I am using the oauth method in order to allow a user to sign into my website with Twitter and Facebook. I also plan to add Yahoo! and Google as well such as Stack Overflow does. Once the user logs in with Twitter successfully they have the option of logging out.
I want to make it to where when the 'Log out' button or link is selected, the user is logged out of my site AND TWITTER. I need it to log out of Twitter also in the case that the user is accessing my website and not Twitters. How do I do this?
Demo and example at: develop.f12media.com
The user clicks on 'Login' at the top of the page to log in with their Twitter account.
Redirecting the user to http://twitter.com/logout will probably work.
But don't do it. OAuth isn't meant to behave that way. Just log the user out of YOUR site.
Logging in to your site via OAuth doesn't necessarily log them in at Twitter, so logging out via your site shouldn't log them out either.
In Facebook it can be done easily because facebook provides logout.php and it takes next=sendBackURL as param.
so when user clicks on Logout button of your application, we can just invoke above logout URL, which will log out the user and smart facebook URL next=sendBackURL will send to your application login page.
But the above seems difficult in twitter, but I think if I do the same, then user will be on Twitter site but he will be logged out of both ur application and twitter.
so it can be by sending authorize?force_login=true, it will be called or will get redirection just after your application logs out user from your site, and user will be directed to Twitter again, I have tested it logs out user from twitter, although it will ask twitter credentials again, but no issue, user can just ignore that.
If Twitter can also provide some logout url, which takes next URL, it will be easy.
Whether or not the user is authenticated on the Twitter site is between the user and the Twitter site. You don't have access or control to that. You only have control over your auth token for that user on your site. You could expire the user's auth token when they log out of your site, but that only affects their Twitter authentication through your site. All that would accomplish is making it so they have to authenticate with Twitter again the next time they log into your site.
I think you're trying to accomplish something you don't need to here. This is the expected flow of OAuth and you shouldn't be worrying about logging the person out of a 3rd party site.
Related
Ok, so i have created a facebook login for a website.
The site has a user account overlay. When the user has a std account the user checks are simple as i am querying my own server. Each page load I run 'isUserLoggedIn()'..
However, if the user logs in with facebook.. things get a little different.
What if the user logs out of facebook? Am i expected to logout the user from my website? If so this would require a call to facebook each and everytime a page was loaded.. what ahve other people done with scenarios like this?
I was thinking that I could check every tenth server request to see if the user is still logged in with facebook?
Or do people not bother and only log the user out of their site when the user specifically logs out of the website?
I am always reading about Facebook and Twitter logins for someones website.
The integration using one of theses services is okay, but my questions is how can I access both API´s for one user.
Example:
User is logged in on my website (active session). Now he somehow has to grant me access to his user details etc. on facebook AND twitter. How do I realize that? I don´t want him/her to type in his facebook or twitter credentials everytime he logs in to get his access token (oAuth).
How do I get my own oAuth user access token after using my websites login, so I can interact with Facebook and Twitter´s API.
Is this correct?
Thank you very much, if you can help me.
Facebook
When someone logs into the Facebook account, they stay logged in until they actively log out.
The way to test for this is:
FB.getLoginStatus(function(response){
if response.status === 'connected'{
// The user is logged in
var access_token = response.authResponse.accessToken;
// Do whatever you need to do
} else {
// Get the user to log in
}
});
See here for more details:
https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
Twitter
The process is a little more complex for Twitter, but if you only want to display tweets, consider Web Intents.
Otherwise, follow these steps:
https://dev.twitter.com/docs/auth/3-legged-authorization
Both platforms have the ability to check whether or not the user is logged in first, so you shouldn't have to worry about someone having to log in every time they use your site. However, you cannot use the same oAuth token on both sites - you must get a separate one for each.
Each individual API will need a popup to authenticate, which will redirect to the appropriate api for authorisation, and then once you have the token after the authorisation redirects back to your popup.
You will then end up with a token that you can pass back to the calling page "window.opener" and store the token for that api in a Javascript variable by alling a Javascript funcation on the main page.
window.opener.getInstagramData("self", oauth_token);
Each authentication needs to have its own token and needs to be a button that the user should click on.
I am using this method to get Facebook, Twitter, LinkedIn Foursquare and GooglePlus account info.
Hope this helps.
I've developed a Facebook app (with iframe) using CakePHP. I get some Facebook user info when the app opens and display a form to send SMS free.
So, the user must be authenticated in Facebook before continuing in the app.
I'm using the Facebook SDK php (Copyright 2004-2008 Facebook. All Rights Reserved.)
How could I avoid Facebook to redirect to my own site when the user has lost the auth session?
Are you having the user use the FB login popups, and the FB authorization code?
Not sure if this will work for your situation, but on the loginURL code, you can pass in a redirect_uri that could point to a page that you want them forwarded to after they complete the login and the authentication procedure.
$url = $facebook->getLoginUrl(array('scope'=>'offline_access,publish_stream,email',
'redirect_uri'=>'https://www.mysite.com/mysite/'));
Hope that's what you were looking for.
I understand everything in the question except the last line. What do you mean by:
How could I avoid Facebook to redirect to my own site when the user has lost the auth session?
If you are using facebook for login credentials, then you are required to redirect to your own site. This is a facebook security rule and you can imagine why it exists.
For anything fancy, you'll want to use the facebook "server-side" flow. It's fairly straight forward:
http://developers.facebook.com/docs/authentication/
I've set up a facebook login for my site, using the faceboko php-sdk example.php method. It's working fine, but I want a user who has already allowed my site once to be automatically logged into my site, if they're logged in facebook.
Currently, if a user who has previously 'allowed' my application visits my site while logged in with facebook, they need to click login with facebook, then they are redirected and logged-in. Even though after that click, they don't need to provide any credentials or anything. Thus I would just like this step to be removed and for a user to be automatically logged in.
I hope that makes sense. Thanks
This is discussed on their site.
http://developers.facebook.com/docs/guides/web/#login
Facebook Platform uses OAuth 2.0 for
authentication and authorization.
While you can add login to your site
using OAuth 2.0 directly (see our
Authentication Overview), the open
source JavaScript SDK is the simplest
way to use Facebook for login.
[...]
In order to log the user into your
site, three things need to happen.
First, Facebook needs to authenticate
the user. This ensures that the user
is who they say they are. Second,
Facebook needs to authenticate your
website. This ensures that the user is
giving their information to your site
and not someone else. Lastly, the user
must explicitly authorize your website
to access their information. This
ensures that the user knows exactly
what data they are disclosing to your
site.
http://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/
By testing for the presence of the
session object within the response
object, you can be sure the user is
known to your application and you can
begin to make further calls to the
Facebook APIs. If the session object
is not present, the user is either not
logged into Facebook, or has not
authorized your application.
http://developers.facebook.com/docs/authentication/
Check the client side flow section to see when you get the authentication token you need to be passing around.
If the user is already logged in, we
validate the login cookie that we have
stored on the user's browser,
authenticating the user. If the user
is not logged in, they are prompted to
enter their credentials
I have a facebook application in my website. When someone is already logged in to my website, I have the offline_access of his facebook account, but when I put a like button, it always asks for login to facebook again.
Everything else works, like printing the posts, photos, etc. But the simple action of liking something, doesn't. How can I make it work using the php-sdk api?
I'm presuming that you have just used the like button code from here. What's happening when they click that button it's not going THROUGH your website but rather taking a bit with it to facebook. So it takes your URL to facebook and they do the whole posting bit... therefore if the client is not logged into facebook it'll ask them to login.
What you can do is use a curl posting script through your website and that should post whether they are logged into the facebook main site or not provided they logged in with the offline_access.
Please tell me if you need more information or if I have mis-interpreted what you meant.
Regards,
Jon
I guess you are misunderstanding the behavior of the offline_access permission:
Enables your application to perform
authorized requests on behalf of the
user at any time. By default, most
access tokens expire after a short
time period to ensure applications
only make requests on behalf of the
user when the are actively using the
application. This permission makes the
access token returned by our OAuth
endpoint long-lived.
This would mean, even if the user is logged off, your application will still have access to it's account BUT this DOES NOT mean that you can capture/monitor if the user is back on your website again until he is logged to his FB account again.
So offline_access will never know if the same user is currently on the page and "automatically" log him to his FB account!