLoginStatus(function(){callback});
//and in callback function I call the api or something
What I would like to do might be something like this:
once call DZ.login()
once fill in login form and approve rights for my app
once get access_token(never expiring, with offline access permission) from response
Still good...
and then:
somehow use that token from javascript everytime I need to access that account to do some action..
No matter whether Im logged in or not I want to be able to access that account with that offline access_tokenand
f.e. load my playlist to the player.. I want to do that action everytime without prompting login form, even after power failure or even if some earthquake comes and logs me out...
I want to use javascript because of that player......
Is there any possible workaround?
If not, why is it not possible?
No matter whether Im logged in or not I want to be able to access that account with that offline access_token and
What you want to do can be set up in your app settings as explained here: http://developers.deezer.com/api/permissions
I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.
But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.
My requirement :
1. How can i log out from facebook.
2. How can i clear the browser cookies?
Not on a specific app but the whole facebook session.
[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to logout from the whole facebook and not just from the app
If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.
If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a “drive-by” manner – without me actively wanting that, so people would get annoyed quite quickly.
If a user is logged in to facebook, it should then automatically logout for a fresh start.
If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
Be aware to use the server-side Auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (Has been assigned Priority: High, but received still nothing more than a “we will follow up” response yet.)
Use the logout.php url.
https://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
Basically,
http://facebook.com/logout.php?next=YOUR_NEXT_URL_FOR_LOGOUT&access_token=USER_TOKEN
1) logging out from facebook by using
facebook=>getLogoutUrl();
2) clearing the session by using :
$facebook->destroySession();
example:
Log Out
logout.php page codes as follow:
<?php
require 'facebook.php';
$facebook->destroySession();
header( "location:index.php" );
?>
A lot of apps keep user logged in until user manually logs out like facebook, dropbox, etc.
I am wondering how they achieve it? There might be several approaches:
1)Do they store the username and password in a local storage, and automatically log the user in when they open the app again after a long time?
2)Or do they get a long-lived token from the server, and once the user login at very first time, the app gets a token from the server, later on they just use the token? The token will be valid until user manually logout from the app.
For #1, it will only work for native login, if an app supports "log in with facebook or twitter" it won't work.
So I just want to get an idea about how people achieve this feature? Is there any articles talk about it?
Most services like Facebook and Twitter use OAuth to manage the user session.
I use this external framework... https://github.com/nxtbgthng/OAuth2Client
It took me a while of reading and setting up to get right but it works now.
When the user logs in they get an auth token that contains an expiry date. When the expiry date comes the system automatically refreshes the token.
When I send a request to the server I send it via the OAuth framework and it adds the authorisation automatically.
I have a desktop application that uses facebook authentication in offline mode. There is no session key as the app returns me an access token.
It stores the access token and allows the user to post to facebook at other desktop app locations around an event.
The problem I'm having is that after a user goes through the oauth, I can't clear the session data for the next user.
I've tried deleting all the cookies, but that causes a facebook script error when the next user tries to authenticate...
I'm simply looking for a way to remove the session cache from the machine and not cause javascript errors...
This is the closest I've found to anyone figuring this out. It doesn't work for me, though:
http://forum.developers.facebook.net/viewtopic.php?id=84232
My problem is that I can't log the user out if they haven't authorized my app and returned an access token yet.
I am developing and testing a facebook app for which I have granted the permissions with my facebook account. Then the app is authorized to access my info, etc. nicely. The next time I close the browser, reopen it, login to facebook successfully then access the app, facebook wants me to login to that app again. I can access the current user id, but how can I automatically authorize the app (if the user has already authorized in the past) without needing the user to press that dread 'Login' button again and again upon each session's end?
UPDATE - offline_access has been deprecated. Read this post for more details: https://developers.facebook.com/roadmap/offline-access-removal/
You will need to request a token that has offline_access so that you can use their authentication token over and over again. Then you will need to set a cookie yourself that stores something indicating who the user is. Facebook does not support a "remember me" feature in their authentication so you have to build it yourself. Store the access token in your database and set the cookie to identify the user.
Unless you are building this for a very specific reason like an app that runs on work computers only, I would really encourage you to not implement this feature. The facebook connect authorization is well understood by users and is very easy to use. You are going to get a lot more security if you make your users press the button every time. Just make sure you make this optional. You never know if somebody is on a public computer.