Logout/switch-user on Facebook after deprecation of Offline Access Permission

3
votes

With Facebook deprecating offline access permissions on May 1st, web applications can easily extend the duration of OAuth access token (for 60 days).

But if the application is on the web and wants to provide a "Switch user" option, most often a logout -> login, then the access token are invalidated, and there is no substitute at all for offline_access anymore.

Question: is there a way to keep valid access tokens (for 60 days) but still allow logout or multiple users to login on a single browser or a way to "force login prompt" when requesting login (for Facebook to offer Switch user on the login page)?

Or are we encouraged not to offer a logout option anymore?

2
facebookfacebook-graph-apioauth
Let me ask you this: What are you doing if the user hasn't engaged with your app in 60 days and the token expires? What I'm getting at is that I think that you're encouraged to use tokens that are given to you by user interaction.Nitzan Tomer
Sure, we just consider the user is not active anymore if the token expires. But in the scenario I am highlighting, switching user could make the token expire after just a few minutes while the use only wanted to logout from the session on her/his browser.Nicolas Grasset

2 Answers

1
votes

I ran some tests and it looks like no matter how I obtain the access token, server side flow, or client side flow, even if I have two tokens (from both flows), when I call FB.logout() (I assume that this is how you log the user out) all tokens get invalidated.

It seems to me that you'll have to choose what functionality you prefer to have, switch user or long lived valid token, unless of course I'm missing something.

I can however offer you a work around, it's not ideal, as most work arounds, but it might let you enjoy both worlds: In your UI, where you give the user the option to logout in order to switch users, just tell him to log out of facebook manually, then when he clicks your log out, just log him out of your system without using FB.logout. That way the access tokens you have for that user won't get invalidated and a different user will be able to log in.

1
votes

It's possible this won't work for security reasons, but have you tried constructing the logout URL without specifying an access token? That is, for example:

  • If you're using the PHP SDK, either write your own version of the getLogoutUrl(...) method or just pass in an empty access_token like $facebook->getLogoutUrl(array('access_token' => ''));

  • If you're using the JS SDK, you will not be able to use FB.logout(), which requires an access token. Instead, you could provide your own:

FB.provide('UIServer.Methods', {
    'auth.logout': {
        url: 'logout.php',
        transform: function(a) {
            var xdRelation = FB.UIServer.getXdRelation(a.params);
            a.params.next = FB.UIServer._xdResult(a.cb, a.id, xdRelation, true);
            return a;
        }
    }
});

If you execute the above code, in theory it should change the behavior of FB.logout to no longer pass an access_token. Fair warning: I haven't tested it myself. Otherwise, just send the user to http://facebook.com/logout.php?next=SOME_URL and see if that works without an access_token.