logging out a user from facebook app - php

It seems that this method doesn't work for logging the user out of an app on Facebook. I don't want to log the user out of Facebook itself, as with getLogoutUrl, only out of the app.
If the user unchecks the email field in the dialog box the first time he logs in with Facebook, he needs to log out of the app in order to log in again without unchecking the email field, so he has a second chance of signing in to my site.
This method doesn't work anymore (I'm on PHP SDK v4):
setcookie('fbs_455857397897935','', time()-100);
// kill the session
session_destroy();
455857397897935 is the app id

You could try to revoke users login using graph API
DELETE /{user-id}/permissions
Quoting from docs:
You can also let people completely de-authorize an app, or revoke
login, by making a call to this Graph API endpoint:
DELETE /{user-id}/permissions
This request must be made with a valid user access token or an app
access token for the current app. If the request is successful, your
app receives a response of true. If the call is successful, any user
access token for the person will be invalidated and they will have to
log in again. Because you're de-authorizing your app, they will also
have to grant access to your app as if they were logging in for the
first time.
Hope this helps your usecase.

Related

Login using Linkedin OAuth api: keeps asking permissions authentication

I integrated my website with the Linkedin OAuth api to retrieve the basic profile settings, and it is the only way to log in to my website (so logging in should go through Linkedin each time). The user has to grant permissions upon login. But this now happens on every login; I cannot manage to make Linkedin remember that the user has already granted access (so what I want is that the second time for it to just redirect back to my site automatically)
I receive an access token at every successful login, I save it in the database but can't find a way to use this in a subsequent request (I'm not even sure if this is how I'm supposed to do it?)
The endpoint I am using to login is:
"https://api.linkedin.com/uas/oauth/authorize?oauth_token=" . $token
Where $token is an oauth token
Please tell me how to make the subsequent requests without Linkedin asking permissions
thanks
You can try using a PHP cookie or SESSION and set the expiry date a few years ahead,
so every time a user visits your site your system checks the database against the token saved in the cookie or SESSION. This is the only method you can use if you don't want to redirect the user to the LinkedIn page every time they visit your site.
The oauth_token is only good for so long. You should be getting a new token each time you use the API, not storing it in your database. Here is a link to the LinkedIn OAuth
https://developer-programs.linkedin.com/documents/getting-oauth-token-php

Security issue with Facebook JS SDK

I am using the facebook JS sdk to login a user. These are the steps that I follow:-
1) I use the FB.login(...) to get the details of the user.
2) Now, after receiving the details from Facebook, I send a POST request using jQuery's $.post(..) function to a php page say FBUser.php with the parameters - name,uid(Facebook User Id),email and access_token for publish_actions.
3) Now in the FBUser.php page, I do all the stuff like converting the short-lived token to a long-lived one, and then I check whether the uid received is present in my users table. If it is not, I create a new user, else I log in the old user.
Today, I just realized that I was making such a big security compromise, because anyone can send a POST request to the FBUser.php page with a uid of an existing user and get access to his account. But, on the other hand, I am sure that some big websites also use the JS SDK. So obviously, I am wrong somewhere. What would be the correct procedure to log in the user securely and prevent his account from getting hacked?
You should match the app and user id first, then you should check the access token, like this:
graph.facebook.com/debug_token?input_token={token-to-check}&access_token={app-token}
You can get the app token from https://developers.facebook.com/tools/accesstoken/
You can get the uid of the user using the access token that was sent to you, by using this token to access Facebook graph and query "/me".
You shouldn't rely on the uid that is sent by the client. My application only receives the access token and gets the rest of the data from a server-to-server call.
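The check these answers describe, as an added example that is not part of the original posts: the server takes only the access token from the client, asks debug_token about it, and derives the user id from that response. `debugTokenUrl` and `userIdFromDebugToken` are hypothetical names, the sample responses are constructed, and treating an `expires_at` of 0 as "does not expire" is an assumption.

```php
<?php
// Added example: decide who the caller is from Facebook's debug_token
// response, never from a uid field in the POST body.

function debugTokenUrl(string $userToken, string $appToken): string
{
    // Endpoint as given in the answer above; both tokens are URL-encoded.
    return 'https://graph.facebook.com/debug_token?' . http_build_query([
        'input_token'  => $userToken,
        'access_token' => $appToken,
    ]);
}

// Returns the user id the token was issued for, or throws if it must not be trusted.
function userIdFromDebugToken(string $json, string $ourAppId, int $now): string
{
    $data = json_decode($json, true)['data'] ?? null;
    if (!is_array($data) || empty($data['is_valid'])) {
        throw new RuntimeException('token is not valid');
    }
    // A token issued to a different app proves nothing about our user.
    if ((string)($data['app_id'] ?? '') !== $ourAppId) {
        throw new RuntimeException('token was issued for another app');
    }
    // expires_at is a Unix timestamp; 0 is treated as "no expiry" (assumption).
    $exp = (int)($data['expires_at'] ?? 0);
    if ($exp !== 0 && $exp <= $now) {
        throw new RuntimeException('token has expired');
    }
    if (empty($data['user_id'])) {
        throw new RuntimeException('no user id in response');
    }
    return (string)$data['user_id'];
}

// Constructed sample responses (placeholder ids, not real accounts).
$ok    = '{"data":{"app_id":"1111","is_valid":true,"user_id":"9001","expires_at":0}}';
$other = '{"data":{"app_id":"2222","is_valid":true,"user_id":"9001","expires_at":0}}';

echo userIdFromDebugToken($ok, '1111', time()), PHP_EOL;
try {
    userIdFromDebugToken($other, '1111', time());
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned id, not any `uid` posted by the browser, is what the users-table lookup should use.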

Facebook Social Graph - why storing token and secret when login

I've noticed some people storing token and secret key in a user table after a user connects to the app using Facebook login.
But I was just wondering, are these values changed constantly or not? Also, are they there to keep the login live or anything?
The Facebook API uses OAuth 2.0. Once a user has granted your application privileges to their account, FB sends you an authorization token that your application needs to store. The reason is that you need to send that token every time you make a FB API request on behalf of that user. FB checks to see if the token is still valid and if it is then it allows the request to be processed (e.g. making a post to the user's wall).
If you look at the Graph API Explorer, you will notice the "Access Token" field at the top. Click the "Get Access Token" button to generate one for your own account so you can make test calls on behalf of yourself.

How can I access multiple API´s (Facebook and Twitter) on one user?

I am always reading about Facebook and Twitter logins for someone's website.
The integration using one of these services is okay, but my question is how can I access both APIs for one user.
Example:
User is logged in on my website (active session). Now he somehow has to grant me access to his user details etc. on Facebook AND Twitter. How do I realize that? I don't want him/her to type in his Facebook or Twitter credentials every time he logs in to get his access token (OAuth).
How do I get my own OAuth user access token after using my website's login, so I can interact with Facebook's and Twitter's APIs?
Is this correct?
Thank you very much, if you can help me.
Facebook
When someone logs into the Facebook account, they stay logged in until they actively log out.
The way to test for this is:
FB.getLoginStatus(function (response) {
    if (response.status === 'connected') {
        // The user is logged in
        var access_token = response.authResponse.accessToken;
        // Do whatever you need to do
    } else {
        // Get the user to log in
    }
});
See here for more details:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
Twitter
The process is a little more complex for Twitter, but if you only want to display tweets, consider Web Intents.
Otherwise, follow these steps:
https://dev.twitter.com/docs/auth/3-legged-authorization
Both platforms have the ability to check whether or not the user is logged in first, so you shouldn't have to worry about someone having to log in every time they use your site. However, you cannot use the same oAuth token on both sites - you must get a separate one for each.
Each individual API will need a popup to authenticate, which will redirect to the appropriate api for authorisation, and then once you have the token after the authorisation redirects back to your popup.
You will then end up with a token that you can pass back to the calling page "window.opener" and store the token for that API in a JavaScript variable by calling a JavaScript function on the main page.
window.opener.getInstagramData("self", oauth_token);
Each authentication needs to have its own token and needs to be a button that the user should click on.
I am using this method to get Facebook, Twitter, LinkedIn Foursquare and GooglePlus account info.
Hope this helps.

Automatically log facebook user into my site

I've set up a Facebook login for my site, using the Facebook php-sdk example.php method. It's working fine, but I want a user who has already allowed my site once to be automatically logged into my site if they're logged in to Facebook.
Currently, if a user who has previously 'allowed' my application visits my site while logged in with facebook, they need to click login with facebook, then they are redirected and logged-in. Even though after that click, they don't need to provide any credentials or anything. Thus I would just like this step to be removed and for a user to be automatically logged in.
I hope that makes sense. Thanks
This is discussed on their site.
http://developers.facebook.com/docs/guides/web/#login
Facebook Platform uses OAuth 2.0 for
authentication and authorization.
While you can add login to your site
using OAuth 2.0 directly (see our
Authentication Overview), the open
source JavaScript SDK is the simplest
way to use Facebook for login.
[...]
In order to log the user into your
site, three things need to happen.
First, Facebook needs to authenticate
the user. This ensures that the user
is who they say they are. Second,
Facebook needs to authenticate your
website. This ensures that the user is
giving their information to your site
and not someone else. Lastly, the user
must explicitly authorize your website
to access their information. This
ensures that the user knows exactly
what data they are disclosing to your
site.
http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
By testing for the presence of the
session object within the response
object, you can be sure the user is
known to your application and you can
begin to make further calls to the
Facebook APIs. If the session object
is not present, the user is either not
logged into Facebook, or has not
authorized your application.
http://developers.facebook.com/docs/authentication/
Check the client side flow section to see when you get the authentication token you need to be passing around.
If the user is already logged in, we
validate the login cookie that we have
stored on the user's browser,
authenticating the user. If the user
is not logged in, they are prompted to
enter their credentials
