I have a kiosk application which allows image uploads to fb.
After a successful upload the user is automatically logged out by passing the access token to Facebook.com/logout.php
But, after first logging in there are 2 permission dialogs the user must approve. If the user walks away or the application times out when the permission screens are viewable, the user remains logged in. I am unable to log the user out since the access token does not exist yet!
This is the actual facebook graph API call I use to logout
https://www.facebook.com/logout.php?next='+SERVER_IP+'/logout&access_token='+ACCESS_TOKEN
Hope this makes sense...
Related
Facebook documentation states that
. At any point, you can generate a new long-lived token by sending the person back to the login flow used by your web app - note that the person will not actually need to login again, they have already authorized your app, so they will immediately redirect back to your app from the login flow with a refreshed token - how this appears to the person will vary based on the type of login flow that you are using, for example if you are using the JavaScript SDK, this will take place in the background, if you are using a server-side flow, the browser will quickly redirect to the Login Dialog and then automatically and immediately back to your app again.
What does it mean that the person does not actually need to login? Does not he have to pass his credentials again? If not how does FB is authenticating the user and getting the refreshed access token?
Yes but you need that the user visits your web app. Then you check for login status, if it is "connected" you will get a new short-lived token without even making the user login again. That's because the token has information about apps already authorized by user. If not the case or the user hasn't login in FB then you need to call the login function.
Once you have the token you can create a new long-lived token again.
Is there a possibility to get a Facebook user access token, given that I have the user's credentials?
The background is that I am writing a console application which shall act on the user's behalf, and as it's a console application, of course I can not do the OAuth dance.
Is there a request I can make, such as
GET https://graph.facebook.com/getUserAccessToken?login=foo&password=bar
?
The instructions on using Single Sign-On (SSO) with the Facebook IOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
no, there is no way to do this. each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged of FB from your app so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this don't request "offline_access" permission when you authorize a FB user and you can also logout and de-authorize the user via the FB API based on whatever criteria you deem appropriate.
I'm building in Facebook integration into my website with the php sdk.
The website use offline_access. According to the Facebook platform rules you have to provide a log out link that logs the user out of Facebook.
What I don't want to do is displaying the log out link if the user is not logged in to Facebook since they may confuse it with the reauthorize button. (If they are not logged in, the link wouldn't do anything...)
Is there anyway I can check if the user is logged in on Facebook?
My thought was to use the getUser() method to see if I got the user, if not then I proceed with setting the access token I have and I would know if the user is logged in or not.
However, the getUser() method checks if the protected $user variable is already set and if so return it. That makes the getUser() method unusable when I've set the access token and need to check again if the app has access.
I guess I could do it super easily by changing the $user variable to public and set it back to null in my app but I don't want to edit the sdk unless I really have to.
I think you should only be showing the "log out" button if the user is both logged in and authorized. In my experience, you normally do not know if the user is logged into Facebook if they have not authorized your app. And anyway, if they click to authorize your app they are prompted to log in at that point if they are not logged in anyway.
Using the php SDK, there are 2 ways to check the users login status:
$facebook->getUser(); // provides user id of logged in user
$facebook->getAccessToken(); // provides access token of logged in user
If you absolutely need to check to see if the user is logged in, then set the access token and check again, nothing is stopping you from creating a separate instance of a facebook object and setting the access token yourself.
However, not sure why you would want to do this, as if you have an access token that was obtained with the offline_access privilege it's always valid (until user deauthorizes or changes password), and if you don't have offline_access, you should use the one that is provided in the signed_request or code.
I am working from this reference, and trying to implement the OAuth protocol to allow users to log into my site via Facebook. However, Facebook's documentation is pretty terrible and it unclear in a few key parts.
It says that authorization takes three steps:
User authentication (redirect the user to https://facebook.com/dialog/oauth?client_id=...&redirect_uri=..., and expect the redirect_uri page to be called back with a code). Works great!
App authorization (handled by Facebook, etc). Works great!
App authentication (On the callback page, grab the code you get and call https://graph.facebook.com/oauth/access_token?client_id=...&redirect_uri=...&client_secret=...&code=.... The body of the response will include an access_token we need to do stuff)
I understand that with the access_token, I can call the APIs and such. But, what happens when it expires? I could get a new one, but by this point it will be many HTTP requests later, and I no longer have the code I used to get it in the first place. Do I have to store the code along side the access_token? Or, do I have to tell the user to log in again so I get a new code to get a new access_token?
Or, am I missing a key part here? I don't need an offline_access token, as I will only be polling data in response to user actions .
When the access_token expires, the user will be seen as "logged out" by Facebook. Your app will go through the same process as the first time, but the user may not.
If the user hasn't revoked access to your app, and the user is logged into Facebook at the time, the App Authorization process will take care of itself, with no actions required by the user, and you will receive a new access_token.
If the user hasn't revoked access to your app, but isn't logged into Facebook, they will be presented with a Facebook login at the App Authorization step. They won't be asked to give your app permission again, as Facebook knows that your app id is authorized by that user.
Finally, if the user has revoked access, then they will be presented with the original request for App Authorization, and you'll follow the original flow.
Essentially, you should consider the access_token as volatile, and not bother storing it, but using the access_token you receive as part of the user login process, which is happening behind the scenes all the time, and only involving the user when they log out of Facebook or revoke access to your application.
This is different than Twitter's OAuth with which you can store and re-use it.
From the Facebook documentation linked in your question:
Once the token expires, you will need to re-run the steps above to
generate a new code and access_token, although if the user has already
authorized your app, they will not be prompted to do so again.
When the access_token expires you will need to get a new one by going back through the same steps. The user will have to log in again and you will have to get a new code and in turn, a new access_token.