I'm writing a Windows Phone 7 app and have gotten Facebook login working using the C# sdk, but logging out has proven interesting. I've read this post:
Cannot Logout of Facebook with Facebook C# SDK
which seems to mirror the FB docs which indicate I should navigate to
https://www.facebook.com/logout.php?next=[redirect_uri]&access_token=[token]
However, that doesn't work and silently redirects me back to the facebook home page.
My best guess at the moment is facebook doesn't like the "next" URI I'm providing. I updated my FB app settings but either they haven't propagated yet, or something else is still not working.
I've seen posts recommending using InternetSetOption, but that API is not available on the phone.
In my application flow, logout leads to navigating to a different silverlight page in my app, so I really don't need the browser redirect for my purpose anyway, so I could just "forget" the access token without actually telling FB to invalidate it, but that seems weak and insecure.
So, while I wait longer to see if the app domain changes propagate across FB's servers and solve the problem I have a different question:
Why should the Facebook APIs care whether I provide "next" or not? Shouldn't I just be able to tell them to invalidate a token and have it happen?
Is there a logic piece I'm missing here?
Thanks!
Update: I wrote an open-source Facebook login/logout control for WP7 that allows this (check the example project). It works by essentially using the web browser control to navigate to the logout page and then submit the logout form by injecting javascript into the web browser control. The idea came from this blog post.
The closest thing would be to revoke the extended permissions by issuing an HTTP DELETE to /me/permissions as documented here. Simply forgetting the auth token isn't a bad option either as the access tokens are generally only good for an hour or two unless you asked for offline_access. And if a user is overly concerned, they can remove your application on their settings page on facebook.com.
Related
I have .net web site which designed for working as standalone application. Due to one issue I was made to perform login flow to Facebook manually instead of calling FB.login(from FB javascript sdk). And because of this I am not able to call FB.logout (because in this case another issue appears).
Facebook support advised me this:
"In this case, you should manually clear the user's logged in session, by clearing any stored cookies, or removing any access tokens or user information stored on our end. You can refer to this page for more information on building login/logout flows manually: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/#logout"
I didn't get this answer. How to realize manually logout workflow?
And I didn't find any examples.
You can check what the PHP SDK’s getLogoutUrl method does here, https://github.com/facebook/php-graph-sdk/blob/5d0c4865e80e231d48a4571841bd018828fe58e1/src/Facebook/Helpers/FacebookRedirectLoginHelper.php#L156
Basically it just calls https://www.facebook.com/logout.php with two parameters:
next is the redirect URI the user should be redirected back to after logout; it needs to be within your app domain
access_token is the valid user access token for the current user of your app
The Facebook Platform Policies section 1.6 clearly states
Your website must offer an explicit "Log Out" option that also logs the user out of Facebook.
The Login Flow for Web without Javascript SDK says on Logging people out
You can log people out of your app by undoing whatever login status indicator you added, for example deleting the session that indicates a person is logged in. You should also remove the stored access token.
On the other hand the Login Flow for Web says about Logging people out
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
So in my understanding the Login Flow with JS SDK does what the policy says, it logs the user out of Facebook as well. How do I implement the Login Flow without JS JSDK correctly, such that i do not violate the Facebook Platform Policy? So far i don't see that the Graph API offers a similar functionality.
That should be easy, looking at the PHP SDK’s method getLogoutUrl, that creates an URL of the following scheme:
https://www.facebook.com/logout.php?next=FOO&access_token=USER_ACCESS_TOKEN
For FOO you just place the URL of your website where you want the user to be redirected to after they are successfully logged out of Facebook (don’t forget to properly URL-encode that value), and USER_ACCESS_TOKEN should be self-explanatory. (You need an active user access token to log the user out of Facebook – obviously, because otherwise every site on the web could just redirect me to this address and log me out of Facebook, without me actually wanting that to happen.)
We are integrating an application as a facebook app at work. I want to be able to detect whether the user has logged in to facebook, and if not, to prompt for authentication.
So far we have successfully used the facebook SDK and the login functionality it provided. However, this causes an authentication popup window to be created by our application, and it is being blocked by most of the browsers, so our priority task is to re-implement the authentication logic not to use popups.
According to the this tutorial from the facebook documentation it could be done either by using event subscription for user status change requests (which did not work when the user is logged out) or by obtaining access token. The problem is that the token is returned as request parameter to the top window (the url I specify as a return url after the user authenticates). Since some cross-domain and browser restrictions exist, I am unable to use client scripting to obtain the value, and I am stuck.
Related questions here have been asked and the common issue is that most apps are being ran on localhost. However, the case with our app is that we have deployed our app to local webserver, that is exposed by a public domain, but still has the cross-domain restriction issues. It is being referenced by its public domain name within the facebook app configuration. I am completely confident in that the domains are fully accessible from outside.
In general, our case is that we would like to host the app while it is being used by facebook users. Perhaps this approach might be incompatible with our requirement? Is it possible to configure cross-domain communication to avoid the issue? Are any other ways to do avoid facebook login popups?
First of all, default settings for popup blockers in modern browsers are so that they only block popups that are called without user interaction. If you call FB.login automatically on page load, it is likely to get blocked. But if you offer a link/button to the user saying “log in here” and only call FB.login on click on that link/button, then the popup is rather likely to be shown and not blocked.
If you are not willing to do it that way – then your other option is to use the server-side auth flow. You can just redirect the user to the auth dialog, which will happen in the same window, and he will be directed back to your app afterwards.
there is an facebook application, you can see it there:
http://www.facebook.com/tdmtravelclub?v=app_197602066931325&app_data=wlbb%3D1
You have to like it and than you can play a game (you don't have to i just explain the functionality of it).
This application isn't forcing you to login (i think the authorization is automated), but they can query the user data (they see if you liked the site).
I lookd for a similar authenthication method for fb apps but i didn't found one.
The only thing you know about a user (who has not authorised your application) within a tab application is if he is a fan or not. Facebook sends this information via the signed request.
PHP SDK Demystified – What is Signed Request?
Authentication within a Page Tab
SO Question including signed request
I'm getting into the grimy guts of a problem that has turned out to be rather cumbersome so I turn to you, the experts, for help.
what I've done so far: I am building an iphone app with phonegap. I am using the provided fbconnect (in phonegap github) code which gives some rather convenient javascript based example code to build things like a comment and check in request. I have comments and checkins fully working how I want, and I have an auth_token that I am successfully toting around.
enter the like button: I understand that you cannot make like requests via xmlhttprequest in the same way that you can with comments for example, so I am stuck using an iframe (unless there is a better alternative).
what I need help with: right now, since the iframe is triggering its own login, I have the situation where the user might log in to like, and then have to log in again to comment which is not a viable. Is there a way to pass a valid auth token to the iframe so the user wont be prompted to log in again or some other sneaky way to authorize through the childbrowser solution that I have currently implemented and then share the auth token to the rest of the app?
notes: I havent passed an app ID to my auth implementation but I noticed that the iframe does pass an app ID. would including an app ID in my auth request somehow link the logins so facebook could recognize that the user is already logged in through the app?
I can't think of any specific code to include since this is more of a general question but if there is anything you'd like to have a look at please let me know.
The short answer is no, mainly for security and spam prevention. The only way to have the user like your page is rendering the iframe code in a webview. This requires a traditional email/password login with Facebook. Using the graph api is the only way to use things like commenting and checkins, and this requires a user to login via a separate mechanism and then subsequently approve your app. There is no back door logging in mechanism.