I'm using OWIN with ASP.Net Identity to enable users to log in to a site using their social media credentials.
As part of this we also request extra permissions for interacting with their account.
This is working fine for Twitter and Facebook for the most part, except when trying to log out from the site when using Facebook for the log in.
If you log out of the ASP.Net app you are still logged in to Facebook. That's not a problem in itself, but when you return to the ASP.Net app you're automatically logged in using the Facebook account you used before and you're given no chance to choose a different account.
As the user you can navigate to Facebook, log out, then return to the ASP.Net app and you'll get asked to log in again, but that's not a very nice process for the user to go through. Simply explaining that to a user will be messy and there's plenty for them to get wrong (logging out in a different browser, not reading the help text, etc).
An answer on this question suggests using the javascript SDK which isn't too awful to implement: Logging out from facebook when using MVC 5 OWIN
Some of the answers say "that's how it's supposed to work", but we expect our users to be using multiple accounts with this application so a reasonable log out process is required. Also Facebook themselves say we should log people out of Facebook when logging out of our application: https://developers.facebook.com/docs/facebook-login/web#logout
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
But that bring me to the current issue I'm encountering.
I have the following Typescript/Javascript code which performs the log out:
FB.getLoginStatus((getLoginStatusResponse) => {
if (getLoginStatusResponse.status === 'connected') {
FB.logout((logoutResponse) => {
$("form[id='logoutForm']").submit();
});
} else {
$("form[id='logoutForm']").submit();
}
});
getLoginStatus returns fine saying that the user is logged in (status === 'connected') === true.
But then, when I make the logout call I can see the API returns a 302 Not Found, and the redirect points to the facebook home page.
The Facebook Javascript SDK handles this by swallowing the error and not calling the logout callback.
Why am I getting a 302 for an official API call made when I have confirmed the user is logged in?
And is there another way to achieve the log out? A server-side solution would be perfect! Although I don't want to use anything that's undocumented/unsanctioned.
Related
I did my best to find a similar problem, but I did not come across one. I speculate this error may have been introduced with Instagram recently changing its API. I'm wondering if anyone else came across the same issue.
I use instagram for authentication. The problem is that, when a user is logged in to Instagram on another tab, if he clicks the instagram sign-in button to log in to my app, he lands on the instagram authorization page and is asked to enter username and password. The problem is that instagram is supposed to auto-redirect to my app directly since the user is already logged in on the browser. But this doesn't happen. Moreover, even if the user enters wrong password or empty user name, instagram still redirects to my app with the logged in user. So the browser definitely knows that the user is logged in to instagram. I am quite sure that the problem is related to instagram, because when I change the provider settings to twitter, redirection occurs with no problem.
And this problem occurs for returning users as well.
For reference, I use rails 4 and my authentication strategy is omnioauth-instagram (no devise). I mainly followed this tutorial http://www.sitepoint.com/rails-authentication-oauth-2-0-omniauth/ for authentication. I am still in development mode so I use localhost.
EDIT: Here is the instagram notice:Instagram Platform and documentation update. Apps created on or after Nov 17, 2015 will start in Sandbox Mode and function on newly updated API rate-limits and behaviors. Prior to going Live, and being able to be used by people other than the developers of the app, these apps will have to go through a new review process. Please read the API documentation or the Change Log for more details.
I started creating my app before nov 17th.
I have an MVC 5 web app that has facebook authentication set up and working nicely. User clicks "Facebook" on the login page, signs in to Facebook and that authenticates with our web site. If the user logs out, the call to AuthenticationManager.SignOut() logs out of the web site correctly, but if the user then goes back to the login page and clicks "Facebook" again they are immediately signed in without having to sign in to facebook.
So my question is, how do I configure MVC 5 OWIN facebook login so that the user is signed out of facebook when they sign out of the web site, or to put it another way, prevent caching of the authentication for the next sign in. I don't want a users facebook login to be silently cached in case they are sharing a browser with other users.
The only way that I know to do this would be to tie an event to your log out button or link and use the Facebook Javascript SDK to actually perform the Facebook logout for you.
LogOut
<script type="text/javascript">
$(function(){
$("#Logout").on("click", function(e){
if(confirm("This will also log you out of Facebook. Proceed?")){
FB.logout(function(response) {
// Person is now logged out
});
}else{
//do not allow the link to continue and sign our of your site.
//This is optional and allows you to provide options
e.PreventDefault();
}
});
});
</script>
You could actually use the confirm dialog to ask if they want to be signed out of Facebook as well. A confirm would mean yes, a not confirm would mean no, just sign me out of your site. Again, using the SDK and a little bit of control logic should provide the results you need.
You can't. To do so would require being able to access cookies set by facebook.com which is explicitly forbidden for security reasons: you can only access cookies on your own domain. The login with Facebook is separate from your application. The user isn't truly logging into your site. They're logging into Facebook and Facebook is simply verifying the user identity with your site. If you're truly concerned you can put a message on your sign out page reminding them to sign out of Facebook as well.
You could try recreating Facebook's log out code (doing a post to the same action they use with the same data they send). But, I'm almost positive they'll be employing some sort of CSRF protection on that, so it probably won't work.
Saw this thread and wanted to add to it, to help the masses.
In the guidance, "Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on" from Microsoft, it has the following section buried in it:
Logging off your App and Logging in With Another Account
If you log on to your app with Facebook, , and then log out and try to log in again with a different Facebook account (using the same browser), you will be immediately logged in to the previous Facebook account you used. In order to use another account, you need to navigate to Facebook and log out at Facebook. The same rule applies to any other 3rd party authentication provider. Alternatively, you can log in with another account by using a different browser.
So this behavior is by design.
To learn more about OWIN, hear is some good reading:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
http://brockallen.com/2014/01/09/a-primer-on-external-login-providers-social-logins-with-owinkatana-authentication-middleware/
Have more links to share, but drats, reputation is not high enough yet. :)
Its been two years and If OpenID Connect is used, then a solution exists as
// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
Request.GetOwinContext().Authentication.SignOut();
return Redirect("/");
//AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
//return RedirectToAction("Index", "Home");
}
I have a test users page for my site which loads a simple grid of 4 buttons, which, when clicked, launch their associated Facebook test user login_url. I'm obtaining these via the PHP SDK and they work great...
Except when the cookies are cleared in Safari (mobile and desktop)... In this case, the test user login_url takes me to a Facebook login page where I'm prompted to login.
If I clear cookies and visit the plain old www.facebook.com homepage first and then navigate to my site, it works fine.
I understand that the 3rd party cookie setting would prevent me from loading this login_url successfully in an iFrame, but I don't understand why it doesn't work when I actually try to follow the link.
Is this a bug? Are Facebook test users a rather unpolished developer feature?
Disclaimer: I work for Facebook, but I am not on the Platform team, so my knowledge on this topic isn't that much more than a regular developer.
The login_url mechanism is not a full blown secure login mechanism. I would venture to guess that it switches the identity of the currently logged in user from the regular user to the test user. However, if there is no currently logged in user, it can't switch the identity, and therefore needs to ask you to login.
However, test users do have a user ID and password (which were returned as a response to the create API) that you could use to go through the standard Facebook login procedure. Note though that as far as I know, currently there is no automated method of loggin a user using the user ID/password - they are intended for manual logging in scenarios.
Sorry for double posting probably same question but I don't think I've explained the question much on the previous one. Here's an easier to understand question:
The site I'm working on uses Devise (https://github.com/plataformatec/devise/) and Omniauth (https://github.com/intridea/omniauth) to allow users to logon via Twitter. It works well when it's used in browsers.
This is how to reproduce the problem:
User is using Twitter's IOS app
User clicks on a link of our site that was embedded in a tweet
Twitter opens our site via UIWebView
Our site requires the user to login via Twitter
The app executes Safari and redirects to Twitter's login portal, prompting the user to login
When the users submits the form, it redirects him back to our site and throws an error: "Session Expired"
Any ideas why this is happening? Or anyone experiencing the same problem?
I don't think there has been any change to this, I posted this question here that has more interaction https://dev.twitter.com/discussions/9711.
I am using twitter #anywhere JS API in my application and don't know how to use their methods and properly execute them. At present, I am following this docs for the API.
I am working on a scenario where, I need to check from my app, if any twitter user is logged in on the same browser, get the current twitter user details and cross check with my app for the twitter user. If the user exists in my app, automatically login the user. (more importantly it should not ask the user to connect to the twitter app. Without asking the credentials I need to get the currentUser)
NOTE: Facebook already supports this type of method. We can get the facebook loggedin user session from getSession() method.
Is there anyone there to help me out on this one?