I am using omniauth-facebook and omniauth-twitter gems to enable log in via Facebook, Twitter.
Everything works fine, I am able to authenticate user using OAuth. The BIG problem here is that when user is signed out from my application, it doesn't log out
from the social site that they authenticated from, which is dangerous.
I would like to add a functionality that will destroy the session in both places i.e, my application and the corresponding social site.
How do I do that?
Is it possible using the omniauth gems that I am currently using? Or is there an alternative gem/API available to achieve this?
It seems to me that the problem is we don't know the user's intent. If the user logs out from your app and they don't have other tabs open with Facebook and then they walk away from the computer thinking they're all done but leave the browser open, then yes, that would be bad. On the other hand, if they have another tab which is on Facebook, if they log out of your app and then switch to the other tab expecting to carry on using Facebook, they'll be annoyed. You could argue that annoying people is better than leaving them logged in to Facebook unwittingly - I'd generally agree!
I don't know of a nice/official way to do this if you're handling the login flow server-side. Some suggest building a normal Facebook url - see https://stackoverflow.com/a/8765863 - and I guess you could redirect to that and make it redirect back if that approach still works (it's an old answer), but it feels brittle as the user implies.
If you're using the javascript api, there's the FB.logout function:
https://developers.facebook.com/docs/reference/javascript/FB.logout/
and/or the auto-display of a logout button instead of the login button using the auto_logout_link parameter:
https://developers.facebook.com/docs/plugins/login-button/
One option which covers both user intent scenarios is to have your normal logout button which obviously kills your app's session and when they click it, redirect to a page which has a "Logout from Facebook?" button - perhaps using the javascript login button with the auto_logout_link parameter. Then they can logout from Facebook if they're done with the computer, or choose not to click it if they have Facebook open in another tab and want to continue using it.
As I'm sure you know, omniauth-facebook supports both server-side and client-side login flows.
I'm not sure if an equivalent is possible with omniauth-twitter - I don't have experience with it.
Related
My current scenario is:
Running an iPhone on the latest iOS
LinkedIn App is installed and logged in
Web browser is NOT logged into LinkedIn (because I have the app)
Developing a web app with "log in with LinkedIn" functionality
On the iPhone, clicking the "log in with LinkedIn" button redirects me straight the the LinkedIn App, which subsequently does nothing - just shows me my feed. I have verified this same behaviour occurs on a third-party site as well as my own. Note that Android exhibits similar behaviour, though I haven't tested as extensively there.
I've found several workarounds:
If I open the web site in Private Browsing mode clicking the login button asks me if I want to open the App or stay in the browser.
If I long-press and "Open in background tab" the login button it'll open (in the background, of course) instead of redirecting to the app, allowing me to log in.
If I manually type "linkedin.com" into the browser and log in then it seems to work too.
None of these are even vaguely practical for end users, essentially forcing us to remove the option entirely.
I'm fairly sure this is a problem at LinkedIn's end and the solution is either:
Don't redirect to the App for OAuth Authorize requests, or
Make the App correctly handle OAuth Authorize requests.
If I'm incorrect and there's some way we can stop this redirect from the client side I'd be happy to hear, otherwise I hope LinkedIn engineers actually see this...
See the comments in Issues with Linkedin Social connection
LinkedIn already confirmed that it is a problem on their side.
I want to open, from an iOS app, a web page that requires authentication in order to get to that page.
I googled a little bit and I believe I need to use WebKit and Javascript injection, but I am not sure and I have never done something like this, so every bit of information is welcomed or pointing me in the right direction.
I will give an example that I hope will make things more clear(I don't actually want to open facebook, it's just part of the example):
Is it possible to do the following scenario? And if yes, how?
Open a web page from an iOS app, for example: "https://www.facebook.com/profile" without having to go through the login page? I do have the user credentials(username and password), as the user is already logged in with those credentials in the iOS app, but the requirement is to not go through the login page, but to go straight to the profile page.
In general the answer is: no. Even if the user is already logged in and has a valid authentication token that token may only be valid from within your app and not from within the browser. And the login form may be protected by something like a captche preventing you from automatically logging someone in.
There certainly are situation where it is possible: For example if the tokens are not scoped to your app you can try passing them along. Or there is an actual API that you can call with the token that logs the user into the website on the website, etc. But those depend on the specific target website or wether you can control that target website and can add this functionality.
I've successfully added a Sign in with Facebook feature to my Rails 5 app with Devise and Omniauth.
Instead of my static button, I'd like to implement Facebook's embed "Continue as {name}" login button. In their documentation they'll produce the following code for you to implement:
<div class="fb-login-button" data-size="large" data-button-type="continue_with" data-auto-logout-link="false" data-use-continue-as="true"></div>
Just implementing it like that obviously doesn't work. I'd really like to be able to handle it in a way where I can specify it to direct to my user_facebook_omniauth_authorize_path. How do I do that?
I've implemented Facebook SDK on the website.
Thank you in advance. Your help is much appreciated! :-)
Omniauth uses the server-side login flow, whereas this button is part of the client-side login flow.
Only by being embedded on the client side can it determine whether there is a logged-in Facebook user in the first place - on the server side, that info isn’t available.
The server- and the client-side auth flow have quite significant differences, so I doubt you would be able to implement this, without rewriting how login is handled almost completely.
i am working with the HelloFacebookSample from face book's sdk.
i have a few issues, but am trying to get through them.
The one i have right now is that after I login, then logout, then login again, i am automatically logged in without being asked for credentials. Is there any way to change this behavior?
And secondly (for now), is there any way i can bring up the FB login dialog within my app instead of it going to Safari? i don't want my users to have access to safari at all, so i need to keep control.
The original FB sdk (about 2 years old) handled the login directly from within the app, so I am thinking i am just missing something here?
Thanks,
Jerry
If you want full control over the login process then you can't use the SDK, you need to add and manage a web view yourself. Facebook tries to bother the user to reconfirm as little as possible, so it will provide a login with the least path of resistance (and user taps / interaction).
Depending on how the user is logged into Facebook you won't be able to force them to re-enter login details unless you implement the web view approach. If you're using the SDK then you would need to call closeAndClearTokenInformation on the active session and also delete any Facebook related cookies from the app (and that's probably as close as you can get).
I have a test users page for my site which loads a simple grid of 4 buttons, which, when clicked, launch their associated Facebook test user login_url. I'm obtaining these via the PHP SDK and they work great...
Except when the cookies are cleared in Safari (mobile and desktop)... In this case, the test user login_url takes me to a Facebook login page where I'm prompted to login.
If I clear cookies and visit the plain old www.facebook.com homepage first and then navigate to my site, it works fine.
I understand that the 3rd party cookie setting would prevent me from loading this login_url successfully in an iFrame, but I don't understand why it doesn't work when I actually try to follow the link.
Is this a bug? Are Facebook test users a rather unpolished developer feature?
Disclaimer: I work for Facebook, but I am not on the Platform team, so my knowledge on this topic isn't that much more than a regular developer.
The login_url mechanism is not a full blown secure login mechanism. I would venture to guess that it switches the identity of the currently logged in user from the regular user to the test user. However, if there is no currently logged in user, it can't switch the identity, and therefore needs to ask you to login.
However, test users do have a user ID and password (which were returned as a response to the create API) that you could use to go through the standard Facebook login procedure. Note though that as far as I know, currently there is no automated method of loggin a user using the user ID/password - they are intended for manual logging in scenarios.