Reputation: 473
With Facebook deprecating offline access permissions on May 1st, web applications can easily extend the duration of OAuth access tokens (for 60 days).
But if the application is on the web and wants to provide a "Switch user" option, most often a logout -> login, then the access tokens are invalidated, and there is no substitute at all for offline_access anymore.
Question: is there a way to keep valid access tokens (for 60 days) but still allow logout or multiple users to log in on a single browser, or a way to "force login prompt" when requesting login (for Facebook to offer Switch user on the login page)?
Or are we encouraged not to offer a logout option anymore?
Upvotes: 3
Views: 1713
Reputation: 1906
It's possible this won't work for security reasons, but have you tried constructing the logout URL without specifying an access token? That is, for example:
If you're using the PHP SDK, either write your own version of the getLogoutUrl(...) method or just pass in an empty access_token like $facebook->getLogoutUrl(array('access_token' => ''));
If you're using the JS SDK, you will not be able to use FB.logout(), which requires an access token. Instead, you could provide your own:
    // Redefine the 'auth.logout' UI method; the transform below only sets
    // the `next` parameter on the request.
    FB.provide('UIServer.Methods', {
      'auth.logout': {
        url: 'logout.php',
        transform: function(a) {
          var xdRelation = FB.UIServer.getXdRelation(a.params);
          a.params.next = FB.UIServer._xdResult(a.cb, a.id, xdRelation, true);
          return a;
        }
      }
    });
If you execute the above code, in theory it should change the behavior of FB.logout to no longer pass an access_token. Fair warning: I haven't tested it myself. Otherwise, just send the user to http://facebook.com/logout.php?next=SOME_URL and see if that works without an access_token.
Upvotes: 1
Reputation: 164147
I ran some tests and it looks like no matter how I obtain the access token, server side flow, or client side flow, even if I have two tokens (from both flows), when I call FB.logout() (I assume that this is how you log the user out) all tokens get invalidated.
It seems to me that you'll have to choose what functionality you prefer to have, switch user or long lived valid token, unless of course I'm missing something.
I can however offer you a workaround, it's not ideal, as most workarounds, but it might let you enjoy both worlds: In your UI, where you give the user the option to log out in order to switch users, just tell him to log out of Facebook manually, then when he clicks your log out, just log him out of your system without using FB.logout. That way the access tokens you have for that user won't get invalidated and a different user will be able to log in.
Upvotes: 1
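The workaround in the last answer (end the user's session in your own system without calling FB.logout) depends on keeping browser session state separate from the server-side token store. The following is an added example, not code from any of the posts above; the class and method names are hypothetical, and the 60-day lifetime is assumed from the question rather than read from a Facebook response.

```javascript
// Added example: app-local logout that leaves stored Facebook tokens untouched.
// AppAuth and its methods are hypothetical names, not part of any Facebook SDK.
const { randomBytes } = require("node:crypto");

// Assumption: 60-day extended token lifetime, as stated in the question.
const TOKEN_TTL_MS = 60 * 24 * 60 * 60 * 1000;

class AppAuth {
  constructor() {
    this.sessions = new Map(); // sessionId -> fbUserId (what the browser cookie maps to)
    this.tokens = new Map();   // fbUserId -> { accessToken, expiresAt } (server side only)
  }

  // Called after the Facebook login flow has returned a token for fbUserId.
  login(fbUserId, accessToken, now = Date.now()) {
    this.tokens.set(fbUserId, { accessToken, expiresAt: now + TOKEN_TTL_MS });
    const sessionId = randomBytes(32).toString("hex"); // unpredictable cookie value
    this.sessions.set(sessionId, fbUserId);
    return sessionId;
  }

  // Local logout: drop the session only. FB.logout() is never called,
  // so the stored token is not invalidated.
  logout(sessionId) {
    return this.sessions.delete(sessionId);
  }

  // Resolve a cookie value to a user; a logged-out cookie resolves to null,
  // so the next person on the same browser cannot reuse it.
  userFor(sessionId) {
    return this.sessions.get(sessionId) ?? null;
  }

  // Token for later API calls on behalf of fbUserId; expired entries are purged.
  tokenFor(fbUserId, now = Date.now()) {
    const entry = this.tokens.get(fbUserId);
    if (!entry) return null;
    if (now >= entry.expiresAt) {
      this.tokens.delete(fbUserId);
      return null;
    }
    return entry.accessToken;
  }
}
```

The token never leaves the server in this layout; the browser only holds the random session identifier, which is what local logout revokes.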