After a user has already accepted the auth dialog, he should not have to accept it again. However, when including the contacts scope (https://www.google.com/m8/feeds/) and asking for offline access, the user has to accept a 2nd auth dialog in order to sign in. The first auth dialog does not ask the user for offline access, whereas the 2nd dialog does. Here are the repro steps:
Put a sign-in button on the page that triggers the following javascript call to gapi.auth.signIn():
var myParams = {
'clientid' : 'myClientId',
'cookiepolicy' : 'single_host_origin',
'callback' : 'handleAuthResult',
'scope' : 'https://mail.google.com/ https://www.google.com/m8/feeds/ https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile',
'accesstype' : 'offline'
};
gapi.auth.signIn(myParams);
function handleAuthResult(authRe) {
console.log(authRe);
}
Click the sign-in button once, you will see an auth dialog with all of the permissions except for offline access. Click "Accept" and handleAuthResult receives a valid access token.
Click the sign-in button a 2nd time, and you will be prompted to grant offline access. Click "Accept", and handleAuthResult receives a valid access token. However, the user should not have to click "Accept" a 2nd time.
Click the sign-in button a 3rd time, and you will NOT be prompted to accept anymore permissions. The auth dialog quickly opens and closes, and handleAuthResult receives a valid access token.
I do not want to make returning users have to accept a 2nd auth dialog. Ideally, the offline access permission should appear in the 1st dialog.
I have also noticed that this only happens when I include the contacts scope (https://www.google.com/m8/feeds/). Removing that scope does not trigger the 2nd auth dialog that asks only for offline access.
Any help on how to get around this? Is this a bug on Google's end?
As I understand it this is expected behaviour. If you request offline access, the user will always be prompted to authorize offline access when they authenticate. Offline access and automatic subsequent logins are not compatible together.
Related
When I use FB.logout() the user gets logged out fine, but then the next time I do FB.login() it logs in the last user without the option to enter in new credentials. I can't find any information on how to forget the previously signed on user. Is there a parameter I can pass into logout or login that would forget the previous user?
I found out that the behavior I wanted could be achieved by deleting the users permissions with the following snippet before logging the user out.
FB.api(`/${fbUserId}/permissions`,
'delete',
{access_token: fbUserAccessToken})
Possibly the question is being solved somewhere, but I can't find the solution.
The problem is following:
There was created Facebook application for web-sites. Application ID: 838914722867595
All setting were set to "public" for the application. I.e. the status is "This app is public and available to all users"
When trying to get user info with not application owner account with "FB.api('/me', ... " I've got an error:
{ status="not_authorized", authResponse=undefined}
{ message="An active access token must be used to query information about the current user.", type="OAuthException", code=2500}
I need only Facebook user ID.
Calling of "FB.api('/me', ..." is wrapped into "FB.getLoginStatus( ..."
Doing the same with application owner account returns the expected user info results.
{ authResponse={...}, status="connected"}
{ id="1395024780825585", first_name="Evgeny", gender="male", more...}
The url with implemented Facebook JS: http://www.doc4net.com/download/2459616413282
Here is the screenshot of the app setting.
Please, advice
The issue is solved.
Facebook "Like" button DOES NOT provide application permissions on login. Even it is calling the login dialog.
So, first the one is need to be logged in with "Log in" button, which rises the login dialog with requesting to allow application permissions to read facebook user info.
Only after using "Log in" the "Like" button works properly.
I have deployed Google+ Sign-in Button, now I have to provide Sign-Out Button, before that, I need to know whether the user is still signed in, by which I can then show or hide this button.
I found this documentation: gapi.auth.checkSessionState(sessionParams, callback):
https://developers.google.com/+/web/api/javascript?hl=en#gapiauthchecksessionstatesessionparams_callback
Could someone demo how to use it ?
Many thanks.
gapi.auth2.getAuthInstance().isSignedIn.get()
This returns boolean
You don't need to use a separate function call to determine the user's signed in state if you've already added the sign-in button. The sign-in button's callback is going to trigger either on sign-in, when the page loads, or any time that the user's signed-in status changes. The page load trigger (immediate mode), will also help to indicate if the user is a Google signed-in user or not.
See monitoring the user's signed in status, which shows the different status fields that you can check (Google signed in, app signed in, or signed out).
From Google dev docs :
If you pass null to sessionParams.session_state, you can check if the user is signed in to Google, whether or not they have previously authorized your app.
So your code will be like this:
gapi.auth.checkSessionState({session_state: null}, function(isUserNotLoggedIn){
if (isUserNotLoggedIn) {
// do some stuff
}
});
This is an example of how to use it:
gapi.auth.checkSessionState({client_id:'99999999999.apps.googleusercontent.com'}, signinCallback);
where client_id is the id of your project on g+ console. and siginCallback is a function i created to check the state.
IT'S VERY IMPORTANT to notice that the official api documentation says:
If the argument is true, the supplied session_state is still valid. If the argument is false, it is no longer valid and the application should perform a new re-authorization flow with immediate set to true to get an up-to-date access token or detect a non-authorized or nonexistent Google sign-in session.
But when i recive the response of checkSessionState i get true value when im signed off and false when im signed in. I Dont know if there was an error on the documentation but you can try it by yourself.
Hope this has been helpful for you.
PD: excuses for my awful english
Adapted from Tom Anthony's Blog
One simple way you can use without the use of an API to see if a user is logged into Google + (Or Google/Facebook/Twitter) is to try to access a resource which they would only be able to access if logged in. The code below attempts to load an image resource for which the user needs to be authenticated to access. By default html <img> tags run onload() if an image is successfully returned, but onerror() otherwise.
<img style="display:none;"
onload="function(){document.getElementById('signOutButton').style.visibility = 'hidden';}"
onerror="function(){document.getElementById('signOutButton').style.visibility = 'visible';}"
src="https://plus.google.com/up/?continue=https://www.google.com/intl/en/images/logos/accounts_logo.png&type=st&gpsrc=ogpy0"
/>
I set up an app to allow users to log into my site using Facebook. When users click the FB login button, the expected auth dialog appears. My auth dialog shows a second page which says: "This app may post on your behalf, including status updates, photos and more."
But my app doesn't need any extended permissions, and will not be posting anything to Facebook. I don't want this second page to appear, but I can't figure out how to make it go away.
On my app's settings page, I didn't specify any extended permissions. Is there someplace else I have to specify that I don't want extended permissions?
Thanks for the help.
You might have specified a scope in the "Login with Facebook" button that requests these permissions from the user. Especially if you just copy-and-pasted an example from the documentation, this might have happened.
Check in your HTML whether you have something similar to this:
<div class="fb-login-button" scope="publish_stream">
Login with Facebook
</div>
If so, make sure to get rid of the scope attribute.
I am in the middle of making an app using a PHP web service to log users in/authenticate their credentials.
I am using localStorage (part of phonegaps local storage API) to ensure the user doesnt have to keep logging in when they open the app. This is done by storing the username and password on local storage and checking it when the app opens. If they feel the need to log out I have a simple logout button binded to a tap event which clears their local storage.
$( '#logout' ).live( 'tap',function(event){
window.localStorage.clear();
$.mobile.changePage("#loginPage", {transition: "none"});
});
BUT... when logged out, they are still able to click the back button on the phone and get into the secure area, which doesnt make sense because the "welcome, (username)" part is all messed up etc...
Im wondering if there is a way to ensure that what ever page they open does some sort of check to make sure theyre logged in??
Bind into the pagebeforeshow event of the pages to check if the user is logged on - check if credentials are present in local storage.
If user is not logged on you can either call preventDefault to stop the pageChange or better redirect the user to a loggedOffPage by modifying the toPage passed into the handler.
Refer the Page change events section on JQM Events page.