The instructions on using Single Sign-On (SSO) with the Facebook IOS SDK are to save the access token and expiration date in fbDidLogin and use them on subsequent calls to avoid unnecessary logins.
But what if the user logs out of Facebook outside the app (e.g. in the Facebook app or in Safari)? The app doesn't know about this, so it tries to use the saved token and expiration date, and to my surprise - they are still valid and the app can access the user's data even though the user has logged out.
Any way around this?
no, there is no way to do this. each FB login a user makes is specific to the client they logged in with. A FB login is not universal across all clients. The FB token you get from the SDK is a token for that user with your app. So if a user logs out of FB in their browser or another app, they have not logged of FB from your app so the token will remain valid until it expires or the app or user explicitly logs out from the context of your app.
Not sure why you are concerned about this. Generally you would want your users to remain logged in. If you have a reason you don't want this don't request "offline_access" permission when you authorize a FB user and you can also logout and de-authorize the user via the FB API based on whatever criteria you deem appropriate.
Related
I need to setup communication between my iOS/Android app and my PHP backend. I want to use facebook account only for logging in, there is no further communication with facebook. I have User accounts in my system and facebook_id is only a parameter to identify user.
Is it ok to verify the user by checking the token on the graph api from my backend just at the beginning and then only use my own tokens for communication or do I need to recheck if the user is still logged in on facebook from time to time (which is actually irrelewant for me as there are no fb interactions).
What else is there to consider?
Do I need a separate token for my server? Or do I use my App Secret
You should be able to use your application token.
The only scenario it might not work in is if the user deletes your app and decides to login again. From what I've read the app scoped IDs may change in this scenario.
I use the Twitter Anywhere API and OAuth to authenticate users on my website. The cookie with the accessToken expires after two hours, which is why the user needs to login and connect to Twitter regularly. The workaround would probably be to store the auth_token in a cookie and provide it the next time the user loads the page after the cookie set by twitter expired.
Now something that is not clear to me: I'm also providing Facebook as an authentification method and somehow it doesn't forget the login. The Facebook JS API doesn't store any cookies on my page, so how does it know that the user is authenticated with Facebook and my application?
are you talking about this? see the channel file portion.
EDIT: Above link has been changed. And, facebook api has changed too.
The Facebook JS API doesn't store any cookies on my page, so how does it know that the user is authenticated with Facebook and my application?
It makes a cross-domain request to facebook.com, to see if there are cookies under that domain that indicate there is a user currently logged into Facebook in some other browser window/tab.
Once it has figured out that a) there is a logged in user and b) this user has used your app before – it logs him in to your app on the fly and gives you a fresh (short-lived) user access token to work with.
So there's an app, let's say it's an app that is capable of delivering relevant news based on the user's choice done the first time he runs the app. Is there a way to post the news to the user's wall without having the user to be online and ideally as the app?
So on his/hers timeline it would look like this (edited image, not a real post from some app, it's just so you get what I mean):
When I use $facebook->api('/me', 'post'), it just creates a post as the user, which is not what I want and does not allow me to post when the user is not logged in.
You can use the server side authentication to get a long lived access token (60 days) which you can then use until the token times out. Then you'll need to have the user reengage with your app to get a new token.
You can get the same thing by using the client side authentication and then extending the token on the server side.
Another options which should work for you is to get an app access token (which does not expire) and ask the user for the publish_stream permission, then:
App access tokens can also be used to publish content to Facebook on
behalf of a user who has granted a publishing permission to your
application.
Using Facebook's iOS SDK, how does a developer figure out if a user has signed out of his/her account in either Safari/Facebook app? If a developer is saving the access token and expiration date in the app between app launches, is there any flag within the SDK to let the developer know that the phone user has actually signed out/changed accounts? I want a user of my app to have to sign in with the new account if they have changed accounts from a third party app.
The Facebook SDK has a 'isSessionValid' method that you can call, but that method's implementation only checks to see if there is an accesstoken and if the expiration date is past a certain point. It does not check to see if the user has signed off or changed accounts from a different app.
Any ideas?
The current design is that once a user has logged into an ios client app and the app has an auth token, the user is in until the auth token expires or the user uninstalls the FB app (or deletes the app from their device). Suppose you have a server involved where your ios client hands the auth token to the server (they're the same FB app). That server would never know that another FB app on that device had logged out. Your user will probably have to use the logout method in Facebook.m.
I am developing and testing a facebook app for which I have granted the permissions with my facebook account. Then the app is authorized to access my info, etc. nicely. The next time I close the browser, reopen it, login to facebook successfully then access the app, facebook wants me to login to that app again. I can access the current user id, but how can I automatically authorize the app (if the user has already authorized in the past) without needing the user to press that dread 'Login' button again and again upon each session's end?
UPDATE - offline_access has been deprecated. Read this post for more details: https://developers.facebook.com/roadmap/offline-access-removal/
You will need to request a token that has offline_access so that you can use their authentication token over and over again. Then you will need to set a cookie yourself that stores something indicating who the user is. Facebook does not support a "remember me" feature in their authentication so you have to build it yourself. Store the access token in your database and set the cookie to identify the user.
Unless you are building this for a very specific reason like an app that runs on work computers only, I would really encourage you to not implement this feature. The facebook connect authorization is well understood by users and is very easy to use. You are going to get a lot more security if you make your users press the button every time. Just make sure you make this optional. You never know if somebody is on a public computer.