How can I force login with the OAuth API? - oauth

Is there a parameter I can pass to https://www.facebook.com/dialog/oauth that will force the user to login again?
The problem is if the user is logged into Facebook, it will redirect transparently back to my site, even if the user wants to use a different Facebook account.
Twitter's OAuth API accepts a "force_redirect=true" parameter which does what I want, but I can't find one for Facebook.

I think "auth_type=reauthenticate" is the option you are looking for.
Docs: https://developers.facebook.com/docs/reauthentication/

Related

tracking user invite through oauth login

I'm building an app where the user will receive an invite to join a team.
The invite link is unique to the user, and when the user hits the sign-up page, they can log in using OAuth (Google).
After the user goes through the authentication and gets passed back to my app, I need to get their invite code, so I can look it up in the db and add them to the correct team.
I thought I could pass a state variable to the oauth provider which would get passed back to me like auth?state=INVITE_CODE, but when I send a state parameter to google in my auth request, it doesn't respond at all.
What's the best way to accomplish this?
I'm using express passport if that makes any difference.
I was WAY over thinking this, so hopefully this will help somebody else.
If you look at the res.headers.referer it is actually your original link, not the link from the oauth provider, which I expected.
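
An added example, not part of the original posts: the invite code can travel in the OAuth state parameter, as the question first proposed, if it is signed and bound to the visitor's session so the callback does not depend on the Referer header, which the client controls and browsers may omit. The function names, the secret handling and the sample values are assumptions for illustration; wiring into Express or Passport is left out.

```javascript
const crypto = require('crypto');

// Assumption: in a real app this secret comes from server configuration.
const STATE_SECRET = crypto.randomBytes(32);
const MAX_AGE_MS = 10 * 60 * 1000; // constructed limit: state is valid for 10 minutes

function sign(payload) {
  return crypto.createHmac('sha256', STATE_SECRET).update(payload).digest('base64url');
}

// Called before redirecting to the provider. sessionNonce is a random value
// stored in the visitor's session, so the state only works in that browser.
function makeState(inviteCode, sessionNonce, now = Date.now()) {
  const json = JSON.stringify({ inviteCode, sessionNonce, iat: now });
  const payload = Buffer.from(json, 'utf8').toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Called in the OAuth callback. Returns the invite code, or null if the state
// is missing, malformed, forged, expired, or bound to a different session.
function verifyState(state, sessionNonce, now = Date.now()) {
  if (typeof state !== 'string') return null;
  const parts = state.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let data;
  try {
    data = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (data.sessionNonce !== sessionNonce) return null;
  if (data.iat > now || now - data.iat > MAX_AGE_MS) return null;
  return data.inviteCode;
}

// Constructed sample values showing the round trip.
const sampleState = makeState('INVITE-7F3K', 'session-nonce-A');
console.log(verifyState(sampleState, 'session-nonce-A'));
console.log(verifyState(sampleState, 'session-nonce-B'));
```

The returned invite code is still looked up in the database as before; the signature only shows that the value left this server for this session and came back unchanged.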

Tweepy Authentication vs. Authorization

I have OAuth working with Facebook, Google, and Twitter; however, I am having an issue with the latter where it uses an "authorization" URL each time rather than "authentication". The result is that the user is asked to authorize my app each time. With both Google and FB once the app is authorized they are not asked again when they log in. It is aware behind the scenes if the user is logged into one of those services and if so (and they already authorized my app) it logs them immediately into my app. With Twitter it will take them to an authorization screen each time.
I know this is due to the flow I have with Twitter which says: redirect_url = auth.get_authorization_url() followed by a self.redirect(redirect_url)
The key above is "authorization" which is unaware of the user's acceptance of my app previously. In Twitter I know there is a checkbox to "allow this application to be used to sign in with Twitter". This is checked. What I am not able to find is the correct path with Tweepy that checks whether the user is already logged into Twitter and has already authorized my app.
I do save the tokens that Twitter sent back with the user at first authorization, however, I have no idea who the user is until they login so I cannot try to use these tokens for this initial part of the exercise. I should note that I don't have to use the tokens from Google or FB either at this stage.
Can Tweepy be used in the manner described above or do I need to do something else?
Thanks!
Fortunately, there is a very simple solution. When calling api.get_authorization_url, simply specify signin_with_twitter=True as a keyword argument. Your call should look like this:
api.get_authorization_url(signin_with_twitter=True)
This causes Tweepy to use the `authentication` endpoint you mentioned, instead of the `authorization` endpoint.

OmniAuth ruby on rails, forcing facebook user to re-authenticate when currently logged into facebook

I have a facebook application that the user has authorized. I want to re-authenticate when their token has expired. The problem is that when the user is already logged in to Facebook, and they have already authorized the application, facebook just redirects back to the redirect_url. I don't want this behavior as the user may have multiple facebook accounts and the one they're logged in to may not be the correct one.
The initial facebook authorization happens via server side authentication.
I want to either:
pick which one [account] to authenticate with (this is ideal) or
force them to re-authenticate their facebook credentials
I would like to avoid using the javascript sdk to force logout then re-login in if possible. I would like to keep everything server side for maintenance reasons.
You can configure omniauth-facebook to force reauthentication by setting auth_type to reauthenticate.
I don't know how to force users to re-authenticate (that would be the better solution). But it's the first time I've heard of someone who wants the token to expire faster. (Tokens last 2 hours, https://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/ ).
Your use case is really unusual:
"the user may have multiple facebook accounts and the one they're logged in to may not be the correct one"
Who has multiple Facebook accounts?
Maybe if you are a developer, you will need an extra account, but it's better to use this:
https://developers.facebook.com/docs/test_users/
Regards
Ivangrx
force them to re-authenticate their facebook credentials
The OAuth dialog offers a method for Re-Authentication – but I’m not quite sure if that fits your needs, so you’ll have to give it a try.

How can I force re-authentication with the Windows Live OAuth API?

Is there a parameter I can pass to https://oauth.live.com/authorize that will force the user to login again?
The problem is if the user is logged in, it will redirect transparently back to my site, even if the user wants to use a different Windows Live account.
Twitter's OAuth API accepts "force_redirect=true", and Facebook accepts "auth_type=reauthenticate", but I can't find one for Windows Live.
First redirect your user to:
https://login.live.com/oauth20_logout.srf?client_id={$Client_Id}&redirect_uri={$Redirect_URI}
It will log him off, and then you can continue your coding!

Using Twitter api logout on Twitter?

Users log in to my application with OAuth. After they log out of my application, Twitter does not log them out; the problem is that the user's Twitter account is still active.
When they log out of my application, they should be logged out of Twitter at the same time.
Does the Twitter API not support this action?
No, the twitter API will not log your users out of twitter.
account/end_session only ends the current API session. I'm working on a site that requires users to be able to log out and then log back in again with another Twitter account. To do that, you have to store multiple access tokens per user and establish one as the current access token. More info in the link below.
http://groups.google.com/group/twitter-development-talk/browse_thread/thread/02e44b27d7ba3661?pli=1
As far as signing out of twitter, it's up to the user to sign into twitter and sign out themselves, which is not ideal if working on a shared computer.
Twitter just closes the session at the API; it does not close the session on Twitter :)
You'll have to call account/end_session to end the session of the authenticated user on twitter.
Old thread, agreed. I just integrated Twitter login in my Android app using Fabric. I found the following method:
com.twitter.sdk.android.Twitter.logOut
I guess they have implemented it now! I couldn't find any documentation, honestly I've not put too much time into it. But I think logout means what I think it means :)
Twitter does not have an API for logout. You can use the session closing API to end the user session.
You can use oauth/authenticate or oauth/authorize and add "force_login=true" parameter. This will prompt the user with a login form.
view this thread
