Has Google pushed an update to their OAuth2.0 flow that breaks multiple accounts? - oauth

Up until last week, whenever I was logged into multiple accounts in Google and I invoked the OAuth2.0 flow I would get to an ugly screen (looked like it had been hit repeatedly with the ugly stick) that was functional. It would display a list of radio buttons with all the accounts I am logged in as; you select the one and continue through the flow.
This week I now get a beautiful screen that is non-functional (does not list accounts, and the sign-in button only adds an additional account to the list of accounts I am signed in as). I should point out that I am logged into 4 different Google accounts at the same time. The OAuth2.0 for my app appears to be working fine, as if I start an incognito window in Chrome, or start a new session and only have one account logged in, my OAuth flow continues normally.
Is this just me or is everyone hit by it?

We (Google) are rolling back the new page and within a few minutes it should return to the previous behavior.
Any chance you could let us know what kinds of accounts those 4 you were logged in to were? SAML? Google Apps? Plain gmail?

We're also experiencing this. Hope someone at Google takes note and gets this fixed soon!
EDIT: To clarify, I've only experienced the problem when logged into both a personal Google account AND a Google apps account. Haven't tested other situations at present.

FYI, we just rolled out the new UI, so you may begin to see the "beautiful screen" that is now functional. :-) Thanks for the bug report.

Related

Is there a way to skip the "Your domain administrator has approved" page in Apps Marketplace Oauth2?

I have a Google Apps Marketplace (v2) app I am working on setting up Oauth2 for.
I've got everything working, but for some reason when I do a redirect to the authentication page, after you select which Google account to use (if, like me, you're testing, you have to pick one of several Google accounts you're currently signed into), I get sent to another page which seems utterly pointless:
This is bizarre and annoying, because I am logging in as the domain administrator!
Does anyone know a way to skip this screen, or what I might be doing to be cursed with this terrible user experience?
I just confirmed that having access_type=offline will always display this page, even with approval_prompt=auto. You will always get back a refresh token as well.
The only way to hide it is to remove access_type=offline on future login requests (ask only on signup).
I believe this shows up only if the app requests a refresh token for offline access. Also, this should only appear the first time you access the app after installation.
In order to skip this you need to update the app to not request refresh tokens.
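Worked example, added here and not taken from any of the answers above: both answers boil down to "request `access_type=offline` once, on signup, and leave it out of later login requests". The helper below builds the Google authorization URL that way, keeps `approval_prompt=auto` as discussed, and also carries and checks an unguessable `state` value so the callback can be tied to the session that started the flow. The authorization endpoint URL, the client id, redirect URI and scopes are assumptions or constructed sample values, not taken from the thread.

```python
# Added example (not from the original thread): build the Google OAuth 2.0
# authorization URL so that access_type=offline (the setting the thread says
# always triggers the "domain administrator has approved" page and a refresh
# token) is sent only on the first sign-up; ordinary logins omit it.
from urllib.parse import urlencode, urlparse, parse_qs
import secrets

# Assumption: the v2 Google authorization endpoint; use whatever endpoint
# your client library is configured for.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes, state, first_signup):
    """Return the authorization URL for one login attempt.

    first_signup is True only the first time this user connects the app.
    That is the only request carrying access_type=offline, so the refresh
    token is issued once and stored server-side; later logins do not
    re-trigger the approval page the thread describes.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        # Per-session random value, verified when the provider redirects
        # back, so a callback cannot be replayed into another session.
        "state": state,
        # approval_prompt=auto: do not re-prompt for consent already granted
        # (the thread notes it does not suppress the page when offline
        # access is requested).
        "approval_prompt": "auto",
    }
    if first_signup:
        params["access_type"] = "offline"
    return AUTH_ENDPOINT + "?" + urlencode(params)


def new_state():
    """Fresh CSRF-protection state value; store it in the user's session."""
    return secrets.token_urlsafe(32)


def auth_params(url):
    """Parse the query string of an authorization URL into single values."""
    query = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in query.items()}


def callback_is_valid(expected_state, callback_query):
    """Compare the state echoed back by the provider with the stored one."""
    returned = parse_qs(callback_query).get("state", [None])[0]
    return returned is not None and secrets.compare_digest(returned, expected_state)


if __name__ == "__main__":
    # Constructed sample values; replace with your app's registered ones.
    cid = "example-client-id.apps.googleusercontent.com"
    redir = "https://app.example.com/oauth2/callback"
    scopes = ["openid", "email"]
    st = new_state()
    print("signup:", build_auth_url(cid, redir, scopes, st, first_signup=True))
    print("login: ", build_auth_url(cid, redir, scopes, st, first_signup=False))
```

The refresh token returned by the signup request is the thing to keep; since later requests drop `access_type=offline`, they will not issue a new one, so losing the stored token means sending the user through the offline request (and the approval page) again.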

Expired FB Token

I currently develop an iOS app that uses FB Connect to enable login. In the past 2 months, I have gotten at least two reports of users who are unable to login to our app. It turns out the solution was for them to go to Settings->Facebook, click on their account and relogin. I'm guessing the access token is expiring for some users.
Why is the iOS system level token not automatically refreshing when needed? Is there some way for my app to initiate this? Or at least some way to alert a user to this case so they can fix it themselves?
And why aren't more people seeing this?
Thanks!
I guess you have to handle this in your app yourself. Have a look at https://developers.facebook.com/docs/ios/errors#auth and check the login error scenarios. There's also some sample code included.
Also, you could have a look here: https://developers.facebook.com/docs/facebook-login/ios/v2.0#sessions

Twitter iOS Flow

My app does automatic tweeting and I'm wondering if this flow is allowable.
The user clicks on a Twitter connect button on one of my pages, then it directs them to the login page in settings. After they've logged in, I'd send an automated tweet to their page.
Is this legal to do? Only asking if this is legally ok to do. Thanks!
As far as legality goes, I would imagine this is fine if they know that the app will tweet for them.
Twitter has a page telling developers about these sorts of things: https://dev.twitter.com/terms/api-terms
See Section II, subsection 1, part B.

iOS: Registering new app on Facebook

There must be an easy answer to this one....
I am trying to integrate my latest iOS app with Facebook. I have not used Facebook before, so I just set up a "company" page with basic information on my firm.
I'm following all the Facebook links i.e. https://developers.facebook.com/docs/mobile/ios/build/
But I cannot get beyond Step 1 (LOL). Whenever I click the link "Step 1: Registering your iOS App with Facebook," it keeps taking me to my company's Facebook Admin screen!? I cannot find a way to register my App off this screen. Where is the "Add new app" link??
I'm going in circles. Help appreciated.
It's not possible to register an App under a Business account, and you have to create (or lend) a personal account. And keep in mind: Facebook frowns upon incorrect information, so it should be a legit person or your account will be suspended when (not if) they find out.
Secondly you have to authorize your Facebook account. For example: by entering mobile phone no. and entering code from a text FB will send you (more info: http://www.facebook.com/confirmphone.php) or entering CC information (more info: https://secure.facebook.com/cards.php)
When you (finally) have an authenticated account:
https://developers.facebook.com/apps Is the location you should be looking at.
Over at http://developers.facebook.com/docs/opengraph/tutorial/ Step 1 describes the creation of a Facebook App. (rather simple, by clicking on "Create New App")
Hope this helps! Good luck!
I believe the problem is that you are attempting to create a Facebook App with your "page user", i.e. you clicked "Use Facebook as..." and clicked on one of your pages.
You cannot create an application in this way. Applications must be created by "real" users. You're going to want to follow that tutorial you posted and use your user.
If you are hesitant to use your own account, ask your boss to use his or request from your clients login credentials to open the application on their account.
The reason behind this is so that Facebook can track "bad" applications back to real people, people who had to verify their account by submitting a mobile phone or credit card number.

Authlogic, logout, credential capture and security

Ok this is something weird. I got authlogic-oid installed in my rails app today. Everything works perfectly fine but for one small nuisance.
This is what I did:
I first register with my Google OpenID. Successful login, redirection, and my email, along with my correct OpenID, is stored in my database. I am happy that everything worked fine!
Now when I log out, my Rails app as usual destroys the session and redirects me back to my root URL where I can log in again. Now if I try to log in it still remembers my last login id. Not a big issue as I can always "Sign in as a different user", but I am wondering if there is any way to not only log out from my app but also log out from Google.
I noticed the same with Stack Overflow's OpenID authentication system.
Why am I so bothered about this, you may ask. But is it not a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his Google account, only to realize later that his Google account had been hacked by some unworthy loser who just happened to notice that the one before him had not logged out from Google and, say, changed his password!!
Should I be paranoid? Isn't this a major security lapse while implementing the OpenID spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented OpenID in their apps and not implemented a workaround?
If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful log out reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F
AFAIK, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using OpenID could log me out of my Google account.
Yes, there is a scenario that a user can assume that they are logged out of google because they logged out on your site but that would (and should) be their own fault.
