Logout / switch to user after offline access permission has expired

As of May 1st, Facebook web apps are dropping the offline access permission; web apps can easily renew the OAuth access token (within 60 days).

But if the application is on the Internet and wants to provide a "Switch user" option, most often logout → login, then the access token is invalid and there is no substitute for offline_access at all.

Q: Is there a way to keep valid access tokens (for 60 days) but still allow logins or multiple users to log into the same browser, or a way to "force login prompt" when prompted for a login (for Facebook to prompt Switch on the login page)?

Or are we encouraging you to no longer offer a logout option?

+3




2 answers


I have done some tests and it is similar to how I get the access token, server side stream or client side stream: even though I have two tokens (from both streams), when I call FB.logout() (I assume this is how you register the user), all tokens become invalid.

It seems to me that you will need to choose which functionality you prefer, toggle user or durable valid token, unless of course I'm missing something.



However, I can offer you a workaround. It is not ideal, as most workarounds are not, but it can allow you to enjoy both worlds: in the UI where you give the user the option to log out to switch users, just tell him to log out of Facebook manually, and then when he hits your logout, just log out of it without using FB.logout. This way, the access tokens you have for this user will not be invalidated and another user can log in.

+1
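
The workaround in the answer above (end the app's own session without calling FB.logout), sketched on the server side as an added example that is not part of the original answers. `TokenVault` and its method names are hypothetical, the token strings in any call are constructed samples, and the 60-day lifetime is the figure from the question.

```javascript
// Added example: app-only logout that keeps each user's stored token usable
// for background work while the shared browser loses access to it.
// TokenVault and all method names are hypothetical, not part of any Facebook SDK.
const { randomBytes } = require('crypto');

const SIXTY_DAYS_MS = 60 * 24 * 60 * 60 * 1000; // lifetime stated in the question

class TokenVault {
  constructor() {
    this.tokens = new Map();   // fbUserId -> { accessToken, expiresAt }
    this.sessions = new Map(); // sessionId -> fbUserId
  }

  // After a completed login: store the token server-side, open an app session.
  appLogin(fbUserId, accessToken, now = Date.now()) {
    this.tokens.set(fbUserId, { accessToken, expiresAt: now + SIXTY_DAYS_MS });
    const sessionId = randomBytes(32).toString('hex'); // unguessable cookie value
    this.sessions.set(sessionId, fbUserId);
    return sessionId; // only this goes to the browser, never the token
  }

  // "Switch user": drop the browser's session, leave the stored token alone.
  appLogout(sessionId) {
    return this.sessions.delete(sessionId);
  }

  // Token for the browser's current session, or null if it has none.
  tokenForSession(sessionId, now) {
    const userId = this.sessions.get(sessionId);
    return userId === undefined ? null : this.tokenForUser(userId, now);
  }

  // Token for background jobs, or null when missing or past its lifetime.
  tokenForUser(fbUserId, now = Date.now()) {
    const rec = this.tokens.get(fbUserId);
    if (!rec) return null;
    if (now >= rec.expiresAt) {
      this.tokens.delete(fbUserId); // expired tokens are purged, not returned
      return null;
    }
    return rec.accessToken;
  }
}
```

Because the browser only ever holds the session id, the next person on a shared browser cannot reach the previous user's token once `appLogout` has run.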




This might not work for security reasons, but have you tried building an exit URL without specifying an access token? That is, for example:

  • If you are using the PHP SDK, either write your own version of the method getLogoutUrl(...), or just pass in an empty access_token like $facebook->getLogoutUrl(array('access_token' => ''));

  • If you are using the JS SDK, you will not be able to use FB.logout(), which requires an access token. You can provide your own instead:



FB.provide('UIServer.Methods', {
    'auth.logout': {
        url: 'logout.php',
        transform: function(a) {
            var xdRelation = FB.UIServer.getXdRelation(a.params);
            a.params.next = FB.UIServer._xdResult(a.cb, a.id, xdRelation, true);
            return a;
        }
    }
});

      

If you run the above code, it should in theory change the behavior of FB.logout to not skip access_token anymore. Fair warning: I haven't tested it myself. Otherwise, just push the user to http://facebook.com/logout.php?next=SOME_URL and see if this works without access_token.

+1

