This is kinda hard to explain. I'm building an application on Android which is supposed to be used in a meeting in like a "stand" so people would submit some feedback after the meeting. Please notice there's a bunch of people who are going to use this application on the same device.
The application is gonna be used by different users on the same device and all of them are supposed to login with their Facebook account before continuing. For security reasons, I would love to have a way to destroy a Facebook session after a poll is submitted or simply, every time a new poll is issued, when the user is required to login on Facebook, I would like to force Facebook to prompt an authentication dialog (username and password again) even though there's an active session.
I've looked everywhere and I have found nothing. I know there's a way to request on Facebook an extended permission to logout, but please notice this permission needs to be approved after logging in, so if a user, after logging in, just decides not to approve this permission, this session is going to be there until a browser is opened and a logout is performed from the Facebook site.
I've also thought of destroying the browser cookies but I don't know if there is such a permission in the Android SDK to perform this.
Please, if anybody has any idea on how to get rid of this issue, I would really appreciate any suggestion or workaround.
I believe you can do this with the Facebook SDK for Android 3.0 (beta).
You can turn off SSO (by using the SUPPRESS_SSO behavior) which should bring up a web dialog every time. And once the user is done interacting with your app, you can just call session.closeAndClearTokenInformation().
Cookies are not preserved when using the dialog login.
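The flow this answer describes, sketched for a shared kiosk device as an added example (not code from the original answer or from Facebook). It assumes the Facebook SDK for Android 3.x `Session` API; `PollActivity`, `loggedIn` and `onPollSubmitted()` are hypothetical names, and it also discards a token left cached by an interrupted previous run, which goes slightly beyond what the answer covers.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import com.facebook.Session;
import com.facebook.SessionLoginBehavior;
import com.facebook.SessionState;
// Hypothetical kiosk activity: each respondent gets a fresh web-dialog login.
public class PollActivity extends Activity {
    private boolean loggedIn; // gate the feedback form on this flag
    private final Session.StatusCallback callback = new Session.StatusCallback() {
        @Override
        public void call(Session session, SessionState state, Exception exception) {
            loggedIn = state.isOpened();
        }
    };
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        startFreshLogin();
    }

    private void startFreshLogin() {
        Session session = new Session.Builder(this).build();
        // A token left in the cache (e.g. the app was killed before the last
        // respondent finished) would reopen silently, so discard it first.
        if (session.getState() == SessionState.CREATED_TOKEN_LOADED) {
            session.closeAndClearTokenInformation();
            session = new Session.Builder(this).build();
        }
        Session.setActiveSession(session);
        session.openForRead(new Session.OpenRequest(this)
                .setLoginBehavior(SessionLoginBehavior.SUPPRESS_SSO) // web dialog, no SSO
                .setCallback(callback));
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        Session session = Session.getActiveSession();
        if (session != null) session.onActivityResult(this, requestCode, resultCode, data);
    }

    // Hypothetical hook: call once the respondent has submitted the poll.
    void onPollSubmitted() {
        Session session = Session.getActiveSession();
        if (session != null) session.closeAndClearTokenInformation(); // drop cached token
        startFreshLogin();
    }
}
```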
Related
There are many questions & answers related to the subject, but very few specific to Facebook's Android 4.x SDK.
What I want to do is, after I call LoginManager.getInstance().logOut(), I want the user to have to re-authenticate in order to create a new AccessToken.
I am seeing that after I call LoginManager.getInstance().logOut() I am not prompted for credentials the next time I call LoginManager.getInstance().logInWithReadPermissions(...).
Anyone know how to force LoginManager to have the user re-authenticate?
The Facebook process confused me for ages as it doesn't appear to be clearly explained, and as you point out, most of the questions are for SDK 3.
But as far as I can see the only way that the user needs to re-authenticate is if they go to
Facebook->Settings->Apps
and in App Settings click remove for the app.
If they have approved the App for login once then no matter what happens with the App on the Android device, provided that you follow the correct usage of LoginManager, it never prompts the user to re-authenticate.
I am new to authenticating through social networks on Android, so pardon me. I created an activity with which I can log in through Facebook and Google. I am planning to do this: the user comes the first time, I ask him to log in through Google or Facebook, and once he does, let him go to other activities. How do I handle the scenario when the user closes and restarts my app? I want my app to work both offline and online.
Method 1: I am planning to store a bit in my SQLite DB which notes whether the user signed in through any social network; if he has, then go ahead. Don't open the login page multiple times and directly give the user access to other pages. The problem with this approach is that if I want the user to publish on his wall then I need to get him to log in again before publishing (if the session token expires). The rest seems fine. Also I will provide him a sign out button with which I will clear this bit for the next login.
What do you guys think about this approach? How do other people do this in their apps with multiple activities? I assume this approach works fine if we don't need to access Facebook/Google again and just need to get basic user data to let him log in. Drawback: even if he removes my app from his Facebook/Google account, I give him full access until he logs out.
Method 2: Always on app start I check if Facebook has session.isOpen() or myGoogleClient.isConnected(). If either of these gives true, I let the user into my app. I make sure which network the user logged in with and show him the log out button of that network. This check will only happen when the user restarts the app. Once the user logs in, is he always logged in or does he see a lot of login pages? I feel this approach is better.
Do I need to check for the session open condition on each activity when transitioning through activities?
Any suggestions on what approach is used by different apps? I want my app's data to be accessible in offline mode, but still let the user access online features when he is online.
Even when he is logged in with Google, I want him to publish on his wall with Facebook login, so I will ask him to do so if he clicks on the publish button; this way at times I have both logins and will choose any of them.
Please show me directions. I tried to find this on the net and reached the above conclusions, but am not able to finalize the right approach.
I am calling
s.closeAndClearTokenInformation();
s.close();
Session.setActiveSession(null);
Which are the only methods I see that appear to reset a user's login, however, upon my next cycle through my app and call to Session.getActiveSession() I do not get a login dialog and the pre-existing token is utilized.
I'm not seeing anything in the documentation about logging a user out (I only see options for how to present them with a log-out button, which doesn't work for our use case).
Would really appreciate some advice on this.
When you call closeAndClearTokenInformation, it will clear your app's local cache of the token information that's associated with the user.
When you create another session AND you open it AND you use SSO AND the Facebook app exists on the device AND the user is not logged out from the Facebook app, then the app will silently authorize your app again without requiring further user interaction. This is by design (since when they authorize your app, the authorization is active unless they explicitly revoke access).
What is your use case where you want to see user interaction for subsequent session open calls?
You log out, but you didn't revoke the access, so when opening again, it logs on and sees that it is authorized to it.
I don't know how it's done in the new API, but check this out: Facebook API SDK revoke access
Hope it helps.
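One way to do the revocation this answer refers to, added here as an example and not taken from the original post: a `DELETE` on the Graph API `me/permissions` edge, issued before the local token is cleared. It assumes the SDK 3.x `Request`/`Session` API used in the question; `FacebookRevoker` and its `Listener` are hypothetical names.

```java
import com.facebook.HttpMethod;
import com.facebook.Request;
import com.facebook.Response;
import com.facebook.Session;

// Hypothetical helper: revoke the app's authorization, then clear local state.
public final class FacebookRevoker {

    public interface Listener { void onDone(boolean revoked); }

    // Call from the main thread; the Graph request itself runs asynchronously.
    public static void revokeAndLogout(final Session session, final Listener listener) {
        if (session == null || !session.isOpened()) {
            // No usable token: the Graph call cannot be made, so only clear locally.
            if (session != null) session.closeAndClearTokenInformation();
            Session.setActiveSession(null);
            listener.onDone(false);
            return;
        }
        // DELETE me/permissions removes the user's authorization of this app,
        // the same effect as removing it under Facebook -> Settings -> Apps.
        new Request(session, "me/permissions", null, HttpMethod.DELETE,
                new Request.Callback() {
            @Override
            public void onCompleted(Response response) {
                boolean revoked = response.getError() == null;
                // Clear the token only now: it was the credential for the request.
                session.closeAndClearTokenInformation();
                Session.setActiveSession(null);
                listener.onDone(revoked);
            }
        }).executeAsync();
    }
}
```

After a successful revocation the next login shows the app-authorization dialog again; it does not sign the user out of the Facebook app itself.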
I'm a bit confused about how facebook.logout(context) works.
Because even after calling log out, I am able to get access to information that requires an auth_token. So how is that even possible? I came across this topic, which left me a bit confused: https://stackoverflow.com/a/6597688/487940
After reading that answer, this is my question: So if the user grants access to [my] application, he will always be authenticated if he is logged into the [official] facebook application? Even if I try to call facebook.logout(context) in [my] application, he will be logged in and my application will be able to make calls to Facebook API?
Sorry that I'm not able to understand this behavior.
UPDATE: After reading Torid's response, I am confused about facebook.logout() function. What is the purpose of this function if it does not log the user out? Because, I don't see the purpose of calling this purpose anymore. It doesn't log the user out.
There are two independent things going on here: 1) whether your user has authenticated your app (with permissions) to Facebook and 2) whether your user is logged in to Facebook.
Authentication is required the first time your user uses your app and lasts until the user explicitly de-authenticates (e.g. through the Facebook web Account Settings -> Apps -> App Settings).
Log in may be required each time your user starts your app. But if you use the default SDK authorize(), that tries to do a Single Sign On (SSO), where if the Facebook app is logged in, your app is automatically logged in and uses the existing access token.
If you are using SSO, when you do a logout, that has no effect, as a real logout would have to log out the Facebook app - which the user might not like!
You can get around this behavior by doing an authorize of the form
authorize(this, PERMISSIONS, FORCE_DIALOG_AUTH, new LoginDialogListener());
which avoids SSO and forces a dialog login. Of course, that then forces your user to login each time you start your app - unless you save the login details / access token under the covers (which is what the SDK does - check the source).
I'm just starting to use Facebook SDK for Android and I'm wondering if there is a way to link it to the actual Facebook Android app itself.
What I mean is when I'm logged in to the official Facebook app, I would like Facebook.isSessionValid() to return true and not get into the login with password process.
Is that possible or am I dreaming of an unfeasible thing?
That's not possible. The Facebook SDK uses the app if it's installed for authentication. Otherwise it falls back to a WebView based one. This way you don't have to deal with usernames and passwords (and can't get them even if you wanted). It won't ask the user for credentials if he is already signed into the app though.
The user still has to confirm permissions and allow your app specifically for safety reasons.
It would be pretty bad if every app could abuse your Facebook account in the background without asking for permission first.