I have an MVC 5 web app that has facebook authentication set up and working nicely. User clicks "Facebook" on the login page, signs in to Facebook and that authenticates with our web site. If the user logs out, the call to AuthenticationManager.SignOut() logs out of the web site correctly, but if the user then goes back to the login page and clicks "Facebook" again they are immediately signed in without having to sign in to facebook.
So my question is, how do I configure MVC 5 OWIN facebook login so that the user is signed out of facebook when they sign out of the web site, or to put it another way, prevent caching of the authentication for the next sign in. I don't want a users facebook login to be silently cached in case they are sharing a browser with other users.
The only way that I know to do this would be to tie an event to your log out button or link and use the Facebook Javascript SDK to actually perform the Facebook logout for you.
LogOut
<script type="text/javascript">
$(function(){
$("#Logout").on("click", function(e){
if(confirm("This will also log you out of Facebook. Proceed?")){
FB.logout(function(response) {
// Person is now logged out
});
}else{
//do not allow the link to continue and sign our of your site.
//This is optional and allows you to provide options
e.PreventDefault();
}
});
});
</script>
You could actually use the confirm dialog to ask if they want to be signed out of Facebook as well. A confirm would mean yes, a not confirm would mean no, just sign me out of your site. Again, using the SDK and a little bit of control logic should provide the results you need.
You can't. To do so would require being able to access cookies set by facebook.com which is explicitly forbidden for security reasons: you can only access cookies on your own domain. The login with Facebook is separate from your application. The user isn't truly logging into your site. They're logging into Facebook and Facebook is simply verifying the user identity with your site. If you're truly concerned you can put a message on your sign out page reminding them to sign out of Facebook as well.
You could try recreating Facebook's log out code (doing a post to the same action they use with the same data they send). But, I'm almost positive they'll be employing some sort of CSRF protection on that, so it probably won't work.
Saw this thread and wanted to add to it, to help the masses.
In the guidance, "Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on" from Microsoft, it has the following section buried in it:
Logging off your App and Logging in With Another Account
If you log on to your app with Facebook, , and then log out and try to log in again with a different Facebook account (using the same browser), you will be immediately logged in to the previous Facebook account you used. In order to use another account, you need to navigate to Facebook and log out at Facebook. The same rule applies to any other 3rd party authentication provider. Alternatively, you can log in with another account by using a different browser.
So this behavior is by design.
To learn more about OWIN, hear is some good reading:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
http://brockallen.com/2014/01/09/a-primer-on-external-login-providers-social-logins-with-owinkatana-authentication-middleware/
Have more links to share, but drats, reputation is not high enough yet. :)
Its been two years and If OpenID Connect is used, then a solution exists as
// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
Request.GetOwinContext().Authentication.SignOut();
return Redirect("/");
//AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
//return RedirectToAction("Index", "Home");
}
Related
I'm using OWIN with ASP.Net Identity to enable users to log in to a site using their social media credentials.
As part of this we also request extra permissions for interacting with their account.
This is working fine for Twitter and Facebook for the most part, except when trying to log out from the site when using Facebook for the log in.
If you log out of the ASP.Net app you are still logged in to Facebook. That's not a problem in itself, but when you return to the ASP.Net app you're automatically logged in using the Facebook account you used before and you're given no chance to choose a different account.
As the user you can navigate to Facebook, log out, then return to the ASP.Net app and you'll get asked to log in again, but that's not a very nice process for the user to go through. Simply explaining that to a user will be messy and there's plenty for them to get wrong (logging out in a different browser, not reading the help text, etc).
An answer on this question suggests using the javascript SDK which isn't too awful to implement: Logging out from facebook when using MVC 5 OWIN
Some of the answers say "that's how it's supposed to work", but we expect our users to be using multiple accounts with this application so a reasonable log out process is required. Also Facebook themselves say we should log people out of Facebook when logging out of our application: https://developers.facebook.com/docs/facebook-login/web#logout
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
But that bring me to the current issue I'm encountering.
I have the following Typescript/Javascript code which performs the log out:
FB.getLoginStatus((getLoginStatusResponse) => {
if (getLoginStatusResponse.status === 'connected') {
FB.logout((logoutResponse) => {
$("form[id='logoutForm']").submit();
});
} else {
$("form[id='logoutForm']").submit();
}
});
getLoginStatus returns fine saying that the user is logged in (status === 'connected') === true.
But then, when I make the logout call I can see the API returns a 302 Not Found, and the redirect points to the facebook home page.
The Facebook Javascript SDK handles this by swallowing the error and not calling the logout callback.
Why am I getting a 302 for an official API call made when I have confirmed the user is logged in?
And is there another way to achieve the log out? A server-side solution would be perfect! Although I don't want to use anything that's undocumented/unsanctioned.
I have a RoR app using omniauth. I want to allow the user to log out so that they can sign in with a different Facebook user, but no matter what I do, once a user logs into FB, it keeps them logged in.
I have tried:
https://www.facebook.com/logout.php?next=&access_token=
To no avail. I also tried the reauth option for omniauth-facebook but that resulted in the user being brought to FB rather than to my specified redirect URL.
Its easy, add this to your javascript initialization code: (after FB.init)
FB.logout(function(response) {
FB.Auth.setAuthResponse(null, 'unknown');
setTimeout('document.location.reload()',0);
});
And the button of sign out:
Logout
Using the approach https://www.facebook.com/logout.php?next=&access_token= will make your user leave your page, as facebook won't redirect to your website again.
I hope this will solve your problem.
I'm using DotNetOpenAuth. I configured my application with Custom form authentication with Gmail OpenID through (DotNetOpenAuth). I can successfully login to my app. But say for eg. i logged out from application and click login (with in 10 to 15 Sec) its not redirecting to gmail login. It generated authentication token by itself without asked from user.(I hope something is cached OpenID)
I used PAPE
request.AddExtension(new PolicyRequest()
{
MaximumAuthenticationAge = TimeSpan.Zero
});
And also tried to configure in web.config.
<openid cacheDiscovery="false">
Is there any workaround for the same.
NOTE : Once i logged out i used to clear ALL Session and call FormAuthentication.SignOut()
With OpenID, you as the relying party cannot force the login policy for the user at their Provider. You can request that the provider relogin the user as you have with the PAPE extension, but the Provider may still ignore that.
The cacheDiscovery setting is irrelevant to pass-through login, so I suggest you remove that entry as it will simply slow down all logins.
I think you're mistaken when you say it's not redirecting to Google. If you look at the logs, or what your browser's URL bar, Google.com should be redirected to, but at that point Google decides the user has a login session and avoids prompting them to login again, and redirects the user immediately back to your site.
I would like to know the best way of implementing automatic login to my web site. What I mean by automatic is this:
I've already signed into Google. I now go to my web site and its login page. Instead of clicking on the link to login with Google I would like the web app to detect that I'm already logged into Google and bypass the whole login page.
1) Would I use the DotNetOpenAuth.OpenId.RelyingParty.OpenIdAjaxRelyingParty.HttpApplicationStore to get associations?
2) Or do I need to look at cookies.
To your "1) Associations" guess, no. Associations that the RP may already have with Google are irrelevant to who the user is at the browser or whether they're logged into Google. Your "2) cookies" won't work either because browser isolate Google's cookies from those of your RP so you have no insight into that.
Hbas was right. I think Auto Login user to website when user is logged in to FB or google - DotNetOpenAuth has the answer to your question.
Distant memory suggests that Google had a way to disclosing to an RP that the user was logged into a Google account (with no way to identify which user or auto-login that user) with the idea being that the RP could then promote the "login with Google" button since you know the user has a Google account. However that wasn't well advertised (privacy concerns probably) and I can't find any info on it at the moment.
User login my application with oauth, after logout my application but twitter can't do, problem is user twitter account is active.
when that logout my application at the same time logout twitter
twitter api not support this action?
No, the twitter API will not log your users out of twitter.
account/end_session only ends the current API Session. I'm working on an site that requires users to be able to log out and then log back in again with another twitter account. To do that, you have to store multiple access tokens per user and establish one as the current access token. More info in the link below.
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/02e44b27d7ba3661?pli=1
As far as signing out of twitter, it's up to the user to sign into twitter and sign out themselves, which is not ideal if working on a shared computer.
Twitter just closing the session at api ,not close the session on Twitter :)
You'll have to call account/end_session to end the session of the authenticated user on twitter.
Old thread agreed, I just integrated Twitter login in my android app using Fabric. I found the following method
com.twitter.sdk.android.Twitter.logOut
I guess they have implemented it now! I couldn't find any documentation, honestly I've not put too much time into it. But I think logout means what I think it means :)
Twitter does not have api for logout. You can use the session closing api to end the user session.
You can use oauth/authenticate or oauth/authorize and add "force_login=true" parameter. This will prompt the user with a login form.
view this thread