spring social twitter isConnected issue (RevokedAuthorizationException) - grails

I'm using Grails and the Spring Social Twitter plugin. Everything works fine except in one case:
I check if the user is connected to Twitter via this piece of code:
connectionRepository.findPrimaryConnection(Twitter.class)
While this works fine if I authorize the app in Twitter, it still gives TRUE when I revoke the authorization. How can I make the function check if it's connected and if the user didn't revoke the authorization? (Right now it gives true, and I get a RevokedAuthorizationException just after when trying to use the API.)
UPDATE:
I tried to catch the RevokedAuthorizationException in order to redirect the user to Twitter. It works, BUT now I have a weird behavior: if a user revokes the authorization once, even if he then authorizes the app again, it keeps giving a RevokedAuthorizationException?!
Thank you.

I'm not sure because I haven't tried it yet, but I think you can use the test() method of the Connection API (http://static.springsource.org/spring-social/docs/1.0.x/reference/html/serviceprovider.html)
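As an added illustration of the test() approach (this is example code, not the poster's code and not part of the Spring Social Twitter plugin), the class below checks a stored Twitter connection before trusting it. It assumes the Spring Social 1.0.x API: Connection.test() in the Twitter adapter makes a lightweight API call with the stored token and returns false when that call fails; findPrimaryConnection() and removeConnection() are the ConnectionRepository methods. The class name TwitterConnectionCheck is hypothetical. The reason for removing the dead record, which also bears on the behaviour described in the UPDATE, is my understanding of the repository contract: a connection record that already exists for the same provider account cannot be added again (addConnection rejects it as a duplicate), so while the revoked record stays in the table, findPrimaryConnection() keeps handing back the same dead token no matter how many times the user re-authorizes.

```java
// Added example, not from the original page or the Spring Social project.
// Assumes Spring Social 1.0.x (org.springframework.social.*).
import org.springframework.social.ApiException;
import org.springframework.social.RevokedAuthorizationException;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.ConnectionRepository;
import org.springframework.social.twitter.api.Twitter;

public class TwitterConnectionCheck { // hypothetical class name

    private final ConnectionRepository connectionRepository;

    public TwitterConnectionCheck(ConnectionRepository connectionRepository) {
        this.connectionRepository = connectionRepository;
    }

    /**
     * Returns a Twitter connection whose token still works, or null when the
     * user has no connection or the stored token has been revoked.
     * A revoked record is removed so that a fresh authorization can be stored.
     */
    public Connection<Twitter> usableTwitterConnection() {
        Connection<Twitter> connection = connectionRepository.findPrimaryConnection(Twitter.class);
        if (connection == null) {
            return null; // never connected, or the stale record was already removed
        }
        boolean alive;
        try {
            // test() calls the Twitter API with the stored token; the Twitter
            // adapter reports false instead of throwing when the call fails.
            alive = connection.test();
        } catch (ApiException e) {
            alive = false; // defensive: any API failure counts as a dead connection
        }
        if (!alive) {
            // Drop the dead record. Assumption (see lead-in): while it exists, the
            // same account cannot be re-added, so re-authorizing has no effect.
            connectionRepository.removeConnection(connection.getKey());
            return null; // caller redirects the user to the connect flow
        }
        return connection;
    }

    /**
     * Variant for call sites that cannot afford an extra test() round trip:
     * use the API directly and handle the revoked case where it surfaces.
     */
    public String currentScreenName() {
        Connection<Twitter> connection = connectionRepository.findPrimaryConnection(Twitter.class);
        if (connection == null) {
            return null;
        }
        try {
            return connection.getApi().userOperations().getScreenName();
        } catch (RevokedAuthorizationException e) {
            // Same cleanup as above, otherwise the next request hits the same token.
            connectionRepository.removeConnection(connection.getKey());
            return null; // caller redirects the user to the connect flow
        }
    }
}
```

In a Grails controller the same two methods can be written in Groovy unchanged; the point is that a null return is the signal to send the user back through the connect flow, and that the stale connection row is removed before doing so.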

Related

Using a URL to log a user out of a developer web app and redirect to another URL

I have an app that all works fine for authentication and it uses OAuth2 (Google).
Now, I am struggling with the logout URL for this app. It works, but I am under the impression that it is possible to log out of it and remain logged into my Gmail account. Is that right? Currently, ALL accounts are logged out, so the two Gmail accounts need to go through login each time the app is used and log out is pressed.
I have read that this is possible, but this is the URL that I am using to log out:
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://news.bbc.co.uk
I am sure it can be done because I did it in a former role but do not have the code!

Trouble logging in Instagram using "Login with Facebook" option

I implemented Instagram Login using the Basic Display API. Everything works fine if the user enters their Instagram credentials in the web view that comes up on loading the https://api.instagram.com/oauth/authorize request. After that I can pull the user's media from the Instagram account. It tells me that everything is implemented properly.
Now, if the user chooses the "Log in with Facebook" option in the WebView and goes through the Facebook login flow, everything still works fine when I run it on a simulator: after Facebook finishes its login flow with two-factor authentication I eventually get the redirect callback, parse the code from it, and all the rest works as normal.
But the same fails on a physical device. After I call https://api.instagram.com/oauth/access_token to get the token with the obtained code, the Instagram app launches momentarily and then opens Safari with this error:
{"message":"Logged-in use not supported","status":"fail"}
What gives? This is incredibly frustrating; one day was wasted and I'm not sure where to go from here. Any ideas?
UPDATE:
The reason it behaves differently on the device is that it has the Instagram app installed, and the app gets launched when Facebook calls the https://www.instagram.com/accounts/signup/... endpoint to return to the Instagram auth flow (I am watching the requests coming through the WKWebView). The Instagram app throws the error above, while on the simulator the endpoint seems to be serviced fine by the Instagram backend and the flow continues as it should.
So the question is how to get the Instagram app out of the loop.
UPDATE2:
Confirmed: once I deleted the Instagram app from the device it works as expected. Once I install it back, it gets launched again during the authentication flow by Facebook and the problem is back. This seems to be a bug in the Instagram app; I have no other explanation.
OK, so after lots of dead ends and obscure rabbit holes I was frantically going down, I have concluded that the real issue is the bug in the Instagram app. As noted in the update to my question, the flow started to work fine after I removed the Instagram app.
Still not ready to jump to conclusions, I tried a few other apps from the App Store that have a Connect to Instagram feature. All of them fail exactly the same way. Specifically, if you choose "Continue with Facebook" on the Instagram login WebView you eventually end up launching the Instagram app (if it's installed), which in turn throws an error in Safari, and you are stuck.
And you know what the funniest thing is? If you download the Instagram app itself and try to log in using the same Facebook flow, it will fail as well!
The lesson learned: before you suspect you made a mistake in your implementation, check out some other apps with the same feature implemented and maybe you'll discover that you are not alone in your struggle.
The documentation says you should send a POST request to this URL:
Step 2: Exchange the Code For a Token
Once you receive a code, exchange it for a short-lived access token by sending a POST request to the following endpoint:
POST https://api.instagram.com/oauth/access_token
I didn't get why you are trying to redirect users to this endpoint?

How do I log out from Facebook when using OAuth server-side?

I'm using OWIN with ASP.NET Identity to enable users to log in to a site using their social media credentials.
As part of this we also request extra permissions for interacting with their account.
This is working fine for Twitter and Facebook for the most part, except when trying to log out from the site when using Facebook for the log in.
If you log out of the ASP.NET app you are still logged in to Facebook. That's not a problem in itself, but when you return to the ASP.NET app you're automatically logged in using the Facebook account you used before and you're given no chance to choose a different account.
As the user you can navigate to Facebook, log out, then return to the ASP.NET app and you'll get asked to log in again, but that's not a very nice process for the user to go through. Simply explaining that to a user will be messy and there's plenty for them to get wrong (logging out in a different browser, not reading the help text, etc.).
An answer on this question suggests using the JavaScript SDK, which isn't too awful to implement: Logging out from facebook when using MVC 5 OWIN
Some of the answers say "that's how it's supposed to work", but we expect our users to be using multiple accounts with this application, so a reasonable log out process is required. Also, Facebook themselves say we should log people out of Facebook when logging out of our application: https://developers.facebook.com/docs/facebook-login/web#logout
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
But that brings me to the current issue I'm encountering.
I have the following TypeScript/JavaScript code which performs the log out:
FB.getLoginStatus((getLoginStatusResponse) => {
    if (getLoginStatusResponse.status === 'connected') {
        // The browser still holds a Facebook session: end it first,
        // then post the site's own logout form from the callback.
        FB.logout((logoutResponse) => {
            $("form[id='logoutForm']").submit();
        });
    } else {
        // No Facebook session to end: just log out of the site.
        $("form[id='logoutForm']").submit();
    }
});
getLoginStatus returns fine saying that the user is logged in (status === 'connected') === true.
But then, when I make the logout call I can see the API returns a 302 Not Found, and the redirect points to the facebook home page.
The Facebook Javascript SDK handles this by swallowing the error and not calling the logout callback.
Why am I getting a 302 for an official API call made when I have confirmed the user is logged in?
And is there another way to achieve the log out? A server-side solution would be perfect! Although I don't want to use anything that's undocumented/unsanctioned.

Using Twitter api logout on Twitter?

Users log in to my application with OAuth. After they log out of my application, Twitter does not log out; the problem is that the user's Twitter account stays active.
When they log out of my application, I want to log them out of Twitter at the same time.
Does the Twitter API not support this action?
No, the twitter API will not log your users out of twitter.
account/end_session only ends the current API session. I'm working on a site that requires users to be able to log out and then log back in again with another Twitter account. To do that, you have to store multiple access tokens per user and establish one as the current access token. More info in the link below.
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/02e44b27d7ba3661?pli=1
As far as signing out of twitter, it's up to the user to sign into twitter and sign out themselves, which is not ideal if working on a shared computer.
Twitter just closes the session at the API; it does not close the session on Twitter :)
You'll have to call account/end_session to end the session of the authenticated user on Twitter.
Old thread, agreed; I just integrated Twitter login in my Android app using Fabric. I found the following method:
com.twitter.sdk.android.Twitter.logOut
I guess they have implemented it now! I couldn't find any documentation; honestly, I've not put too much time into it. But I think logout means what I think it means :)
Twitter does not have an API for logout. You can use the session-closing API to end the user session.
You can use oauth/authenticate or oauth/authorize and add "force_login=true" parameter. This will prompt the user with a login form.
view this thread

Authlogic, logout, credential capture and security

OK, this is something weird. I got authlogic-oid installed in my Rails app today. Everything works perfectly fine but for one small nuisance.
This is what I did:
I first register with my Google OpenID. Successful login, redirection, and my email along with my correct OpenID are stored in my database. I am happy that everything worked fine!
Now when I log out, my Rails app as usual destroys the session and redirects me back to my root URL where I can log in again. Now if I try to log in, it still remembers my last login ID. Not a big issue, as I can always "Sign in as a different user", but I am wondering if there is any way to not only log out from my app but also log out from Google.
I noticed the same with Stack Overflow's OpenID authentication system.
Why am I so bothered about this, you may ask. But isn't it a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his Google account, only to realize later that his Google account got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from Google and, say, changed his password!!
Should I be paranoid? Isn't this a major security lapse while implementing the OpenID spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented OpenID in their apps and not implemented a workaround?
If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful log out reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F
AFAIK, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using OpenID could log me out of my Google account.
Yes, there is a scenario that a user can assume that they are logged out of google because they logged out on your site but that would (and should) be their own fault.
