I have implemented Sign in with Twitter on my web site using DotNetOpenAuth lib using asp.net mvc 3.
My problem is that every time the user click Sign-in with twitter it redirects him to a twitter page (even if he is already logged in to twitter).
I saw that sites like www.pinterest.com avoids this somehow.
How can I avoid the redirect to Twitter sign-in page if the user is already logged in to twitter?
This is called Sign in with Twitter. Redirect users to https://api.twitter.com/oauth/authenticate?oauth_token=xyz instead of https://api.twitter.com/oauth/authorize?oauth_token=xyz. If the user is has an active session with twitter.com and has previously authorized the application they will silently be redirected to the callback url.
Related
I have the sign-in with linkedin functionality working on my asp.net mvc site.
I noticed that when a user is already logged in to LinkedIn in the current browser that when I click the button to sign in with linkedin on my site that it automatically signs in to my site with the user that was already logged in instead of asking for a LinkedIn username and password.
Is there any way to ignore any already logged in users and ask for the username and password EVERY time someone hits the button to sign in with linkedin? I don't want anyone to be surprised about who they get logged in as... as I was when I accidentally added the wrong LinkedIn login to my account on my site because of this.
I have an MVC 5 web app that has facebook authentication set up and working nicely. User clicks "Facebook" on the login page, signs in to Facebook and that authenticates with our web site. If the user logs out, the call to AuthenticationManager.SignOut() logs out of the web site correctly, but if the user then goes back to the login page and clicks "Facebook" again they are immediately signed in without having to sign in to facebook.
So my question is, how do I configure MVC 5 OWIN facebook login so that the user is signed out of facebook when they sign out of the web site, or to put it another way, prevent caching of the authentication for the next sign in. I don't want a users facebook login to be silently cached in case they are sharing a browser with other users.
The only way that I know to do this would be to tie an event to your log out button or link and use the Facebook Javascript SDK to actually perform the Facebook logout for you.
LogOut
<script type="text/javascript">
$(function(){
$("#Logout").on("click", function(e){
if(confirm("This will also log you out of Facebook. Proceed?")){
FB.logout(function(response) {
// Person is now logged out
});
}else{
//do not allow the link to continue and sign our of your site.
//This is optional and allows you to provide options
e.PreventDefault();
}
});
});
</script>
You could actually use the confirm dialog to ask if they want to be signed out of Facebook as well. A confirm would mean yes, a not confirm would mean no, just sign me out of your site. Again, using the SDK and a little bit of control logic should provide the results you need.
You can't. To do so would require being able to access cookies set by facebook.com which is explicitly forbidden for security reasons: you can only access cookies on your own domain. The login with Facebook is separate from your application. The user isn't truly logging into your site. They're logging into Facebook and Facebook is simply verifying the user identity with your site. If you're truly concerned you can put a message on your sign out page reminding them to sign out of Facebook as well.
You could try recreating Facebook's log out code (doing a post to the same action they use with the same data they send). But, I'm almost positive they'll be employing some sort of CSRF protection on that, so it probably won't work.
Saw this thread and wanted to add to it, to help the masses.
In the guidance, "Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on" from Microsoft, it has the following section buried in it:
Logging off your App and Logging in With Another Account
If you log on to your app with Facebook, , and then log out and try to log in again with a different Facebook account (using the same browser), you will be immediately logged in to the previous Facebook account you used. In order to use another account, you need to navigate to Facebook and log out at Facebook. The same rule applies to any other 3rd party authentication provider. Alternatively, you can log in with another account by using a different browser.
So this behavior is by design.
To learn more about OWIN, hear is some good reading:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
http://brockallen.com/2014/01/09/a-primer-on-external-login-providers-social-logins-with-owinkatana-authentication-middleware/
Have more links to share, but drats, reputation is not high enough yet. :)
Its been two years and If OpenID Connect is used, then a solution exists as
// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
Request.GetOwinContext().Authentication.SignOut();
return Redirect("/");
//AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
//return RedirectToAction("Index", "Home");
}
I'm using the Oauth redirect authorization method to provide authorization for a page tab iframe application.
The flow works like this:
User loads page tab (unauthorized)
User clicks authorize link
Authorization dialog takes over parent window
Accepted authorization redirects to my application to register user account using authorized email.
My application redirects back to the page tab
Loading the page tab causes authorization to be lost, and the user sees the authorize link again. Rinse, repeat, no success.
Confusingly, the application works completely if instead of redirecting to the Facebook Page Tab, I redirect to any path in my application (ie. the root, the user's page, etc.). Only by setting the redirect to the Facebook Page Tab URL does the user get "booted".
Even stranger, if I keep redirection limited to my application, but simply load the Facebook Page Tab, the authorization is killed everywhere. Meaning, post-facebook-page-load, refreshing the application off-Facebook will prompt the user to authorize again, and they are effectively "logged out" of my system.
I am using Rails 3.0.1 with Devise 1.4.2 for user accounts. The user authorization is passed to a Devise registration (I need to keep track of users in my app - a voting-based "contest" application). Devise uses the "Server side Flow" detailed here: http://developers.facebook.com/docs/authentication/
I'm lost as to what would be causing this. Facebook killing the auth cookie? Does this happen?
When you access the facebook tab page first time,signed_request is necessary:
#signed_request = oauth.parse_signed_request(params[:signed_request])
So you can send a parameter when redirect to it from other pages to check if it's the first time.
I'm using the Facebook login with Koala for my RoR web application.
I'm using Clearance authentication, and when user logs in with Facebook I'm recognizing the site existing user or subscribing a new user.
I am having an issue with logging out:
I'm trying to logout of the site without logging out of Facebook.
As I understood from the FB API, I should use the url for logging out:
"https://www.facebook.com/logout.php?next=#{sign_in_url}&access_token=#{access_token}".
When directing to that URL it seems like cookies changed, but then on the sign_in page when getting to the parse facebook cookies part (for checking if user logged in to facebook), the
oauth.get_user_from_cookies(cookies)
returns:
OAuthException: Code was invalid or expired. The session is invalid because the user logged out
Like it deletes the whole session instead of just change the cookies...?
* I checked and the cookie fbsr_... still exists! shoudln't it be changed to fbs_...?!
I would appreciate help on this.
Thanks a lot!
Moozly.
I have successfully let users to connect to my web application with twitter oauth. And I can insert user information after they logged in.
My problem with is that existing users are always redirected to the Allow/Deny application screen on twitter each time they click on sign in with twitter.
How can I skip this step for my existing users so they don't have to click on allow every time they sign in?
I am using this library: http://www.haughin.com/code/twitter/
thanks.
This is done with the Sign in with Twitter flow. Instead of sending users to https://api.twitter.com/oauth/authorize?oauth_token=xyz send them to https://api.twitter.com/oauth/authenticate?oauth_token=xyz. In this case if the user has previously authorized your app and are already authenticated with twitter.com they will automatically be redirected back to your app without being prompted to allow/deny access.
When a user authorizes your application to use their Twitter account, Twitter gives you two tokens: OAuthToken and OAuthTokenSecret.
Stores these tokens in a cookie, or a settings file, or whatever.
Then, the next time you need to make a request to Twitter on behalf of this user, you use those tokens.