Is it possible to implement facebook authentication without popup - facebook

We are integrating an application as a Facebook app at work. I want to be able to detect whether the user has logged in to Facebook, and if not, to prompt for authentication.
So far we have successfully used the Facebook SDK and the login functionality it provides. However, this causes an authentication popup window to be created by our application, which is blocked by most browsers, so our priority task is to re-implement the authentication logic so that it does not use popups.
According to this tutorial from the Facebook documentation, it could be done either by using event subscription for user status change requests (which did not work when the user is logged out) or by obtaining an access token. The problem is that the token is returned as a request parameter to the top window (the URL I specify as the return URL after the user authenticates). Since some cross-domain and browser restrictions exist, I am unable to use client scripting to obtain the value, and I am stuck.
Related questions have been asked here, and the common issue is that most apps are being run on localhost. However, in our case we have deployed our app to a local web server that is exposed via a public domain, but we still have the cross-domain restriction issues. It is referenced by its public domain name in the Facebook app configuration. I am completely confident that the domains are fully accessible from outside.
In general, our case is that we would like to host the app while it is being used by Facebook users. Perhaps this approach is incompatible with our requirement? Is it possible to configure cross-domain communication to avoid the issue? Are there any other ways to avoid Facebook login popups?

First of all, default settings for popup blockers in modern browsers are so that they only block popups that are called without user interaction. If you call FB.login automatically on page load, it is likely to get blocked. But if you offer a link/button to the user saying “log in here” and only call FB.login on click on that link/button, then the popup is rather likely to be shown and not blocked.
If you are not willing to do it that way – then your other option is to use the server-side auth flow. You can just redirect the user to the auth dialog, which will happen in the same window, and he will be directed back to your app afterwards.

Related

Facebook manual logout

I have a .NET web site which is designed to work as a standalone application. Due to one issue I was made to perform the login flow to Facebook manually instead of calling FB.login (from the FB JavaScript SDK). And because of this I am not able to call FB.logout (because in this case another issue appears).
Facebook support advised me this:
"In this case, you should manually clear the user's logged in session, by clearing any stored cookies, or removing any access tokens or user information stored on our end. You can refer to this page for more information on building login/logout flows manually: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logout"
I didn't get this answer. How do I realize the manual logout workflow?
And I didn't find any examples.
You can check what the PHP SDK’s getLogoutUrl method does here, https://github.com/facebook/php-graph-sdk/blob/5d0c4865e80e231d48a4571841bd018828fe58e1/src/Facebook/Helpers/FacebookRedirectLoginHelper.php#L156
Basically it just calls https://www.facebook.com/logout.php with two parameters:
next is the redirect URI the user should be redirected back to after logout; it needs to be within your app domain
access_token is the valid user access token for the current user of your app

Facebook Login Flow for Web without Javascript SDK and Logout

The Facebook Platform Policies section 1.6 clearly states
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
The Login Flow for Web without Javascript SDK says on Logging people out
You can log people out of your app by undoing whatever login status indicator you added, for example deleting the session that indicates a person is logged in. You should also remove the stored access token.
On the other hand the Login Flow for Web says about Logging people out
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
So in my understanding the Login Flow with JS SDK does what the policy says, it logs the user out of Facebook as well. How do I implement the Login Flow without JS JSDK correctly, such that i do not violate the Facebook Platform Policy? So far i don't see that the Graph API offers a similar functionality.
That should be easy; looking at the PHP SDK’s getLogoutUrl method, it creates a URL of the following scheme:
https://www.facebook.com/logout.php?next=FOO&access_token=USER_ACCESS_TOKEN
For FOO you just place the URL of your website where you want the user to be redirected to after they are successfully logged out of Facebook (don’t forget to properly URL-encode that value), and USER_ACCESS_TOKEN should be self-explanatory. (You need an active user access token to log the user out of Facebook – obviously, because otherwise every site on the web could just redirect me to this address and log me out of Facebook, without me actually wanting that to happen.)

How to logout from facebook or destroy an active session using php?

I have an application which asks for a registration through facebook but before a user can proceed to the registration, the system should first determine if there is an active session. If a user is logged in to facebook, it should then automatically logout for a fresh start.
But here is where I'm stuck. The SDKs only let the user log out from facebook if he is connected to your app. It uses the app's access token. But what if he is still not registered to your app? Their log out means to log out from your app, and not really from facebook.
My requirement:
1. How can I log out from Facebook?
2. How can I clear the browser cookies?
Not for a specific app but for the whole Facebook session.
[from comments] But to use the getLogoutUrl() function, the user has to be connected to your app. What I need is to log out from the whole of Facebook and not just from the app.
If the user is connected to your app, then the URL provided by the getLogoutUrl method does that – log the user out of your app (web-app) and out of facebook.com.
If the user is not connected to your app however, you don’t have an active user access token – and then logging out of Facebook is not possible. The obvious reason being that if it was, every website that I visit could log me out of Facebook in a “drive-by” manner – without me actively wanting that, so people would get annoyed quite quickly.
If a user is logged in to facebook, it should then automatically logout for a fresh start.
If this is a security consideration, then you are in fact looking for re-authentication, which can be done using the auth_type parameter, quote from docs:
In apps where security is very important, you may want to double-check someone's identity - perhaps before they make a purchase within the app, or use it to access some sensitive personal data.
To prevent situations where a user could leave a device logged in or man-in-the-middle hijacking of the user session, re-authentication forces a person to re-enter their Facebook password before they can continue to use your app.
Be sure to use the server-side auth flow though – because in the client-side flow, using the JS SDK, there is a bug that allows the user to bypass re-entering his password by simply closing the popup, which is still open: https://developers.facebook.com/bugs/248632218597467 (It has been assigned Priority: High, but has still received nothing more than a “we will follow up” response.)
Use the logout.php URL.
https://developers.facebook.com/docs/reference/php/facebook-getLogoutUrl/
Basically,
http://facebook.com/logout.php?next=YOUR_NEXT_URL_FOR_LOGOUT&access_token=USER_TOKEN
1) logging out from Facebook by using
$facebook->getLogoutUrl();
2) clearing the session by using:
$facebook->destroySession();
example:
<a href="<?php echo $facebook->getLogoutUrl(); ?>">Log Out</a>
logout.php page code as follows:
<?php
require 'facebook.php';
// Instantiate the SDK so that $facebook exists (placeholder credentials)
$facebook = new Facebook(array(
  'appId'  => 'YOUR_APP_ID',
  'secret' => 'YOUR_APP_SECRET',
));
// Drop the app-side session data for this user
$facebook->destroySession();
header('Location: index.php');
exit;
?>
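The three answers above describe the same logout.php URL and two constraints on it: a valid user access token is mandatory, and next must stay on the app's own domain. This added example (not code from any of the answers or from the PHP SDK) builds that URL and enforces both; the app origin and token are constructed values.

```javascript
// Added example: build the facebook.com/logout.php URL described above.
const FB_LOGOUT_ENDPOINT = "https://www.facebook.com/logout.php";

// appOrigin is the app's own origin, e.g. "https://app.example.com" (assumed value).
function buildFacebookLogoutUrl(nextUrl, accessToken, appOrigin) {
  if (typeof accessToken !== "string" || accessToken.length === 0) {
    // Without an active user access token facebook.com will not log the user out
    // (the token is what proves the request comes from an app the user is connected to).
    throw new Error("an active user access token is required");
  }
  let next;
  try {
    next = new URL(nextUrl);
  } catch (e) {
    throw new Error("next must be an absolute URL");
  }
  // next must be within the app's domain: refuse anything else so the logout link
  // cannot be turned into a redirect to a third-party site.
  if (next.origin !== appOrigin) {
    throw new Error(`next must be within ${appOrigin}, got ${next.origin}`);
  }
  const url = new URL(FB_LOGOUT_ENDPOINT);
  // URLSearchParams percent-encodes next, including its own query string.
  url.searchParams.set("next", next.toString());
  url.searchParams.set("access_token", accessToken);
  return url.toString();
}
```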

Out-of-band OAuth authentication with Facebook

TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application, since the web application isn't actually running on a server?
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication, or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html. When the browser redirects, you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/)
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.
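For the no-server flow the first answer describes, the token arrives in the fragment of the login_success.html URL, which the browser never sends to any server. This added example (not code from the answers or from Facebook) reads that redirect; it assumes the error parameters arrive in the query string and that the app echoes a state value it generated before opening the dialog, neither of which the answers mention.

```javascript
// Added example: parse the login_success.html redirect of the desktop/no-server flow.
const LOGIN_SUCCESS_URL = "https://www.facebook.com/connect/login_success.html";

// expectedState: anti-CSRF value the app generated before opening the dialog (assumed).
function parseLoginSuccessRedirect(redirectedUrl, expectedState) {
  let url;
  try {
    url = new URL(redirectedUrl);
  } catch (e) {
    return { ok: false, reason: "not a URL" };
  }
  // Only trust the single redirect target this flow uses; ignore anything else.
  if (url.origin + url.pathname !== LOGIN_SUCCESS_URL) {
    return { ok: false, reason: "unexpected redirect target" };
  }
  // A cancelled or failed dialog reports error parameters in the query string (assumed).
  const query = url.searchParams;
  if (query.has("error")) {
    return { ok: false, reason: query.get("error_reason") || query.get("error") };
  }
  // The token itself is in the fragment: strip the '#' and parse key=value pairs.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  if (expectedState !== undefined && fragment.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const token = fragment.get("access_token");
  if (!token) {
    return { ok: false, reason: "no access_token in fragment" };
  }
  // Keep the token in the caller's scope; do not write it to a global or the query string.
  return { ok: true, accessToken: token, expiresIn: Number(fragment.get("expires_in") || 0) };
}
```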

How to avoid leaking user info to AdSense from a Facebook Connect app

I have a Facebook Connect app that I monetize using Google AdSense. I want to be sure that I am not leaking any Facebook user information such as the Facebook UserID number or the access token (which has the UserID in it).
AdSense is perfectly legit and within Facebook policy for Connect applications. I just need to be sure Google cannot see the information that identifies the user.
I was well aware of these requirements when I designed my application, and thought I had it nailed, but then I received one of the famous automated warning emails from Facebook stating:
"Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties."
it also stated:
"In every case that we have examined, this information is passed via the HTTP Referer Header by the user's browser."
Again, I was already familiar with this leakage vector, which happens when Facebook puts the access token into the querystring when it redirects back to your app after user authentication. I already have a design in place where I handle this through server-side OAuth 2.0 redirection, obtaining a "code" and exchanging it for an access token. This method is described here, under server-side authentication: https://developers.facebook.com/docs/authentication/
In my app, I do the code-for-token exchange in a separate ASP.NET MVC controller that has no views, so there is no Adsense or any 3rd party resources included. So I am certain that all of my header referer field contents and querystrings are clean and contain no user data.
Given that I received the email notice from Facebook however, and don't want my app and the AdSense money faucet turned off, I am now paranoid that there is some other place I am leaking data. Then again, the email says my app "may be" leaking information (why oh why can't they just tell me what they saw, or at least be certain it is leaking rather than it just "may be" leaking), and it says every instance was due to the referer/querystring, of which again I am certain (having done Fiddler tracing) my app is clean.
I see only one possible way the info could be leaking, but I'm not sure if it is a real risk or just a lack of understanding on my part of what exactly AdSense (and Google Analytics) can see from my app's content on a page that requires the user to be authenticated.
I have a view (page) where I put the access token into a hidden form field. It is put there when the page is initially served up (after the user has been authenticated), and then subsequently updated via Javascript (using the Facebook JS SDK) so when the user posts the form back to the server, I get an updated access_token if it has changed. The access token can change because I use the Javascript SDK to prompt for additional permissions on that page, including in some cases the offline_access extended permission. Getting offline_access will generate a new access_token, one that does not expire.
This is on a page that requires the user to be authenticated to see it, so I figured AdSense cannot see the page contents. I do have the view set up to render in a generic fashion (no user info) with all of the same text if the user is not authenticated, but with the addition of a "login now" prompt, so AdSense can index the page and provide relevant contextual ads.
I am aware of the fact that Facebook just yesterday launched the new OAuth 2.0 Javascript SDK features, but can't adopt that right away as it won't work with the Facebook C# SDK I use server-side. And even with that, if I have a problem with putting the access token in the hidden form field, that problem would still be there.
In classic Facebook fashion, they give me 48 hours to fix the problem, but any inquiries via their developer support web form only result in a response that they will "do our best to respond to your specific issue within one week."
Maybe a simpler way to think of this problem is "can Google AdSense see the page contents of a page requiring user authentication?" or do they only see the header referer field from which the AdSense javascript file was loaded.
Hard to say exactly what they have detected without knowing the details of your code – but I would guess that "may" actually means it does leak information. They would have identified a particular pattern that they know will leak, and they have spotted that pattern in your app.
Why don't you set up a proxy server such as squid and then point your browser to go through your squid instance for all HTTP access? You can then look at the squid logs for all the HTTP requests and headers for any indication of what may be leaked.
I would think you should pick an independent machine for installing squid, so an Amazon micro instance may be what you need for this if you don't already have a machine available.
In addition, all JavaScript running on the page can see everything in the DOM and all global JavaScript variables, so if you/Facebook are worried about leaking info that way you may want to store all uids inside a closure and/or run the AdSense code in an iframe rather than directly in the page. As a general rule, you should never allow 3rd-party JavaScript code to run in your page without it being wrapped in an iframe.
They got back to me after a manual review of my site and said it was not actually leaking any user info. Gee thanks for the runaround Facebook automated detection systems!
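The proxy-log review suggested above comes down to one question: did any request to a third-party host carry an OAuth code or access token in its URL or Referer header? This added example (not the asker's code nor from any answer) runs that check over a few constructed log entries; the first-party host name and the ads host are assumed values.

```javascript
// Added example: scan captured requests (Fiddler, squid, ...) for token/code leakage
// to third-party hosts via the URL or the Referer header.
const SENSITIVE_PARAMS = ["access_token", "code", "signed_request"];
const FIRST_PARTY_HOSTS = ["app.example.com"]; // assumed: the app's own host(s)

// Names of sensitive parameters present in a URL's query string or fragment.
function sensitiveParamsIn(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return []; }
  const found = [];
  for (const name of SENSITIVE_PARAMS) {
    if (url.searchParams.has(name)) found.push(name);
  }
  // Browsers never send the fragment, but a log line copied from the address bar
  // may still carry one, so report it as well.
  const frag = new URLSearchParams(url.hash.replace(/^#/, ""));
  for (const name of SENSITIVE_PARAMS) {
    if (frag.has(name) && !found.includes(name)) found.push(name);
  }
  return found;
}

// entries: [{ url, referer }] as captured by the proxy. Returns one finding per
// request to a third-party host whose URL or Referer carries a sensitive parameter.
function findTokenLeaks(entries) {
  const leaks = [];
  for (const { url, referer } of entries) {
    const host = new URL(url).hostname;
    if (FIRST_PARTY_HOSTS.includes(host)) continue; // own app, not a third party
    const viaUrl = sensitiveParamsIn(url);
    const viaReferer = referer ? sensitiveParamsIn(referer) : [];
    if (viaUrl.length || viaReferer.length) leaks.push({ host, viaUrl, viaReferer });
  }
  return leaks;
}

// Constructed sample log: the second entry is the referer leak the notice describes
// (the ad script loaded from the callback page, whose URL still holds the OAuth code).
const SAMPLE_LOG = [
  { url: "https://app.example.com/callback?code=AQB123", referer: "https://www.facebook.com/" },
  { url: "https://ads.example.net/show_ads.js", referer: "https://app.example.com/callback?code=AQB123" },
  { url: "https://ads.example.net/show_ads.js", referer: "https://app.example.com/home" },
];
```

Serving the ad-free callback on its own URL and redirecting before any third-party script loads, as the asker did, is exactly what makes the second entry disappear from such a log.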