Facebook login in ionic - facebook

I wonder what kind of workflow other people have had when logging in with Facebook.
I have an app that requires signup. People can also sign up by logging in via Facebook. That part has been integrated.
However, when a user signs in with Facebook (which means: the Facebook page opens and requires login), my workflow
takes the user to a screen where he needs to create a username (as having a username is required).
After the user has picked a username, I create this new user, save the Facebook token and generate a password.
Now, automatically, the user will be logged in to my app.
Next time the user opens the app, in the background, I will log the user in using the email (which originally was fetched from Facebook) and the password, which are stored in local storage.
But what if the user logs out or deletes the app and reinstalls it? I have seen that this happens sometimes. In that case, the workflow (if the user clicks on Facebook login in my app) will take the user to Facebook again. And after he logs in to Facebook, he will come back to my screen where he can choose a username. This is bad, because I already created an account for the user with the email bound to that Facebook account.
Of course, I can understand that this user who logs in via Facebook already has an account. But what can I do? Can I just log him in in the background? Are there any security implications (yeah, my app is not that sensitive, but I would prefer to use best practice)?

Yes, if the user already logged in once, the expected behavior is to be logged in again on future visits to the app. If the user passed the Facebook login, you can safely assume that it is the same user imho.

Related

Login user to facebook given email

Is it possible to prompt a user to login to facebook given their email (as in, I have the email already and want them to sign in with it)?
I have an app that asks the user for their profile page (https://www.facebook.com/USERIDHERE) and want to verify that the user actually owns the page they submitted. Really anything that accomplishes that goal would be fine.
I'm sure there is a way to use the Facebook API for proper verification. You can go to their site and read up on it; I believe they use OAuth2.
However, I'm a fan of lazy programming; so if you're not particularly concerned about security, you could prompt the user to enter their password, programmatically try to log in with the entered credentials and check the returned URL. If it's Facebook's homepage, the login failed; anything else would be considered verified, as it actually entered the user's account. Just don't go saving those passwords 😉 😉
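The question above asks how to confirm that a user owns the profile URL they submitted. The following is an added example, not code from the thread or from Facebook, showing the OAuth-based check the first sentence of the answer alludes to: the user logs in through Facebook's own OAuth dialog, the app reads the authenticated identity from the Graph API `/me` endpoint, and the submitted URL is compared against that identity, so no Facebook password ever passes through the app. The `authenticatedUser` object shape (`{ id, username }`) and the vanity-name character rule are assumptions; newer Graph API versions return only the numeric `id`, in which case only the `profile.php?id=` form of the URL can be matched.

```javascript
// Added example (not from the original thread): verify that a user owns the
// Facebook profile URL they submitted by comparing it with the identity that
// Facebook's own OAuth login returned, instead of collecting their password.
// `authenticatedUser` ({ id, username }) is assumed to be what the app stored
// from the Graph API /me call after a successful OAuth login.

const FACEBOOK_HOSTS = new Set(['facebook.com', 'www.facebook.com', 'm.facebook.com']);

// Extract the profile identifier from a submitted URL. Returns null when the
// URL is not a facebook.com profile link. Handles both vanity URLs
// (facebook.com/somename) and numeric ones (facebook.com/profile.php?id=123).
function parseProfileUrl(submitted) {
  let url;
  try {
    url = new URL(String(submitted).trim());
  } catch (e) {
    return null;                                   // not a parseable URL at all
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!FACEBOOK_HOSTS.has(url.hostname.toLowerCase())) return null;

  const path = url.pathname.replace(/\/+$/, '');   // drop trailing slashes
  if (path === '/profile.php') {
    const id = url.searchParams.get('id');
    return id && /^\d+$/.test(id) ? { kind: 'id', value: id } : null;
  }
  const segments = path.split('/').filter(Boolean);
  if (segments.length !== 1) return null;          // reject /name/photos and similar
  const handle = segments[0].toLowerCase();
  // Assumed vanity-name shape: letters, digits and periods, at least 5 chars.
  if (!/^[a-z0-9.]{5,}$/.test(handle)) return null;
  return { kind: 'username', value: handle };
}

// Ownership holds only when the submitted identifier matches the id or
// username returned by the OAuth-authenticated /me call. Nothing the user
// typed besides the URL itself takes part in the decision.
function ownsProfile(submittedUrl, authenticatedUser) {
  const parsed = parseProfileUrl(submittedUrl);
  if (!parsed || !authenticatedUser) return false;
  if (parsed.kind === 'id') return parsed.value === String(authenticatedUser.id);
  const authName = authenticatedUser.username;
  return typeof authName === 'string' && authName.toLowerCase() === parsed.value;
}

// Constructed sample of what the app would have stored after the OAuth login.
const SAMPLE_ME = { id: '1000123456789', username: 'alice.example' };
```

Usage: call `ownsProfile(submittedUrl, SAMPLE_ME)` after the OAuth callback has completed; a URL on any host other than facebook.com, a sub-page such as `/name/photos`, or a name that differs from the authenticated one all return `false`.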

How to logout users from Facebook without revoking website (app) permissions?

I am having some doubts about the proper Facebook authorization/login flows and maybe some of you have more experience on the subject.
Basically I have a guest area on my website for non-authenticated users and a button to connect through Facebook or the platform login/registration system.
As per the Facebook flow: once the guest clicks on the button, a popup dialog opens asking them to log in to FB (if needed) and to grant some permissions to the app. Once accepted, my website saves the user data to the DB tables as if the user had also registered on the website itself. This all works fine and once done, my users can navigate to the protected areas as expected.
Now... I don't totally get whether it's mandatory to log out from Facebook AND to revoke permissions once the user chooses to log off from my website, or whether it's allowed (and how) to simply log the user out of Facebook (and so out of the app) while the app still retains the user's permissions.
I know this might sound like a silly question, but the last part of the flow is still foggy to me and I found the Facebook docs quite sparse. I hope I could explain it well enough!
Thanks.

Facebook not asking for permissions

I'm developing a Facebook canvas app and I'm testing how the whole permissions thing works.
One thing is calling my attention and I think it's kind of weird: the first time a user enters the app, Facebook sends the signed_request without the user_id and access token (as expected). Then my app redirects to the Login Dialog, so the user can authorize the app and give the requested permissions.
At this point something strange happens: Facebook is automatically redirecting the user to my app with the given permissions (and user_id and access token), but without prompting the user to give the permissions.
I have verified this behavior with test users and testers.
Is this normal? Is it possible to "force" (for testing purposes) the "ask for permissions" screen?
It is normal on a second or later use of the Facebook app.
Remove the app's permissions from the Facebook account before starting the app to get the ask-for-permissions screen back.

Can I always show permission dialog in Facebook application when user logins?

I'm trying to write an application for user login to a website via Facebook. When a user logs in, he's redirected to http://www.facebook.com/dialog/oauth/?client_id=APP_ID&redirect_uri=REDIRECT_URL&state=STATE, then sees the confirmation dialog for the permissions and all goes well. But then FB somehow remembers this application and never asks for permissions confirmation again when the user opens this URL. Is there any way to always show this dialog? I could do it with Twitter, but couldn't find the answer for Facebook.
If you really want this for some reason, uninstall the app from the user's account with an HTTP DELETE request to /USER_ID/permissions using your app access token.
The next time they come back they'll need to re-authorise the app.
Otherwise, no, there's no way that I'm aware of apart from the reauthentication flow to force the auth dialog to appear, but bear in mind that the reauthentication flow may prompt the user to re-enter their Facebook password even if they're already logged into Facebook, so it adds extra friction to the process.
Instead of showing the Facebook OAuth dialog, you could also show the user a page on your application that has some information about the Facebook account that is going to be used (picture/name etc), to log into it. That way, if they like they can choose to log out and re-authenticate or continue knowing they have the right account.

Multi login using Facebook, Twitter, and internal login issue

I am creating an app in which you can login via Facebook, Twitter, or our own internal mechanism. The issue is the following scenario:
I open the app and login using Facebook
I logout
I open the app and login using Twitter
The above scenario will result in me as a user having two accounts in the system. How do I prevent this from happening so that I have one account and it doesn't matter whether I login using Facebook/Twitter?
Every time a user logs in using Facebook I am also creating an internal account, with the Facebook username and Facebook id as password. The same thing when I log in using Twitter: I am creating an internal account with the Twitter user name and id as password.
An idea came to my mind to solve this:
When a user logs in using Twitter check the name and email if a user with that information already exists in the database. However, the name and email they use in both Facebook and Twitter might not be the same, so this might not work all the time.
You can't make this work with your current flow (when the user logs in then logs out again). Instead you should allow a user to login with either their Facebook or Twitter credentials and then, whilst they're still logged in, get them to associate their account with their other service with that user.
So, the flow would be something like:
1. New user arrives at site.
2. User logs in with Facebook's OAuth2 mechanism.
3. Your server receives their FB ID and generates a new user in your systems. Stores their FB ID against that user.
4. You prompt the user to add their Twitter auth credentials.
5. User logs in with Twitter's OAuth2 mechanism.
6. Your server receives their Twitter ID, checks to see if a user is currently logged in with your application. Because there is, you save the Twitter ID against the current user.
Later, the user can log out and then log in with either service.