Android FQL Query error - android

I was successfully making an FQL query earlier today. Now when I try to make the same query I am getting the following message.
"error_code":190,"error_msg":"Error validating access token: The session has been invalidated because the user has changed the password."
I am making the query on my own account, and my password has not been changed. Any suggestions for why this may be happening?
Now I am getting this error.
"Error validating access token: Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons."

Based on above comments, this will be this issue.
The Single Sign On (SSO) in Android allows a user to authorise your app, and once they have done that they will be signed straight in on subsequent visits if they've signed in to Facebook for any application on the phone/tablet.
The downside of this is that the SSO remembers the token and if the token becomes invalidated (by a user de-authorising the app or by them changing password or other details), it will try to use it anyway. You MUST check for those two errors specifically as isSessionValid() will return true, even though it's not. If you catch one of those two errors, you call the authorize method again.
So, in your case, trap that error, and call authorize().
Documentation from Facebook: http://developers.facebook.com/docs/mobile/android/build/#sso
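The check described in this answer, as an added example that is not part of the original post or the Facebook SDK: it classifies a response body by the two error messages quoted in the question and re-authorizes once instead of trusting isSessionValid(). The class and method names, the regex-based parsing (on Android, org.json would be the usual choice) and the sample bodies are assumptions constructed for illustration.

```java
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FqlTokenCheck {
    enum Action { PROCEED, REAUTHORIZE, REPORT_ERROR }

    private static final Pattern CODE = Pattern.compile("\"error_code\"\\s*:\\s*(\\d+)");
    private static final Pattern MSG = Pattern.compile("\"error_msg\"\\s*:\\s*\"([^\"]*)");
    // Shared prefix of the two messages quoted in the question.
    private static final String TOKEN_ERROR = "Error validating access token";

    /** Classifies a raw response body; isSessionValid() is deliberately not consulted. */
    static Action classify(String body) {
        Matcher code = CODE.matcher(body);
        Matcher msg = MSG.matcher(body);
        boolean hasCode = code.find();
        boolean hasMsg = msg.find();
        if (!hasCode && !hasMsg) return Action.PROCEED;
        if (hasCode && code.group(1).equals("190")) return Action.REAUTHORIZE;
        if (hasMsg && msg.group(1).startsWith(TOKEN_ERROR)) return Action.REAUTHORIZE;
        return Action.REPORT_ERROR; // some other API error: re-authorizing would not help
    }

    /** Runs the query; on a token error re-authorizes once and retries once, never in a loop. */
    static String queryWithReauth(Function<String, String> query, Supplier<String> authorize, String token) {
        String body = query.apply(token);
        if (classify(body) != Action.REAUTHORIZE) return body;
        String fresh = authorize.get(); // hypothetical hook: drop the cached token, call authorize()
        return query.apply(fresh);      // caller classifies this result; no second retry
    }

    public static void main(String[] args) {
        // Constructed sample bodies built from the messages quoted in the question.
        String invalidated = "{\"error_code\":190,\"error_msg\":\"Error validating access token: "
                + "The session has been invalidated because the user has changed the password.\"}";
        String mismatch = "{\"error_msg\":\"Error validating access token: "
                + "Session does not match current stored session.\"}";
        String ok = "{\"data\":[{\"uid\":1}]}";
        System.out.println(classify(invalidated));
        System.out.println(classify(mismatch));
        System.out.println(classify(ok));
        Function<String, String> fakeQuery = t -> t.equals("new-token") ? ok : invalidated;
        System.out.println(queryWithReauth(fakeQuery, () -> "new-token", "stale-token"));
    }
}
```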

Related

MSAL Azure ADb2c Throwing error after resetting the password and launching the application in Native Android

I was integrating Azure AD B2C into my native Android application, and I have used the SignInSignUp and passwordReset user flows for my current application. Currently, when I reset the password, the password gets changed and I am redirected to the app as expected, but when I try to relaunch the application after some time, MSAL throws an exception with the message com.microsoft.identity.client.exception.MsalUiRequiredException: AADB2C90088: The provided grant has not been issued for this endpoint. Actual Value : B2C_1_SignInSignUp and Expected Value : B2C_1_PasswordReset . How can I handle such a situation?
You are using separate password reset and sign in/sign up flows. This means once the user performs password reset, the tokens are issued for the password reset policy. Later, once the access token expires, the refresh token is used to get a new access token. In this call, you pass in an account object (password reset), but perform the call against the sign in/up authority. This causes an error as the refresh token in the password reset account object can only be used against the password reset authority (policy).
To solve this, you can use the combined sign up/in/password reset journey.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-password-reset-policy?pivots=b2c-user-flow#self-service-password-reset-recommended

What to do if token expired

I communicate with an API using Retrofit. When the user logs in, I save the account to a database, and when the user opens the app next time, I get the data from the database (so I skip the login screen). The problem is when the user's token expires.
How to handle the situation?
In the login fragment (pseudocode):
    user = ... // get user from database
    if (user != null) {
        startActivityAccountActivity();
    }
    // onButtonClick
    emailLogin();
Don't go to your "logged in" activity just because you have a token saved, because as you have correctly noticed, it may be invalid. Try authenticating with the API when you get the token, and only go to the "logged in" activity if it indeed worked. Otherwise proceed as if there was no token saved (and remove the expired one from the database).
You should also note that the token may expire when the user is in the "logged in" activity. For example, the user logged in, used the app and then went to another app from the recents screen. A week later he/she returns to your app with the "logged in" activity open, but in the meantime the token has expired and nothing will work. So you should also check if the token still works there, maybe in the onStart() of the activity.
As indramurari said, you can also handle it on the backend if you control it. But keep in mind that it doesn't solve your inherent problem of handling expired tokens, a refresh token may also expire and you are back to square one. If you make refresh tokens not expire you can just make the login tokens not expire. (This paragraph would be a comment on his answer, but I don't have enough reputation.)
It depends on your back-end security level. You have two options to handle this situation.
1. Build some mechanism on the back-end side so that your server sends a refresh-token along with the user's token at the time of login to the Android device. Whenever the user's token expires, send a request from the Android device to your server to obtain a new user's token by sending the old user's token along with the refresh-token. You can then use that new user's token in future. Repeat this whenever the user's token expires.
   Note - the refresh-token is for validating that it is a valid resource that is requesting a user's token.
2. You can delete the user account from the database and tell the user to re-login.
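One way to implement the launch check both answers describe (added example, not code from the original posts): validate the saved token against the API, fall back to the refresh-token exchange, and delete stored credentials only on a definite rejection. AuthApi, its methods, the map standing in for the database, and the RETRY_LATER outcome for non-401 failures are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

public class LaunchGate {
    /** Hypothetical stand-in for the Retrofit service used by the app. */
    interface AuthApi {
        int check(String accessToken);                           // HTTP status of an authenticated call
        String refresh(String accessToken, String refreshToken); // new token, or null if rejected
    }

    enum Screen { ACCOUNT, LOGIN, RETRY_LATER }

    /** Decides where to go on launch (and again in onStart()); db stands in for the local database. */
    static Screen route(Map<String, String> db, AuthApi api) {
        String access = db.get("access");
        if (access == null) return Screen.LOGIN;
        int status = api.check(access);
        if (status == 200) return Screen.ACCOUNT;
        // Assumption: only 401 means "token rejected"; a timeout or 5xx must not wipe the login.
        if (status != 401) return Screen.RETRY_LATER;
        String refreshToken = db.get("refresh");
        String renewed = (refreshToken == null) ? null : api.refresh(access, refreshToken);
        if (renewed != null && api.check(renewed) == 200) {
            db.put("access", renewed);
            return Screen.ACCOUNT;
        }
        db.clear(); // refresh token expired too: remove stale credentials and ask for re-login
        return Screen.LOGIN;
    }

    public static void main(String[] args) {
        // Constructed fake backend: only the token "live" is accepted, "down" simulates an outage.
        AuthApi api = new AuthApi() {
            public int check(String t) { return t.equals("live") ? 200 : t.equals("down") ? 503 : 401; }
            public String refresh(String a, String r) { return r.equals("good") ? "live" : null; }
        };
        Map<String, String> db = new HashMap<>();
        db.put("access", "expired");
        db.put("refresh", "good");
        System.out.println(route(db, api) + " " + db.get("access")); // refresh succeeds
        db.put("access", "expired");
        db.put("refresh", "stale");
        System.out.println(route(db, api) + " " + db);               // both tokens rejected
        db.put("access", "down");
        System.out.println(route(db, api) + " " + db);               // outage: token kept
    }
}
```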

Unable to get valid Session Token after ParseFacebookUtils.logInWithReadPermissionsInBackground signed up a new user

Hi I'm trying to implement a new app using Parse login with facebook feature.
I followed the Guide to use facebook login feature and all went ok.
Documentation states
Sessions represent an instance of a user logged into a device. Sessions are automatically created when users log in or sign up.
The problem is that I never get a valid session token when ParseFacebookUtils.logInWithReadPermissionsInBackground(...) returns (and signs up) a User which is newly created on the Parse platform (thus User.isNew() is true).
Inspecting the Data dashboard I can see correctly the new _User entry but there's no entry for _Session class, whereas I should find the one with createdWith="signup" for my _User.
As a side effect, when trying to log out a newly created user I get a com.parse.ParseException: Parse::UserCannotBeAlteredWithoutSessionError because, obviously, the newly created user doesn't get any session token.
If instead I perform the same operation for the same user after its creation (and therefore the User only logs in to Parse) I get a valid session token and everything's OK (which means there's a _Session object with createdWith="login" associated with the _user object).
Is this a bug or something not expected to occur? Or am I missing something?
Thanks!
Currently using:
facebook-android-sdk:4.0.1 +
ParseFacebookUtilsV4-1.9.1.jar +
Parse 1.9.0 jar

ParseUser.getCurrentUser() confusion

I'm using Parse as the backend.
To check if the user is logged in I use ParseUser.getCurrentUser(). What I don't understand is, if the user changes his password from somewhere else (another device, the web-client), will this ParseUser return with some kind of error?
I don't think it does a check on the server, so I think it just returns the last saved user. Does this mean that I can continue to use this user (with an old password) or will I get a "wrong credential" response on the first request to the servers?
If I don't get it, will I at least get it when setting an ACL with parseObject.setACL(new ParseACL(ParseUser.getCurrentUser()));?
Try the same action on Yahoo in 2 open browsers of different types and see what you get.
Each client's been handed a token value by the respective servers and, until the token expires, will not be prompted for a new logon.
Well, IMO Parse works very similarly, except the lease on the Parse token never expires.
The response to the original Parse logon contains the token value, which the SDK may retain. Details are in the docs section on REST API / user logon...
So, if a different client changes the password but the token lease over on some other client never expires, the other client stays logged in.

Android Facebook app logout issue

My app uses the Facebook SDK to post status updates. Also, there is a logout feature. I can log in the first time the app is run. I can post a status message to Facebook successfully. But once I log out, on subsequent runs and attempts to update status I encounter an error from Facebook saying "An error occured. Please try again later". I have noticed that the authorize method on subsequent attempts to log in (after the first logout) tries to use the same accessToken and accessExpires (although I have set them to null and 0 respectively in the logout method), and in turn the isSessionValid() method returns true for me. And hence the Facebook server throws me this error.
Can anyone please tell me how to fix this bug/issue?
The Facebook Android SDK sets authtoken and expires_in in shared preferences, so when you log out you need to delete them from there.
Also, any time your app starts you have to validate the saved token by making a call to the Graph API "me"; if there is any exception you have to delete the saved token and reauthorize. This is because the token might be invalidated (for example when the user changes their password).
Hope this helps.
