Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Facebook Oauth Logout

I have an application that integrates with Facebook using Oauth 2.

I can authorize with FB and query their REST and Graph APIs perfectly well, but when I authorize an active browser session is created with FB. I can then log-out of my application just fine, but the session with FB persists, so if anyone else uses the browser they will see the previous users FB account (unless the previous user manually logs out of FB also).

The steps I take to authorize are:

  1. Call [LINK: graph.facebook.com/oauth/authorize?client_id...]

This step opens a Facebook login/connect window if the user's browser doesn't already have an active FB session. Once they log-in to facebook they redirect to my site with a code I can exchange for an oauth token.

  1. Call [LINK: graph.facebook.com/oauth/access_token?client_id..] with the code from (1)

Now I have an Oauth Token, and the user's browser is logged into my site, and into FB.

  1. I call a bunch of APIs to do stuff: i.e. [LINK: graph.facebook.com/me?access_token=..]

Lets say my user wants to log out of my site. The FB terms and conditions demand that I perform Single Sign Off, so when the user logs out of my site, they also are logged out of Facebook. There are arguments that this is a bit daft, but I'm happy to comply if there is any way of actually achieving that.

I have seen suggestions that:

A. I use the Javascript API to logout: FB.Connect.logout(). Well I tried using that, but it didn't work, and I'm not sure exactly how it could, as I don't use the Javascript API in any way on my site. The session isn't maintained or created by the Javascript API so I'm not sure how it's supposed to expire it either.

B. Use [LINK: facebook.com/logout.php]. This was suggested by an admin in the Facebook forums some time ago. The example given related to the old way of getting FB sessions (non-oauth) so I don't think I can apply it in my case.

C. Use the old REST api expireSession or revokeAuthorization. I tried both of these and while they do expire the Oauth token they don't invalidate the session that the browser is currently using so it has no effect, the user is not logged out of Facebook.

I'm really at a bit of a loose end, the Facebook documentation is patchy, ambiguous and pretty poor. The support on the forums is non-existant, at the moment I can't even log in to the facebook forum, and aside from that, their own FB Connect integration doesn't even work on the forum itself. Doesn't inspire much confidence.

Ta for any help you can offer. Derek

ps. Had to change HTTPS to LINK, not enough karma to post links which is probably fair enough.

like image 513
Derek Troy-West Avatar asked May 04 '10 10:05

Derek Troy-West


People also ask

Is OAuth Facebook log in?

OAuth2 dominates the industry as there is no other security protocol that comes close to the adoption of OAuth2. In case you're wondering what OAuth2 is, it's the protocol that enables anyone to log in with their Facebook account. It powers the “Log in with Facebook” button in apps and on websites everywhere.

Where is client OAuth settings in Facebook?

In your Facebook app configuration, click on the Settings tab on the left-hand navigation menu. Then go to the Advanced tab at the top and scroll down to the Client OAuth Settings section.

Does Facebook automatically log out?

Install Facebook Auto-Logout here. The add-on is enabled by default. From now on, when you close the Facebook window, the add-on will log you out. It will also log you out after 60 seconds of inactivity, which might not be enough for you.


2 Answers

I am having the same problem. I also login using oauth (I am using RubyOnRails), but for logout, I do it with JavaScript using a link like this:

<a href="/logout" onclick="FB.logout();">Logout</a>  

This first calls the onclick function and performs a logout on facebook, and then the normal /logout function of my site is called.

Though I would prefer a serverside solution as well, but at least it does what I want, it logs me out on both sites.

I am also quite new to the Facebook integration stuff and played around the first time with it, but my general feeling is that the documentation is pretty spread all over the place with lots of outdated stuff.

like image 111
Christoph Avatar answered Oct 10 '22 22:10

Christoph


This works as of now - and is documented on facebook's site @ http://developers.facebook.com/docs/authentication/. Not sure how recently it was added to the documentation, pretty sure it wasn't there when I checked Feb-2012

You can programmatically log the user our of Facebook by redirecting the user to

https://www.facebook.com/logout.php?next=YOUR_REDIRECT_URL&access_token=USER_ACCESS_TOKEN

like image 25
russau Avatar answered Oct 10 '22 23:10

russau