Harsh Gupta

Reputation: 4538

Omniauth Strategies - Managing multiple users on a shared system

I know what answers are going to be, but I just want to try my luck. Taking Facebook as an example say, I am using omniauth-facebook to allow users to log in to my site. Upon logging in, user may set up some privacy data on this site.

Taking up a scenario, I have 2 users U1 and U2. They both have individually logged in using Facebook at my site and have respectively authorized the app. Now considering a shared system, U1 comes to my site, clicks on Login using Facebook, authenticates herself and everything's okay. U1 leaves but doesn't log out of Facebook. Now U2 comes, clicks on Login using Facebook and is automatically logged in using U1's credentials. I am not storing the user's access_token at any point.

Is there any way I can stop this from happening? The best I can come up with is to add an intermediary page, in between authentication from FB and the callback at my site, and ask the user if this is the intended user from FB for her. If so, continue, else take her to the login page. But this doesn't deal with the fact that U2 can still see U1's page.

Any input will be greatly appreciated.

Edit: I am targeting Facebook, Twitter, LinkedIn and Google. So I am looking for a common solution. I know there is a possibility of force-authentication for Facebook and Twitter, but I would like to implement a common solution.

Upvotes: 1

Views: 365

Answers (1)

Ashitaka

Reputation: 19203

Facebook (and omniauth-facebook) provides the option auth_type to prevent just that:

use OmniAuth::Builder do
  provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'],
    :auth_type => 'reauthenticate'
end

With this option, the user will be asked to enter his password when he is trying to log in to your service using Facebook. Check out the gem's documentation for more information.

One final note: this option only exists for omniauth-facebook. Other OmniAuth providers may have similar options, but others may have none at all. For example, Twitter has a force_login option that, when set to true, will log out the user from Twitter. Sometimes this is what you want, sometimes it is not. Logging out the user from other services can be quite bothersome. I'd actually like it if all providers had these two options so we could choose which one to use (log out the user from the external service OR just ask for the password again), but I guess we'll have to be content with what we have. For example, as far as I know, Google has no protection for this risk.

Upvotes: 1
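The following is an added example, not code from the question, the answer or the OmniAuth project, combining the two approaches discussed above: it attaches the provider-native re-authentication option where the answer names one (Facebook's auth_type, Twitter's force_login) and falls back to the asker's own idea of an explicit confirmation step for providers without such an option. It is plain Ruby with no gems, so the OmniAuth::Builder usage is shown only in a comment; the auth hash shape (provider, uid) mirrors what OmniAuth places in request.env['omniauth.auth'], while the session keys, the callback_decision and confirm_identity! helpers, and the 15-minute idle limit are assumptions made for this example.

```ruby
# Added example: per-provider re-auth options plus an application-side check
# for shared machines. Nothing here is from the original question or answer
# except the two provider option names they mention.

# Options that make the external service prompt for credentials again instead
# of silently reusing whatever browser session the previous user left behind.
# Providers absent from this table (e.g. google_oauth2, linkedin) get no such
# option, so the confirmation step below is the only protection for them.
REAUTH_OPTIONS = {
  'facebook' => { auth_type: 'reauthenticate' }, # from omniauth-facebook
  'twitter'  => { force_login: true }            # from omniauth-twitter
}.freeze

# Build the argument list for OmniAuth::Builder#provider. Intended use (needs
# the omniauth gems, so it is only a comment here):
#   use OmniAuth::Builder do
#     provider(*provider_args('facebook', ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET']))
#     provider(*provider_args('google_oauth2', ENV['GOOGLE_KEY'], ENV['GOOGLE_SECRET']))
#   end
def provider_args(provider, key, secret)
  [provider.to_sym, key, secret, REAUTH_OPTIONS.fetch(provider.to_s, {})]
end

def native_reauth?(provider)
  REAUTH_OPTIONS.key?(provider.to_s)
end

# Decide what the callback action should do with the identity the provider
# returned. `auth` mimics the provider/uid part of request.env['omniauth.auth'];
# `session` is the application's own session hash (assumed keys below).
# Returns :sign_in, :confirm (render the "is this you?" page) or :reject.
def callback_decision(auth, session, now: Time.now, idle_limit: 15 * 60)
  provider = auth['provider'].to_s
  uid      = auth['uid'].to_s
  return :reject if provider.empty? || uid.empty?

  # The provider itself asked for the password again, so the identity is fresh.
  return :sign_in if native_reauth?(provider)

  identity   = "#{provider}:#{uid}"
  last_seen  = session['confirmed_at']
  expired    = last_seen.nil? || (now.to_i - last_seen) > idle_limit

  # Re-use the earlier confirmation only for the same identity and only while
  # the application session is still fresh; a different uid or an idle session
  # (U1 walked away, U2 sat down) goes back through the confirmation page.
  if session['confirmed_identity'] == identity && !expired
    :sign_in
  else
    :confirm
  end
end

# Record that the person at the keyboard confirmed the displayed identity.
def confirm_identity!(session, auth, now: Time.now)
  session['confirmed_identity'] = "#{auth['provider']}:#{auth['uid']}"
  session['confirmed_at']       = now.to_i
  session
end

# Call on every authenticated request so the idle limit measures real activity.
def touch_session!(session, now: Time.now)
  session['confirmed_at'] = now.to_i if session['confirmed_identity']
  session
end
```

The idle limit is what addresses the second half of the question (U2 still seeing U1's page): the application session itself, not just the provider login, has to expire on a shared machine, so touch_session! should run on each request and the limit should be short.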
