I'm trying to write application for user login to website via Facebook. When user is logging in, he's redirected to http://www.facebook.com/dialog/oauth/?client_id=APP_ID&redirect_uri=REDIRECT_URL&state=STATE, then sees confirmation dialog to use permissions and all goes well. But then FB somehow remembers this application and never asks for permissions confirmation again when user opens this url. Is there any way to always show this dialog? I could do it in Twitter, but couldn't found the answer for Facebook.
If you really want this for some reason, uninstall the app from the user's account with a HTTP DELETE request to /USER_ID/permissions using your app access token.
The next time they come back they'll need to re-authorise the app.
Otherwise, no, there's no way that I'm aware of apart from the reauthentication flow to force the auth dialog to appear, but bear in mind that the reauthentication flow may prompt the user to re-enter their Facebook password even if they're already logged into Facebook, so it adds extra friction to the process
Instead of showing the Facebook OAuth dialog, you could also show the user a page on your application that has some information about the Facebook account that is going to be used (picture/name etc), to log into it. That way, if they like they can choose to log out and re-authenticate or continue knowing they have the right account.
Related
I wonder what kind of workflow other people have had when logging in with facebook.
I have an app that requires signup. People can also signup by logging in via facebook. That part has been integrated.
However, when a user signs in with facebook (which means: facebook page open and requires login), my workflow
takes the user to a screen where he needs to create a username (as having a username is required).
After the user picked up a username, then I create this new user, save the facebook token and generate a password.
Now, automatically, the user will be logged in in my app.
Next time the user opens the app, in background, I will login the user taking the email (which originally was fetched from facebook) and the password, which are stored in local storage.
But what if the user logs out or delete the app and reinstall it? I have seen that this happens some times. In that case, the workflow (if the user clicks on facebook login on my app) will take the user again to facebook. And after he logs in in facebook, he will come back to my screen where he can choose a username. This is bad. Because I already created an account for the user with the email binded to that facebook account.
Of course, I can understand that this user that logs in via facebook already has an account. But what can I do? Can I just login him in background? Are there any security implications (yeah, my app is not that sensitive, but I would prefer to use best practice).
Yes, if the user already logged in once, the expected behavior is to be logged in again on future visits to the app. If the user passed the Facebook login, you can safely assume that it is the same user imho.
First let me introduce the problem. I have site where I want to allow users to login using their Facebook account. Also I want to have possibility to post on users wall and access his email. I created Facebook app and every time not logged user comes to login page he clicks on Facebook button and gets to auth dialog of application where he must allow getting his email and on next screen allow posting on wall. To this dialog user gets with link which contains scope=email, publish_stream.
First question: When user clicks do not allow to post on wall, next time he uses this link he must again do that. Shouldn't Facebook remember this? I thought that I should not give the scope in link and use application setting where on permissions page a choose extended permissions. But these permissions are never asked for. Even when I enable referrals.
Second question: Is using FB application for this right? Should I not use fblogin?
Thank you.
When user clicks do not allow to post on wall, next time he uses this link he must again do that. Shouldnt facebook remember this?
No – because then there would be no way to ask a user for an extended permission once they’ve declined it.
Of course it might be annoying to the user to see that dialog asking for posting permission every time again when he just wants to login to your page.
That’s why Facebook themselves advise you to only ask for permissions you actually need for the current task. To provide the ability to log in to your site, you only need basic data and maybe email – so only ask for that, when the user is just logging in.
And then, when you come to the point where the user actively wants to share content through your app – then check if you got the necessary permission already, and ask them for it if it’s not present (by calling the auth dialog again, this time with the extended permission set in the scope parameter).
That way, it’s clear to the user why he gets asked for that permission at this point, and he doesn’t get hassled about it time and time again if he just only tries to log in.
I thought that I should not give the scope in link and use application setting where on permissions page a choose extended permissions. But these permissions are never asked for. Even when I enable refferals.
For these settings to have any effect, the connect to your app must happen in a way that actually triggers Authenticated Referrals. Doing the login by yourself in your app logic does not trigger this way of authentication.
How can I login to facebook without showing permission window. ?
I never want to show that window in my web.
If you mean that you're using OAuth 2.0 in your app to authenticate your users using facebook, then you can't. It's a necessary part of the process.
You can consider reducing the permissions your app requires to improve your bounce rate.
If you want a user to authorise your application then you have to show the authorisations screen as either a page that you redirect to or a pop-up, otherwise it is impossible for Facebook to securely verify the user.
If you want Facebook functionality without having the user grant permissions you are restricted to certain social plugins like the share and like buttons, but be aware that if the user is not signed in to Facebook in another tab they will still see a pop-up requesting that they sign in.
I'm implementing facebook connect for my iPhone app. The current facebook SDK would keep you logged in unless you log out explicitly, which is fine with me as stay logged in is actually the requirement. However, I don't want the users to go press the log in button if they never logged out. In this case, I won't be able to grab the facebook object, which I'll need in other parts of my app. So I was planning to simulate the log in event anyways, but that led me to another problem: even though permissions are granted to my facebook app before, it will still pop up the authorization dialog to my users saying they have granted permissions to my app. My question is, how do I hide this? Or, is there a way that I can grab the valid facebook object without calling authorize on my facebook object when my app is restarted and the user stayed logged in?
Any suggestion would be appreciated.
You could redirect the user to https://www.facebook.com/login.php?api_key=<YOUR_APP_ID>. (This is the URL that the PHP Facebook SDK returns when you call getLoginUrl()).This will avoid the dialog and still allow users to authorize your app.
I have added Facebook Connect to my application via the JavaScript SDK. I'm using Spring Security (this is a grails app) and I have added code that when someone clicks the FB Connection button to login, I manually authenticate them against their user account and everything gets wired up appropriately. I have 2 questions:
When a user first logs in with FB and I don't have an account for them, I create an account for them with their FB info, generate a random password, and use their email for their login name. If the user then uses the regular login form instead of the FB button to sign in, how do I sign them in to FB as well?
Every time the user clicks the FB Connect button, the popup window shows up. If they are already authenticated, it just goes away and then my web site redirects correctly. How do I keep the popup window from showing up in this case?
Thanks
To you first question, the user might be connect on Facebook when landing on your page after registration. So you can rely on the Javascript SDK to help you out.
See here: http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus
To your second question, I think you can't, except you might get a work around if you use the Javascript SDK mentioned for the first question!
This is how I did it for moviezine.se and it works just fine, but it might be a little irritating to be logged in without asking for it when you come back a few days later. Then there is the use case of the logout: if you are automatically logged in, are you automatically logged out too; and if not, what if your Facebook session is replaced by your girlfriend's one who is also a user on your site! :)