How to persist login cookie on Facebook's browser - authentication

Here is my issue.
The site I am responsible for gets millions of page views per month, many from social media apps.
We are seeing an increased trend in customer service complaints along the lines of "I need to login every time I visit your site".
After some detective work, it seems that this problem is occurring mainly for people visiting from social media apps.
So it looks like this:
Someone logs in on their native browser.
Sometime later they visit the site again via a link on Facebook.
They are asked to log in again... frustration ensues.
Has anyone encountered anything like this and is there a way to share native browser cookies with social media apps? We can't be the first to have this issue.

Related

How to log in to WebView rendered social logins (Facebook/Google)?

I'm working on an app that (for now) is essentially a WebView wrapper over an existing website.
There are social logins there, but when you click on them in the context of the app, the OAuth providers say the WebView user agent is not allowed. This is because in 2021 OAuth stopped allowing social logins via WebViews due to the risk of key-logging. I messed around with spoofing the user agent, but that both felt wrong and also didn't work for all social logins.
What would you recommend doing in this situation? My goal is to somehow allow people to log in with Google/Facebook. I'm open to ideas - e.g.
implementing native login solutions and passing tokens back to the main site in the WebView
opening an external browser and doing the login action in this higher security area
Where I'm having trouble is the specifics of making this all connect together. If anyone has any experience here, I'd love to hear from them.
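Added example, not code from either question above. The in-app browsers that social apps open links in (the Facebook and Instagram in-app browser, Android WebView, iOS WKWebView) have their own cookie jar, separate from the user's Safari or Chrome, which is why a login in the "native" browser is not seen when the same site is opened from a social app. Classifying the User-Agent server-side lets the site show an "open in your browser" link or route the OAuth step to an external browser instead of looping the user through login. The token checks are heuristics rather than an official list, and every string in SAMPLE_USER_AGENTS is constructed for this demo.

```javascript
// In-app browser detection by User-Agent (heuristic, added example).
// Vendor tokens checked first; ordering matters because the Messenger UA also
// carries FBAV/.
const IN_APP_MARKERS = [
  { kind: 'messenger', re: /\bFB_IAB\/MESSENGER/ },
  { kind: 'facebook',  re: /\bFBAN\/|\bFBAV\//    },  // Facebook app, iOS and Android
  { kind: 'instagram', re: /\bInstagram\b/         },
];

function classifyUserAgent(ua) {
  ua = String(ua || '');
  for (const { kind, re } of IN_APP_MARKERS) {
    if (re.test(ua)) return { inApp: true, kind };
  }
  // Android WebView advertises itself with "; wv" inside the platform parentheses.
  if (/\bAndroid\b/.test(ua) && /;\s*wv\)/.test(ua)) {
    return { inApp: true, kind: 'android-webview' };
  }
  // iOS WKWebView/UIWebView: an iPhone/iPad "Mobile/" UA that lacks the "Safari/"
  // token Mobile Safari always appends. Some third-party iOS browsers also lack
  // it, so treat this as a hint rather than proof.
  if (/\b(iPhone|iPad|iPod)\b/.test(ua) && /\bMobile\//.test(ua) && !/\bSafari\//.test(ua)) {
    return { inApp: true, kind: 'ios-webview' };
  }
  return { inApp: false, kind: 'browser' };
}

// What the login page should do for a request: render the normal login form,
// or first offer to continue in the system browser (where the real session lives
// and where OAuth providers allow the dialog).
function loginPageAction(ua) {
  const c = classifyUserAgent(ua);
  return c.inApp ? `offer-external-browser:${c.kind}` : 'inline-login';
}

// Constructed sample UAs (shapes follow the real ones; versions are made up).
const SAMPLE_USER_AGENTS = {
  iosSafari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1',
  iosWebView: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148',
  facebookIos: 'Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [FBAN/FBIOS;FBAV/400.0.0.0;FBDV/iPhone13,2;FBMD/iPhone;FBSN/iOS;FBSV/16.0]',
  androidChrome: 'Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36',
  androidWebView: 'Mozilla/5.0 (Linux; Android 13; Pixel 7; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36',
  instagramAndroid: 'Mozilla/5.0 (Linux; Android 13; Pixel 7; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 Instagram 300.0.0.0 Android (33/13; 420dpi; 1080x2340; Google/google; Pixel 7; panther; panther; en_US)',
};

// Run stand-alone to see each sample classified.
for (const [name, ua] of Object.entries(SAMPLE_USER_AGENTS)) {
  console.log(name.padEnd(18), loginPageAction(ua));
}
```

The decision is deliberately coarse: the site cannot make the in-app browser see Safari's cookies, so the practical options are to send the user to the system browser (for example an "Open in Safari/Chrome" link) or to accept a second login there and set the cookie in that jar too.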

Too frequent security alert from Google due to "Unrecognised device" on Angular 7 web app

I am developer and maintainer of an Angular web app which uses Google OAuth. This works normally.
Last week the app users (myself included) started receiving standard Security alert emails from Google (no-reply#accounts.google.com) on a daily basis. The email says "Appname was granted access to your Google account". This is of course a bad signal to the users.
When I click "Check Activity" in the email it always says:
Unrecognised device
X hours ago
Unknown (location)
This is the case for all users tested on many different devices and IPs.
Recently I have upgraded from Angular 5 to Angular 7 if that might help.
Also recently I noticed absolutely the same behaviour when I sign in to Dropbox using a Gmail account. The application I am responsible for is not storing session data for privacy reasons, so the users are asked to Sign in with Google every time they want to use the app. I noticed this behaviour (devices and locations not recognised by Google) just a week ago.
The Google group (https://groups.google.com/forum/#!forum/oauth2-dev) redirected me to Stackoverflow. Any help is much appreciated! :)
We are sending notifications to users when they approve certain scopes. That list is expanding and more apps will see the notification.
Thanks for the feedback. Looks like the unrecognized device was an issue and we have rolled back that experiment.
Ideally an app should see the notification only once and for non basic scopes (basic scopes being email, profile etc).

Facebook OAuth2 - "Sorry, something went wrong"

Our web app allows users to log in via Facebook. Technically, we are using Facebook OAuth2. We implemented this login process two years ago. It worked fine until 13th November 2015 but since that day it does not. When our server sends the request
https://graph.facebook.com/oauth/access_token
with appropriate parameters (client_id, redirect_uri, client_secret, code), the response from Facebook has HTTP status 400. The response body is an HTML page saying "Sorry, something went wrong".
There was probably some problem on Facebook on 13th November.
I have found the following message:
http://www.independent.co.uk/life-style/gadgets-and-tech/news/facebook-down-site-breaks-for-many-people-though-not-for-everyone-a6732906.html
However, our server still gets this error response after a week. We have an instance of the system deployed in the production environment and one more instance in the test environment (with a different Facebook account, i.e. with different client_id and client_secret). Currently, Facebook login works fine in the test environment. I am not sure if it worked on 13th November.
Do you have any experience with recovery from such problem? Why does Facebook login work in test environment and does not work in the production environment in the same app? Why did the production instance break on a particular day and is still broken a week later?
Thanks for any help.
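Added example, not code from the question or from Facebook's SDKs: the authorization-code exchange described above, written as pure functions so it can be exercised offline. buildTokenRequestUrl() assembles the GET to https://graph.facebook.com/oauth/access_token with the four parameters the question lists; parseTokenResponse() accepts the two body formats Facebook has used (form-encoded access_token=...&expires=... on older Graph versions, JSON on newer ones) and turns the HTML "Sorry, something went wrong" page into a structured error instead of a parse exception, so the failure shows up in logs with its status and an excerpt. exchangeCode() shows the wiring with an injectable fetch. Credentials and the sample responses are constructed placeholders.

```javascript
const TOKEN_ENDPOINT = 'https://graph.facebook.com/oauth/access_token';

// Build the server-side token request. redirect_uri must match the value used
// in the authorize step byte for byte; client_secret is only ever sent from the
// server, never from the browser.
function buildTokenRequestUrl({ clientId, clientSecret, redirectUri, code }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    client_secret: clientSecret,
    code,
  });
  return `${TOKEN_ENDPOINT}?${params.toString()}`;
}

// Interpret (status, content-type, body) from the token endpoint.
function parseTokenResponse(status, contentType, body) {
  const ct = String(contentType || '').toLowerCase();
  const text = String(body || '');

  // The failure from the question: HTTP 400 carrying an HTML error page rather
  // than a Graph API error object. Keep a short text excerpt for the log.
  if (ct.includes('text/html') || /^\s*<(!doctype|html)/i.test(text)) {
    const excerpt = text.replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim().slice(0, 80);
    return { ok: false, error: 'html_error_page', status, excerpt };
  }

  let fields;
  if (ct.includes('application/json') || /^\s*\{/.test(text)) {
    let json;
    try { json = JSON.parse(text); } catch (e) { return { ok: false, error: 'unparseable_json', status }; }
    if (json.error) {
      // Normal Graph API error shape: {"error":{"message":..,"type":..,"code":..}}
      return { ok: false, error: 'graph_error', status, code: json.error.code, message: json.error.message };
    }
    fields = json;
  } else {
    // Legacy form-encoded success body: access_token=...&expires=...
    fields = Object.fromEntries(new URLSearchParams(text));
  }

  if (status !== 200 || !fields.access_token) return { ok: false, error: 'no_token', status };
  const ttl = fields.expires_in !== undefined ? fields.expires_in : fields.expires;
  return { ok: true, accessToken: fields.access_token, expiresIn: Number(ttl) || null };
}

// Perform the exchange. fetchImpl is injectable so it can be stubbed in tests;
// by default it is the global fetch (Node 18+ or a browser-like runtime).
async function exchangeCode(params, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(buildTokenRequestUrl(params), { method: 'GET' });
  return parseTokenResponse(res.status, res.headers.get('content-type'), await res.text());
}

// Constructed sample responses for a stand-alone run.
const SAMPLE_RESPONSES = {
  htmlError: [400, 'text/html; charset=utf-8', '<!DOCTYPE html><html><body><h1>Sorry, something went wrong.</h1></body></html>'],
  jsonOk:    [200, 'application/json', '{"access_token":"EAAB-example","token_type":"bearer","expires_in":5183944}'],
  legacyOk:  [200, 'text/plain; charset=UTF-8', 'access_token=EAAB-example&expires=5183944'],
  graphErr:  [400, 'application/json', '{"error":{"message":"Invalid verification code format.","type":"OAuthException","code":100}}'],
};

for (const [name, args] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name.padEnd(10), JSON.stringify(parseTokenResponse(...args)));
}
```

Logging the structured result (status plus excerpt) rather than the raw body is what lets you tell a Facebook-side HTML failure apart from a misconfigured client_id or redirect_uri, which come back as Graph API error objects with a code.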
I had the same issue. I believe that the issue stems from passing in invalid scope in your authentication requests. Try removing the scopes in your authentication request to see if that works.
One more corner case I found in 2022:
In the App Dashboard, if you choose Facebook Login for Business, the same error happens. It goes away as soon as you select the Facebook Login one.
Finally, the issue was resolved by restarting the servlet container (Tomcat 7). However, I have no idea why.
All of this is using exclusively the login button. Not the API serverside and not FB.login(). It would work for me sometimes and sometimes not and I couldn't figure out why. I would open a new window and it may work, or may not - but it seemed like once broken it was broken.
There appears to be an issue when using the Chrome 'Device simulator'.
Looking at the SDK Javascript (that's to say the SDK that the Facebook Login button uses) it checks to see if the device is a 'touch' device and if so it will use the m.facebook.com domain when requesting the oauth token.
This domain, m.facebook.com, fails.
However, if the mobile device mode isn't activated when the page loads then it uses www.facebook.com and succeeds.
So for me the current workaround is:
Assuming you are developing with the console active.
When you need to reload your page press Ctrl + Shift + M to deactivate the mobile device mode.
Refresh the page
Once the button has initialized press Ctrl + Shift + M to reactivate it again.
If you see m.facebook.com then you didn't do it fast enough, or maybe you're using something like Angular with hot reload and you need to manually refresh.

How should I store login details with appcelerator?

I have built a website that uses Facebook, Google, Yahoo, Twitter and standard email/password for account signup. It all works fine on the web but my client wants to make the website an app. I've been experimenting with using webviews with appcelerator and it looks like it will work well. The problem is the website's session will expire after 30 minutes or so. The client wants to be able to stay logged in and prevent the users from having to re-login all the time.
I'm thinking I need to store the login details and automatically re-login when the session has expired. Would this be the best way to handle this?
I think this is solved. I'm going to use asiviero's suggestion.

Facebook Login takes me to Help Page

I have had Facebook Connect set up for over a few months and have done a lot of testing on it and everything seems to be working correctly. Suddenly when I try to login using the PHP Facebook SDK I get redirected to the following page https://www.facebook.com/help/258359927634494
It seems to let me login on occasion, but it usually redirects to this page. I assume my app was reported, however we only have a few test users at this time as we are in beta and I stopped my app from repeatedly asking for post permissions a while back as soon as I was aware it was doing that. What can I do to clear up the report?
This message appears when an app loads the login dialog many times in a short duration. Make sure you are only loading the dialog once per user. Until this redirect behavior is tweaked to be more lenient, try waiting ~30 seconds between tests.
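Added example, not code from the answer above or from Facebook's SDKs: a small guard that opens the login dialog at most once per user per interval, which is the "only once per user" condition the answer gives and the ~30-second spacing it suggests. The guard wraps whatever actually opens the dialog (FB.login in the JS SDK, or a redirect to the PHP SDK's login URL); the per-user key, the in-memory bookkeeping and the injectable clock are assumptions made so the code runs and can be checked without the SDK.

```javascript
// Guard against re-opening the Facebook Login dialog for the same user, e.g.
// from a component that re-renders or a page that calls login on every load.
function createLoginDialogGuard(openDialog, { minIntervalMs = 30000, now = () => Date.now() } = {}) {
  const lastOpened = new Map(); // userKey -> timestamp of the last dialog open
  const inFlight = new Set();   // userKeys whose dialog is currently open
  return {
    // Returns 'opened', 'already-open' or 'throttled'. openDialog(userKey, done)
    // must call done() when the dialog closes so the user can log in again later.
    open(userKey) {
      const t = now();
      if (inFlight.has(userKey)) return 'already-open';
      const last = lastOpened.get(userKey);
      if (last !== undefined && t - last < minIntervalMs) return 'throttled';
      inFlight.add(userKey);
      lastOpened.set(userKey, t);
      let settled = false;
      openDialog(userKey, () => {
        if (!settled) { settled = true; inFlight.delete(userKey); }
      });
      return 'opened';
    },
  };
}

// Stand-alone demo with a fake clock and a fake dialog that completes at once:
// two calls in quick succession open only one dialog; after the interval the
// dialog may open again. userKey here is an assumed per-session identifier.
function demo() {
  let clock = 0;
  const opened = [];
  const guard = createLoginDialogGuard(
    (user, done) => { opened.push(user); done(); },
    { now: () => clock },
  );
  const results = [guard.open('session-1'), guard.open('session-1')];
  clock += 31000;
  results.push(guard.open('session-1'));
  results.push(guard.open('session-2')); // a different user is not affected
  return { results, opened };
}

console.log(JSON.stringify(demo()));
```

In the browser the wrapped function would be something like `(user, done) => FB.login(resp => done(), { scope: 'email' })`; the important property is that a dialog close or a failed response still calls done(), otherwise the user stays in the in-flight set and can never retry.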