
FB auth.logout is being raised after being logged in using the "server-side-workflow" (OAuth 2.0)

NOTE: Our (web) application was working fine until we upgraded to the OAuth 2.0 workflow this past weekend.

When a user "connects with Facebook" to our (web) application we log them in to Facebook using the "server-side workflow" described in the Facebook Authentication docs. However, Facebook is raising the auth.logout event when the user gets to their home page in our application, which contains the following JavaScript code:

window.fbAsyncInit = function() {
    // Runs once the SDK script loaded below is ready. cookie: true lets the SDK
    // keep its state in a cookie; status: true makes it check the user's login
    // status as soon as it initialises.
    FB.init({appId: 'XXX', status: true, cookie: true, xfbml: true, channelUrl: 'http://XXX/fbchannel.html', oauth: true});
    // Log the user out of our application whenever the SDK reports a Facebook logout.
    FB.Event.subscribe('auth.logout', function(response) {
        logout();
    });
};
// Load the SDK asynchronously, using the same scheme (http/https) as the page.
(function() {
    var e = document.createElement('script');
    e.type = 'text/javascript';
    e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js';
    e.async = true;
    document.getElementById('fb-root').appendChild(e);
}());
// Ask our server to end the application session (Prototype.js Ajax.Request, which POSTs by default).
function logout(){
    new Ajax.Request('http://XXX/logout');
}

It appears that while the user is logged into Facebook, they are not logged into our application (if you have facebook.com open in a 2nd tab of your browser and re-load the page after being logged in by our application, you will see that you are indeed logged into facebook.com).

Is there an additional step in OAuth 2.0 that needs to be taken to log the user into our application when using the "server-side workflow" that wasn't necessary in the previous version of OAuth? Does the user have to explicitly log in via Facebook after being connected?

Any help would be much appreciated.

Thanks in advance, Jason

PS: Logging into our application via the client-side flow (after you've previously connected) works just fine. It's only when connecting and being logged in via the server-side workflow that we experience the auto-logout problem.


For AJAX pages you need to get the uid, access_token and/or code from the browser's session.

This is standard for iframes and AJAX, for clickjacking prevention and other security risks. SEE: https://www.rfc-editor.org/rfc/rfc6749#section-10.13


QUICK AND DIRTY EXAMPLE:

<?php
// be sure to replace YourAppId with your app id.
// These are the keys the Facebook PHP SDK stores in $_SESSION for each app
// (fb_<appId>_state, _code, _access_token, _user_id), so an AJAX handler can
// read the login state from the session instead of the JS SDK event.
session_start();

if (isset($_SESSION['fb_YourAppId_user_id'])) {
    $user = $_SESSION['fb_YourAppId_user_id'];
} else {
    // no user, send to login flow.
}

if (isset($_SESSION['fb_YourAppId_access_token'])) {
    $access_token = $_SESSION['fb_YourAppId_access_token'];
} else {
    // no user, send to login flow
}
?>
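As an added example (not code from the original answer), the same idea carried through as two small endpoints: a status handler that answers from the server-side session, and a logout handler that only acts on a POST carrying a token bound to that session. It assumes the `fb_<appId>_user_id` / `fb_<appId>_access_token` session keys named above, a placeholder app id `YourAppId`, and hypothetical paths `/fbstatus` and `/logout`; adjust both to your routing.

```php
<?php
// Added example, not from the original answer. Assumes the Facebook PHP SDK's
// session keys (fb_<appId>_user_id, fb_<appId>_access_token), a placeholder
// app id, and hypothetical endpoint paths.
session_start();

define('FB_APP_ID', 'YourAppId'); // replace with your app id

// Return the Facebook uid from the server-side session, or null when the
// server does not consider the user logged in. Both keys must be present:
// a uid without an access token means the login flow never completed.
function fb_session_user()
{
    $uidKey   = 'fb_' . FB_APP_ID . '_user_id';
    $tokenKey = 'fb_' . FB_APP_ID . '_access_token';
    if (empty($_SESSION[$uidKey]) || empty($_SESSION[$tokenKey])) {
        return null;
    }
    return $_SESSION[$uidKey];
}

// Per-session token that the page must echo back on state-changing requests,
// so a cross-site request (framed page, image tag) cannot log the user out.
function csrf_token()
{
    if (empty($_SESSION['csrf'])) {
        $raw = function_exists('random_bytes')
            ? random_bytes(16)
            : openssl_random_pseudo_bytes(16);
        $_SESSION['csrf'] = bin2hex($raw);
    }
    return $_SESSION['csrf'];
}

// Emit a JSON body and stop. Cache-Control: no-store keeps the browser and
// any intermediary from replaying a per-user answer.
function json_reply($status, $body)
{
    header('HTTP/1.1 ' . $status);
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    echo json_encode($body);
    exit;
}

$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

switch ($path) {
    case '/fbstatus':
        // The page asks this instead of trusting auth.logout on its own:
        // the session, not the JS SDK, is the source of truth.
        $uid = fb_session_user();
        if ($uid === null) {
            json_reply('401 Unauthorized', array('loggedIn' => false));
        }
        json_reply('200 OK', array(
            'loggedIn' => true,
            'uid'      => $uid,
            'csrf'     => csrf_token(),
        ));

    case '/logout':
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
            json_reply('405 Method Not Allowed', array('error' => 'POST required'));
        }
        $sent = isset($_POST['csrf']) ? $_POST['csrf'] : '';
        if ($sent === '' || !hash_equals(csrf_token(), $sent)) {
            json_reply('403 Forbidden', array('error' => 'bad csrf token'));
        }
        // Drop this app's Facebook state and end the application session.
        foreach (array_keys($_SESSION) as $k) {
            if (strpos($k, 'fb_' . FB_APP_ID . '_') === 0) {
                unset($_SESSION[$k]);
            }
        }
        session_destroy();
        json_reply('200 OK', array('loggedIn' => false));

    default:
        json_reply('404 Not Found', array('error' => 'unknown endpoint'));
}
```

With this in place the page's auth.logout handler can call `/fbstatus` first and only POST to `/logout` (with the returned `csrf` value) when the server also reports the user as logged out, rather than tearing down the application session on the client-side event alone. `hash_equals` needs PHP 5.6 or later; on older releases substitute a constant-time comparison of your own.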