I'm using https://graph.facebook.com/oauth/authorize?client_id and when the user logs in and accepts the app it goes on to the next page and then finally logs him out using his access token.
My problem is when the user signs in and denies the app. How do you log him out if the access token was never returned?
I've tried the javascript but no luck with that.
Thanks.
You can't force user to logout when they didn't allow you to do so.
Facebook will redirect any user denying the app back to your login url with an error specified:
If the user presses Don't Allow, your app is not authorized. The OAuth
Dialog will redirect (via HTTP 302) the user's browser to the URL you
passed in the redirect_uri parameter with the following error
information:
http://YOUR_URL?error_reason=user_denied&
error=access_denied&error_description=The+user+denied+your+request.
http://developers.facebook.com/docs/authentication
Related
I am confused as to what does the facebook logoutUrl does in the facebook integration?
Does it destroy the current session?
Would session_destroy do the same thing?
Thanks!
When we are integrating facebook, on success of the login of a user, we need to create login session by using the user details provided from facebook and the logout is actually our application logout, not the facebook logout.
According to Facebook Doc:
This method returns a URL that, when clicked by the user, will log
them out of their Facebook session and then redirect them back to your
application.
It will also invalidate the user access token so that you will no longer be able to call any graph APIs against that user.
when we loggin, we get access token , after we logout , access token also get destroyed.
so we have to logout to maintain session management in our application.
I have created a facebook connect login script in addition to the custom login script my site uses, which records FB user id and stores in my DB. It uses facebbok.php scripts provided by facebook and JS based popup login dialog (oauth).
I just authenticate user from FB account and do my own cookie based login on the basis of matched fb user id.
Now the problem is I can get logout url from php using getLogoutUrl() but how to logout silently without changing url in address bar using my logout.php? I tried destroySession() but it didnt logout fb user.
If user dont logout using getLogoutUrl() then next time when some other loggedin FB user tries to use fbconnect login the FB dialog box gives error "An error occurred. Please try later". Then I have go back to IE and logout that FB user from there and it works.
You can't "silently" logout a user using Facebook API. What you can do is test if the user is logged using getLoginStatus
With the new Authenticated Referrals in the new FB auth system, the user logs in before even hitting my app.
My question is, is there any way to detect when a user has just come from one of these authenticated referrel dialogs? For example, by specifying the redirect_uri on them and appending some GET params.
If you go to https://developers.facebook.com/apps/YOUR_APP_ID/summary you can set the domain and the website of your application.
Facebook, for security reason will only redirect to the website you set here passing you some parameters in the HTTP GET url (for example the access token just generated for that user), to decide which of these parameter you want to receive you have to go to settings -> auth dialog then at the bottom of the page Authenticated Referrals -> Auth Token Parameter.
EDIT:
If you want to be sure that an user just used the auth dialog you can use a simple workaround: read the access token from the url, then check if this is the 1st time you see this token, if so you can test the validity of the token by performing a simple operation that the particular user accepted you (or better your facebook app) can do with his profile.. The easiest way is probably to send a request to:
https://graph.facebook.com/me?access_token=...
If token is valid then it IS reliable.
I've been working on this problem myself. It would have been a lot better if Facebook just passed auth_ref=true or something. Anyway, I came up with a system that seems to work for me using cookies.
I already have a page that I use as the redirect url for the fb auth dilaog. This page initializes the user and sets a cookie. If that cookie is not present and the signed request has a token, then I redirect to this page. I can't tell if the user either came from an authenticated referral or some other path like a bookmark, but it doesn't matter for my purposes.
You can see the details at:
http://developsocialapps.com/authenticated-referrals-facebook-apps/
Basically something like this:
// on somepage.php
if (signed request has token && url is not redirect page && user doesn't have cookie) {
redirect to redirect.php;
}
// on redirect.php
set cookie;
redirect back to somepage.php
As I understand it, this is the basic process for new Facebook iframe canvas apps using the OAuth2 API in a nutshell:
Redirect to (or have user click link to) app's authorization URL
User authorizes and is redirected to your callback URL
Callback uses "code" parameter to get a access token
Access token is used with Graph API to pull or push information
The problem is that access tokens expire relatively quickly and need to be "refreshed", so my questions are 1) how do you detect that the token has expired aside from trying to use it and simply getting an error? and 2) what is the best practice for obtaining a new token?
Currently, I just detect that there was an error trying to get the user's information with their access token, then redirect to the authorization URL again -- since they already authorized the app a blank page flashes by and they are redirected back to my app callback where I get a fresh token. It's so clunky I can't believe this is the proper method.
The only way to tell if a cookie is valid is to use it and catch the error if it is expired. There is no polling method or anything to check if a token is valid.
To get a new token, simply redirect the user to the authentication page again. Because they have already authorized your app they will instantly be redirected back to your app and you will have a new token. They won't be prompted to allow since they have already done that.
In short, there are no tricks to this. You are already doing it correctly.
Recently, facebook has made some changes to access tokens which allows them to be refreshed periodically.
https://graph.facebook.com/oauth/access_token?
client_id=APP_ID&
client_secret=APP_SECRET&
grant_type=fb_exchange_token&
fb_exchange_token=EXISTING_ACCESS_TOKEN
For more details, check here: https://developers.facebook.com/docs/roadmap/completed-changes/offline-access-removal
//you just need more step because the access token you are getting will expire in 1 hour
//you can overcome this in step 5
1-Redirect to (or have user click link to) app's authorization URL
2-User authorizes and is redirected to your callback URL
3-Callback uses "code" parameter to get a access token
4-Access token is used with Graph API to pull or push information
5-exchange short-lived access token you just got with 60 day access token
https://graph.facebook.com/oauth/access_token?client_id=APP_ID&client_secret=APP_SECRET&grant_type=fb_exchange_token&fb_exchange_token=EXISTING_ACCESS_TOKEN
6-after 60 day the user must login again to your app and the steps from 1-5 will be repeated.
--the real problem you will face is how to make the user visit your app page again
Facebook has removed the feature of refresh the access token on the "behalf of" mode. The best and easy way is to redirect the user to facebook login page to re-oauth the app.
Find facbook doc here
if user has already authorized your application and access token expired. you can redirect user to authentication page again. but oauth dialog doestn't show because user already authorized your application. he will redirect to redirect_url parameter you used.
I'm writing a Windows Phone App and am using the OAuth interface.
When I navigate to the auth url the first time it shows the login UI. Subsequent times I'm redirected directly to my facebook app page with showing the login UI. Presumably because the login is cached in a cookie or something. All good so far.
The problem comes in when I need to switch users. Is there a way to force the facebook oauth url to clear previous creds and show the login screen?
Thanks!
Log the user out of Facebook using the url below:
https://www.facebook.com/logout.php?access_token=ACCESS_TOKEN&confirm=1&next=REDIRECT
Now, in order to log a user out of Facebook you need to use this url:
"https://www.facebook.com/logout.php?next="+your_site_url_registered _on_fb+"&access_token="+accessToken