How can I get facebook to prompt for authorization for my app every time? - facebook

I'm writing an app that will allow a user to log in to multiple facebook accounts. Basically I'm just going to store the authorization token for each account and use them as needed, so the authorization is just to get that token, not to actually log the user into facebook. As such, I want the user to have to enter their credentials every time, even if they're currently logged in to facebook. I authenticate the accounts like this:
https://graph.facebook.com/oauth/authorize?
client_id=...&
redirect_uri=http://www.example.com/oauth_redirect
How can I tell facebook to authenticate every time? I'd also like to remove the "remember me" option, so that they aren't logging into the browser with the account that they enter here.

There is a parameter that you can pass to force authentication: auth_type=reauthenticate. For example: http://graph.facebook.com/oauth/authorize?client_id=184484190795&redirect_uri=https%3A%2F%2Fwww.fbrell.com%2Fecho&auth_type=reauthenticate.
Edit: There is documentation for this here: https://developers.facebook.com/docs/reauthentication/.

You can logout the user using FB.logout:
https://developers.facebook.com/docs/reference/javascript/FB.logout/
Caveat: it is against Facebook policy for users to have more than one profile.

Related

Hybridauth: How can I allow user to choose Facebook account after they log out?

I'm using HybridAuth with Laravel. How can I allow the user to choose a (different) Facebook account after logging out of my UI?
Currently, when the user logs out then in, it auto logs them into my site because they have received a token previously. They are not given an option to log into a Facebook account. Therefore, the user can only use one Facebook account with my site, ever. I tried deleting session data as well as $hybridAuth->logoutAllProviders(); and it still happens.
I could set the Force Web OAuth Reauthentication setting in Facebook for my app, but I don't want the user to log into Facebook every time they visit my site. I would like them to be able to switch Facebook accounts they want to use with my site.
I get expected behavior when logging as a Google user. Thanks for any advice!

xamarin Auth for facebook authentication scenarios

I am developing an application using xamarin.Here I am using xamarin auth component for facebook authentication.I am able to login and get users info and able to save them in local DB.Xamarin auth component has provided option for storing account object so that when user relaunch app ,we can use that account object to login.
Here comes my question: If user changes password on facebook account from site then what should be done when app is relaunching,as stored account is local we can't use that info to login again.
Thanks.
Any suggestions are appreciated.
Actually you are supposed to use the access_token for subsequent queries towards Facebook after the first successful authentication. With OAuth, you won't store password in your app. I would expect that when a user changes the password within Facebook, the old access_token might expire. In this case, you'll have to make the user manually re-login. This is the case anyhow when your access_token expires for any reason; keep in mind that all access_tokens expire after some time.
You can easily verify if the access_token is still valid by sending some basic request in the background. If you get an autherror response, just prompt the user to login again when it makes sense in the flow of your app.

how to get an access code when a facebook user is not involved

I am the owner of a facebook like page. I want to grab the news feed using php and output it on my website. I know that I can do this using a valid access token:
https://graph.facebook.com/my_app_id_here/feed?access_token=My_access_token_here
Problem access tokens expire so I know I need to authenticate periodically to get a new access token.
This is where the problem and confusion arises for me. When I read the authentication guide in the facebook dev docs all it talks about is first authenticating the user to get a authorization code from the user and then authenticating the app using the app secret, app id and auth code fromthe user. But this doesn't apply to my situation - I never have a authorization code form the user - all I'm trying to do is access the feed from a php script running on my server....a user is never involved.
Any ideas anyone?
User has to approve your application only once, and later use they can just access your app and use it without approving
Since you are the owner of the like page, I guess you are also the administrator. What you can do in this case is create an offline access token for this (and only for that) user.
You can then use this access token for your script. No user needs to authenticate anything if you only want to grab the feed of your page with the access token of your administrator.
This token never expires except for changing the user's password or taking away permissions again. Look at this answer to see how to create such an offline access token!
It seems offline_access is no longer available. Now you only get a short-lived access_token and you can ask for a long lived one, which is also renewable. You can't get a permanent one though.

Facebook API OAuth security

I want to allow users connect to my website using their facebook account.
First, the user authorizes my application and then I get an access token. Problem is, that I'm supposed on the first time to register the user, and the next time to auto login him based on his facebook email.
How do I create a SECURE way to auto login the user?
I'm using pure javascript, but I can't find any way to create a secure mechanism.
Thanks.
Facebook should handle all that for you - when they come back to your website, they can click the 'login' button(javascript SDK) and facebook should pass you back an access token.
I may, however, have misunderstood the question.

How can I avoid asking users to login (connect) to my facebook app again and again?

I am developing and testing a facebook app for which I have granted the permissions with my facebook account. Then the app is authorized to access my info, etc. nicely. The next time I close the browser, reopen it, login to facebook successfully then access the app, facebook wants me to login to that app again. I can access the current user id, but how can I automatically authorize the app (if the user has already authorized in the past) without needing the user to press that dread 'Login' button again and again upon each session's end?
UPDATE - offline_access has been deprecated. Read this post for more details: https://developers.facebook.com/roadmap/offline-access-removal/
You will need to request a token that has offline_access so that you can use their authentication token over and over again. Then you will need to set a cookie yourself that stores something indicating who the user is. Facebook does not support a "remember me" feature in their authentication so you have to build it yourself. Store the access token in your database and set the cookie to identify the user.
Unless you are building this for a very specific reason like an app that runs on work computers only, I would really encourage you to not implement this feature. The facebook connect authorization is well understood by users and is very easy to use. You are going to get a lot more security if you make your users press the button every time. Just make sure you make this optional. You never know if somebody is on a public computer.