I've implemented the Facebook account kit as an auth method for my web app the the workflow is pretty clunky. The email auth workflow ends up with the user opening a new tab, clicking login and ending up on the same, blank page.
There doesn't seem to be any way to close the tab after auth, or redirect to the app. I was wondering if anyone knew of a way to make this more seamless. Any way to redirect the user, or close the page, or add text that told the user what is going on?
There is now a redirect URL that can be used in Account Kit web email flow. This URL needs to also be added to the Account Kit app settings on developer.facebook.com. API Reference: https://developers.facebook.com/docs/accountkit/webjs/reference
Related
I want to open, from an iOS app, a web page that requires authentication in order to get to that page.
I googled a little bit and I believe I need to use WebKit and Javascript injection, but I am not sure and I have never done something like this, so every bit of information is welcomed or pointing me in the right direction.
I will give an example that I hope will make things more clear(I don't actually want to open facebook, it's just part of the example):
Is it possible to do the following scenario? And if yes, how?
Open a web page from an iOS app, for example: "https://www.facebook.com/profile" without having to go through the login page? I do have the user credentials(username and password), as the user is already logged in with those credentials in the iOS app, but the requirement is to not go through the login page, but to go straight to the profile page.
In general the answer is: no. Even if the user is already logged in and has a valid authentication token that token may only be valid from within your app and not from within the browser. And the login form may be protected by something like a captche preventing you from automatically logging someone in.
There certainly are situation where it is possible: For example if the tokens are not scoped to your app you can try passing them along. Or there is an actual API that you can call with the token that logs the user into the website on the website, etc. But those depend on the specific target website or wether you can control that target website and can add this functionality.
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
I am using omniauth-facebook and omniauth-twitter gems to enable log in via Facebook, Twitter.
Everything works fine, I am able to authenticate user using OAuth. The BIG problem here is that when user is signed out from my application, it doesn't log out
from the social site that they authenticated from, which is dangerous.
I would like to add a functionality that will destroy the session in both places i.e, my application and the corresponding social site.
How do I do that?
Is it possible using the omniauth gems that I am currently using? Or is there an alternative gem/API available to achieve this?
It seems to me that the problem is we don't know the user's intent. If the user logs out from your app and they don't have other tabs open with Facebook and then they walk away from the computer thinking they're all done but leave the browser open, then yes, that would be bad. On the other hand, if they have another tab which is on Facebook, if they log out of your app and then switch to the other tab expecting to carry on using Facebook, they'll be annoyed. You could argue that annoying people is better than leaving them logged in to Facebook unwittingly - I'd generally agree!
I don't know of a nice/official way to do this if you're handling the login flow server-side. Some suggest building a normal Facebook url - see https://stackoverflow.com/a/8765863 - and I guess you could redirect to that and make it redirect back if that approach still works (it's an old answer), but it feels brittle as the user implies.
If you're using the javascript api, there's the FB.logout function:
https://developers.facebook.com/docs/reference/javascript/FB.logout/
and/or the auto-display of a logout button instead of the login button using the auto_logout_link parameter:
https://developers.facebook.com/docs/plugins/login-button/
One option which covers both user intent scenarios is to have your normal logout button which obviously kills your app's session and when they click it, redirect to a page which has a "Logout from Facebook?" button - perhaps using the javascript login button with the auto_logout_link parameter. Then they can logout from Facebook if they're done with the computer, or choose not to click it if they have Facebook open in another tab and want to continue using it.
As I'm sure you know, omniauth-facebook supports both server-side and client-side login flows.
I'm not sure if an equivalent is possible with omniauth-twitter - I don't have experience with it.
I have a test users page for my site which loads a simple grid of 4 buttons, which, when clicked, launch their associated Facebook test user login_url. I'm obtaining these via the PHP SDK and they work great...
Except when the cookies are cleared in Safari (mobile and desktop)... In this case, the test user login_url takes me to a Facebook login page where I'm prompted to login.
If I clear cookies and visit the plain old www.facebook.com homepage first and then navigate to my site, it works fine.
I understand that the 3rd party cookie setting would prevent me from loading this login_url successfully in an iFrame, but I don't understand why it doesn't work when I actually try to follow the link.
Is this a bug? Are Facebook test users a rather unpolished developer feature?
Disclaimer: I work for Facebook, but I am not on the Platform team, so my knowledge on this topic isn't that much more than a regular developer.
The login_url mechanism is not a full blown secure login mechanism. I would venture to guess that it switches the identity of the currently logged in user from the regular user to the test user. However, if there is no currently logged in user, it can't switch the identity, and therefore needs to ask you to login.
However, test users do have a user ID and password (which were returned as a response to the create API) that you could use to go through the standard Facebook login procedure. Note though that as far as I know, currently there is no automated method of loggin a user using the user ID/password - they are intended for manual logging in scenarios.
There must be an easy answer to this one....
I am trying to integrate my latest IOS App to Facebook. I have not used Facebook before, so just set up a "company" page with basic information on my firm.
I'm following all the Facebook links i.e. https://developers.facebook.com/docs/mobile/ios/build/
But I cannot get beyond Step 1 (LOL). Whenever I click the link "Step 1: Registering your iOS App with Facebook," it keeps taking me to my company's Facebook Admin screen!? I cannot find a way to register my App off this screen. Where is the "Add new app" link??
I'm going in circles. Help appreciated.
It's not possible to register an App under a Business account, and you have to create (or lend) a personal account. And keep in mind: Facebook frowns upon incorrect information, so should be a legit person or your account will be suspended when (not if) they find out.
Secondly you have to authorize your Facebook account. For example: by entering mobile phone no. and entering code from a text FB will send you (more info: http://www.facebook.com/confirmphone.php) or entering CC information (more info: https://secure.facebook.com/cards.php)
When you (finally) have an authenticated account:
https://developers.facebook.com/apps Is the location you should be looking at.
Over at http://developers.facebook.com/docs/opengraph/tutorial/ Step 1 describes the creation of a Facebook App. (rather simple, by clicking on "Create New App")
Hope this helps! Good luck!
I believe the problem is that you are attempting to create a Facebook App with your "page user". IE you clicked "Use Facebook as..." and clicked on one of your pages.
You can not create an application in this way. Applications must be created by "real" users. You're going to want to follow that tutorial you posted to and use your user.
If you are hesitant to use your own account, ask your boss to use his or request from your clients login credentials to open the application on their account.
The reason behind this is so that Facebook can track "bad" applications back to real people, people who had to verify their account by submitting a mobile phone or credit card number.