In my iOS app I am logged into Facebook via iOS Settings.
If the user removes the app from Facebook or changes his password, the token is expired and invalid.
My app detects this and calls:
[FBSession.activeSession closeAndClearTokenInformation];
then asks the user to login again.
However, after the user is logs in, the authToken provided by the FBSession object is the SAME expired token.
This is a problem because I use the auth token server side to authenticate certain requests.
Right now it seems the only way to remedy this is to remove the FB account from the iOS settings and recreate the FB Account.
Am I wrong in my assumption that closeAndClearTokenInformation is supposed to reset everything? Is there another method I should use?
Related
I am using Google Sign-In iOS SDK to implement the sign-in with Google feature. However, I am confused with the disconnect function.
GIDSignIn.sharedInstance()?.disconnect()
According to the documentation, it disconnects the current user from the app and revokes previous authentication. If the operation succeeds, the OAuth 2.0 token is also removed from keychain.
However, when I disconnect the Google Account in my app, I can still use the old id_token to fetch the user's data with the following API:
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=xxxxxx
I can only see the id_token will be expired according to the exp field which is 3600s since the token is created.
What does the disconnect() actually mean? Why can the user's profile be fetched even the Google Account has been disconnected successfully?
What will happen to firebase login credentials after we transfer our app to a different developer account?
Will our app lose access to login credentials since they are stored in Keychain?
In our app, we use a "custom authentication system".
We don't require emails or passwords from our users while signing in.
Instead, we call a cloud function that creates a user and sends an auth token back to the clients.
In client app, we sign in our users with Auth.auth().signIn(withCustomToken: token)
How can we overcome this problem without losing users' login credentials in our app if we'll lose that credentials? What precautions can we take before the transfer?
Thanks.
Should I check user auth ( user name , password, device token) in webservice every time when my mobile application is launch?
I currently developing an ios application that will need user to login with their username and password ( for the first time of application launch).
After that user information will save in app local data and user no need to key in username and password again.
My idea is to check if the user is still active-user by calling the web service whenever the application is launch.
My question is , is that necessary to check whenever the app is launch .?
And is there any design pattern to control the user auth for ios app.?
Generally, you should not store username and password locally, but if you MUST, then store it in iOS keychain and not in local app db. (If you are not familiar with keychain follow this tutorial)
To be able to 'not' save username and password in the app, you need to implement an authentication mechanism (like OAuth 2 : check this tutorial) which handles authentication via web view and needs client to only use the authorized token.
To refresh the token, you need a 'refresh token' api which can check if the token is valid and if expired you can prompt user to enter credentials or use the ones store in keychain to refresh the token automatically.
Note : you can find many more such tutorials on https://www.raywenderlich.com and elsewhere if you just google it.
Note 2 : Although OAuth 2 is more centered around giving access to 'third party', it is a good enough model for normal authentication mechanism. Please spare all the hate in comments for suggesting OAuth 2 for normal authentication.
I'm using the Facebook iOS SDK. In my code I have authorized my app with the default permissions, so my session is valid until the expiration date is reached. However, after the expiration date is reached, I attempt to reauthorize in order to "refresh my OAuth token", as asked before.
However, when I attempt to reauthorize, it displays a dialog saying I have already authorized my app, even though I expect it to just update my OAuth token without a dialog. According to facebook, this is possible:
When you redirect the user to the auth dialog, the user is not
prompted for permissions if the user has already authorized your
application. Facebook will return you a valid access token without any
user facing dialog.
However, I do get a dialog and I'd like to know how I can refresh the access token without getting the dialog.
A recent commit in the Facebook iOS SDK project included an "extend access token" method for extending an expired token.
More information about this and the deprecation of "offline_access" is in Facebook Developer's blog post.
A possible work around is to request offline_access as a permission. Then the access token only expires when:
The user logs out of facebook
Changes their password
Revokes permissions for your app via the facebook website
If anyone has a better answer id like to know too. Requesting offline access for my app could look a bit suspicious (even though the only reason I need it is for non-expiring access token, I wont actually be accessing a users account when their not using my app).
I need to check validity of facebook auth token when my app becomes active.
Auth token might become invalid before the expiry timestamp due to the following reasons
user changes account password
user unauthorizes the app
does Facebook IOS SDK provides any method to handle this??
yes. when any API action goes to exception, you know for sure that you have wrong access token :)