I'm using OWIN with ASP.Net Identity to enable users to log in to a site using their social media credentials.
As part of this we also request extra permissions for interacting with their account.
This is working fine for Twitter and Facebook for the most part, except when trying to log out from the site when using Facebook for the log in.
If you log out of the ASP.Net app you are still logged in to Facebook. That's not a problem in itself, but when you return to the ASP.Net app you're automatically logged in using the Facebook account you used before and you're given no chance to choose a different account.
As the user you can navigate to Facebook, log out, then return to the ASP.Net app and you'll get asked to log in again, but that's not a very nice process for the user to go through. Simply explaining that to a user will be messy and there's plenty for them to get wrong (logging out in a different browser, not reading the help text, etc).
An answer on this question suggests using the javascript SDK which isn't too awful to implement: Logging out from facebook when using MVC 5 OWIN
Some of the answers say "that's how it's supposed to work", but we expect our users to be using multiple accounts with this application so a reasonable log out process is required. Also Facebook themselves say we should log people out of Facebook when logging out of our application: https://developers.facebook.com/docs/facebook-login/web#logout
Note: This function call will also log the person out of Facebook. The reason for this is that someone may have logged into your app and into Facebook during the login flow. If this is the case, they might not expect to still be logged into Facebook when they log out of your app. To avoid confusing people and to protect personal security, we enforce this logout behavior.
But that bring me to the current issue I'm encountering.
I have the following Typescript/Javascript code which performs the log out:
FB.getLoginStatus((getLoginStatusResponse) => {
if (getLoginStatusResponse.status === 'connected') {
FB.logout((logoutResponse) => {
$("form[id='logoutForm']").submit();
});
} else {
$("form[id='logoutForm']").submit();
}
});
getLoginStatus returns fine saying that the user is logged in (status === 'connected') === true.
But then, when I make the logout call I can see the API returns a 302 Not Found, and the redirect points to the facebook home page.
The Facebook Javascript SDK handles this by swallowing the error and not calling the logout callback.
Why am I getting a 302 for an official API call made when I have confirmed the user is logged in?
And is there another way to achieve the log out? A server-side solution would be perfect! Although I don't want to use anything that's undocumented/unsanctioned.
I have an MVC 5 web app that has facebook authentication set up and working nicely. User clicks "Facebook" on the login page, signs in to Facebook and that authenticates with our web site. If the user logs out, the call to AuthenticationManager.SignOut() logs out of the web site correctly, but if the user then goes back to the login page and clicks "Facebook" again they are immediately signed in without having to sign in to facebook.
So my question is, how do I configure MVC 5 OWIN facebook login so that the user is signed out of facebook when they sign out of the web site, or to put it another way, prevent caching of the authentication for the next sign in. I don't want a users facebook login to be silently cached in case they are sharing a browser with other users.
The only way that I know to do this would be to tie an event to your log out button or link and use the Facebook Javascript SDK to actually perform the Facebook logout for you.
LogOut
<script type="text/javascript">
$(function(){
$("#Logout").on("click", function(e){
if(confirm("This will also log you out of Facebook. Proceed?")){
FB.logout(function(response) {
// Person is now logged out
});
}else{
//do not allow the link to continue and sign our of your site.
//This is optional and allows you to provide options
e.PreventDefault();
}
});
});
</script>
You could actually use the confirm dialog to ask if they want to be signed out of Facebook as well. A confirm would mean yes, a not confirm would mean no, just sign me out of your site. Again, using the SDK and a little bit of control logic should provide the results you need.
You can't. To do so would require being able to access cookies set by facebook.com which is explicitly forbidden for security reasons: you can only access cookies on your own domain. The login with Facebook is separate from your application. The user isn't truly logging into your site. They're logging into Facebook and Facebook is simply verifying the user identity with your site. If you're truly concerned you can put a message on your sign out page reminding them to sign out of Facebook as well.
You could try recreating Facebook's log out code (doing a post to the same action they use with the same data they send). But, I'm almost positive they'll be employing some sort of CSRF protection on that, so it probably won't work.
Saw this thread and wanted to add to it, to help the masses.
In the guidance, "Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on" from Microsoft, it has the following section buried in it:
Logging off your App and Logging in With Another Account
If you log on to your app with Facebook, , and then log out and try to log in again with a different Facebook account (using the same browser), you will be immediately logged in to the previous Facebook account you used. In order to use another account, you need to navigate to Facebook and log out at Facebook. The same rule applies to any other 3rd party authentication provider. Alternatively, you can log in with another account by using a different browser.
So this behavior is by design.
To learn more about OWIN, hear is some good reading:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
http://brockallen.com/2014/01/09/a-primer-on-external-login-providers-social-logins-with-owinkatana-authentication-middleware/
Have more links to share, but drats, reputation is not high enough yet. :)
Its been two years and If OpenID Connect is used, then a solution exists as
// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
Request.GetOwinContext().Authentication.SignOut();
return Redirect("/");
//AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
//return RedirectToAction("Index", "Home");
}
I am trying to implement omniauth twitter to authenticate user using twitter in my application. When I try to "login with twitter", It takes me to "Authorize App" twitter page. When I click "Authorize App" button, It tries to redirect me to my app and shows me as as already logged user in twitter.( as I am already logged in twitter in another tab of my browser). But then I display me registration page without persisting username. I am following Ryan http://railscasts.com/episodes/235-devise-and-omniauth-revised devise with omniauth. How to persist username when log in with twitter. Please suggest me.
I have attached my application code on below link.
app code
Please let me know if you need more code to be pasted.
I had the same problem.
Devise is looking for an email. Can't be persisted without.
You can :
- change the email field null=>true using a migration
- generate a dummy email when provider is twitter
Sorry for double posting probably same question but I don't think I've explained the question much on the previous one. Here's an easier to understand question:
The site I'm working on uses Devise (https://github.com/plataformatec/devise/) and Omniauth (https://github.com/intridea/omniauth) to allow users to logon via Twitter. It works well when it's used in browsers.
This is how to reproduce the problem:
User is using Twitter's IOS app
User clicks on a link of our site that was embedded in a tweet
Twitter opens our site via UIWebView
Our site requires the user to login via Twitter
The app executes Safari and redirects to Twitter's login portal, prompting the user to login
When the users submits the form, it redirects him back to our site and throws an error: "Session Expired"
Any ideas why this is happening? Or anyone experiencing the same problem?
I don't think there has been any change to this, I posted this question here that has more interaction https://dev.twitter.com/discussions/9711.
I installed Spring-Security-Facebook Plugin in my app, and got the Login button in my login page.
When I am clicking on the login with Facebook button it is redirecting to facebook.com/login.php?api_key=....... and i am getting an error.
When I clicked on login with Facebook button in other websites it is redirecting to facebook.com/login.php?api_key........ and giving the login page.
I also tried the JavaScript code given in the Facebook Developers api in the page http://developers.facebook.com/docs/guides/web/. Then also I got the same problem.
I don't know where i am going wrong. I think it is problem with the url redirecting.
Make sure that you're using same site url as it configured in Facebook Developer Admin (something like http://localhost:8080/my-app/).
And also, if you setup Sandbox Mode (Settings -> Advanced), then Facebook will show you details of this error.