I have the following scenario:
User logs in with Facebook connect (devise, omniauth)
User starts browsing around the site
User logs out from Facebook
User can still browse around. <-- how can I prevent this from happening?
I basically want to redirect the user to the login page if he is logged out from Facebook
I'm using Rails 3.1 with devise, omniauth.
I think you have a misconception here. Once the user has granted your app privileges to access the Facebook profile--either by virtue of being logged into Facebook in another browser tab, or by explicitly logging into Facebook when redirected--then the OAuth handshake it done and your user is authenticated. The authentication state is now kept locally with your app; you presumably have a session cookie with the user_id, which Devise will handle for you.
The Facebook login on the browser is only necessary to log in, not to authenticate each single request.
You could presumably run the OAuth handshake on every single request, but that would be a lot of performance overhead, and also Facebook may rate limit you.
What is the business case for this scenario? Why do you think you want this?
Related
Setup Overview
I am using B2C custom policies for sign-in flow in react application using msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, B2C logout popup shows up and it goes away instantly without asking the user to choose an account which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed - [https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md
Issue
After successful logout, which seems to be happening properly as the UnAuthenticated template executes after login. When the user presses login again, it does not ask for any credentials, and user is signed in again which is a security issue. I am not sure what am I missing now. I have gone through all the MS docs multiple times and GitHub issues but did not find a solution
Flow:
Before First login - Session Storage and Cookies are empty,
After login - Session Storage has values and Cookies have 2 entries - x-ms-cpim-sso and x-ms-cpim-csrf
After logout - Both are cleared with no values
Click login again, values from step 2 come back in. But if you don't click login and try different app routes, it shows Unauthenticated template which has login button. So seems like user was correctly logged out
A few questions and helpful information
Is azure ad B2C considered as social sign in (federated entity) or is it considered a local account like Azure AD
I have read here that it does not assume logout from social IDP but I am not using anything other than B2C. In this GitHub, it also mentioned it is expected behaviour but how do I logout properly so that user is asked for credentials again. [https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
After pressing logout, if user is signed out from B2C as the app executes Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials.
Please guide me to solve this issue
In my play 2.2.4 application, using securesocial 2.1.3 module for authenticating the user via social login(google, facebook,linkedIn). Finally I want to logout the user from social site. For logout I use the following call.
GET /logout securesocial.controllers.LoginPage.logout
But the social site is not get logged out.
what is this the correct way of doing logout?
You can't log out from an external provider. That is not supported and I would advise against it. Your users won't expect to be logged out from Facebook for example if they decide to log out from your app.
I'm using Google OAUTH2 for my website. I can successfully login using the google authentication.
Here is what I want to do is:
1) user goes to website homepage and user signs in by clicking "sign in with google" and login is successful and user is taken to logged user dashboard page.
2) user comes back after half hour, user goes to home page and they should get automatically redirected to logged in user dashboard instead of homepage since they already have a valid session.
question - how can you detect if the user is already logged in? Should I be storing the access_token in the session to detect this? what's the recommended way to acheive this with Google OAUTH2?
Yes, you can store the access token in the session, but keep in mind that it could be expired. You should be able to get a new one with an immediate request.
You could also try and do session synchronization from JavaScript, if your site does not have its own session management:
https://developers.google.com/+/web/api/javascript#gapiauthchecksessionstatesessionparams_callback
I implementet Google+ Sign-In API in the root page of my app. It automatically signs in user if user is signed in to google, then API automatically signs him in to my app. The problem is that when user logs out of my app, he is redirected to root page which logs him back in, since he still is logged in to google.
You can see the whole code here: https://developers.google.com/+/web/signin/
wierd, they have "See also, signing the user out of your app."
link, but it's broken :(
Any ideas?
This is similar to this question:
Preventing automatic sign-in when using Google+ Sign-In
You could use a cookie that is set when the user is logged in on your site. If the user is logged in, indicated by the presence of the cookie, allow the user to automatically get redirected into your site. If the user is not logged in, require that the user click the sign-in button before you hide the button and redirect them to the signed-in experience. To log the user out, delete the cookie.
How I can determine that user is logged in to facebook but not authenticated my facebook web application using php sdk. I know we have $user = $facebook->getUser(); but this only check that user authenticated the app or not. I want something like FB.getLoginStatus
the user is logged into Facebook and has authenticated your application (connected)
the user is logged into Facebook but has not authenticated your application (not_authorized)
the user is not logged into Facebook at this time and so we don't know if they've authenticated your application or not (unknown)
Want to determine second condition using php sdk i.e. of not_authorized but logged in to facebook
The PHP SDK on it’s own has no way of knowing that.
The JS SDK can make cross-domain calls to have Facebook check if there is an active session under their domain. From server-side alone there is no way of doing something similar.
I want something like FB.getLoginStatus
And why not use just that, and pass the info on to the server? (Cookie, AJAX, …)