Log out with Facebook Connect in a CakePHP app

I want to include Facebook Connect in a CakePHP app that I'm working on. Right now, I'm trying to implement auto-login with Facebook Connect. I'm able to start a new login session by writing stuff to $this->Session whenever a user's Facebook Connect status is "connected", so I've got the first half of the feature working. The problem comes when the user tries to log off. Like The Run Around demo app, I've got a link like this:
<a onclick="FB.Connect.logout(redirect_to_logout_action)">log out</a>
The logout action clears the login session variable, but on the next page, the user is still logged in to my site, but not Facebook. The user can log out of my site if he hits the log out link again, so I'm thinking that when he first tries to do this, he gets a new login session on my site, because facebook_client()->get_loggedin_user() is still returning something. Am I doing something wrong here? I thought when my server got the logout request that the Facebook cookies would be cleared by FB.Connect.logout :?

Have your javascript first do:
FB.Connect.logout(function () {
    // runs only after Facebook has cleared its Connect cookies
    location.href = "/logout.php";
});
And on logout.php have
session_start();        // resume the existing PHP session
$_SESSION = array();    // drop its data
session_destroy();      // and remove it on the server

As abales said, I would ensure that whatever logout action is being redirected to calls the following method against the CakePHP Session component:
$this->Session->destroy();
That should eliminate the Cake/PHP session. After that, redirect to whatever controller+action is appropriate for a user that isn't logged in.

allyourcode,
I had similar issues in an app I built several months ago. We were using the Facebook component (like the one found at http://savarino.net/facebook-cakephp).
If I recall correctly, we ended up building a logout method that looked something like this:
// build the Facebook logout URL that sends the user back to our site root
$logout_url = $this->Facebook->facebook->get_logout_url('http://' . $_SERVER['SERVER_NAME'] . $this->webroot);
try {
    // ask Facebook to end the session on its side
    $this->Facebook->facebook->expire_session();
} catch (Exception $e) {
    // fall back to forgetting the user locally and clearing the Connect cookies
    $this->Facebook->facebook->set_user(null, null);
    $this->Facebook->facebook->clear_cookie_state();
}
$this->redirect($logout_url);
I'm sorry I cannot be more specific. It's been several months since I've been back inside that app (and several projects since then) but, hopefully this will point you in the right direction.
Seth

Related

Unable to login to Azure Portal

I'm unable to log in to my own subscription. When I try to log in, the page shows the following error: "Your account has been locked. Contact your support person to unlock it, then try again.". The URL of this page looks like https://login.microsoftonline.com/[ANOTHERORG].onmicrosoft.com/oauth2/..., but I do not work in ANOTHERORG anymore and I want to log in to my own subscription.
The ID of my own subscription should be f77b7b54-c38f-44e0-a471-95a4914cf742. I tried to log in multiple times from incognito windows of different browsers and for some reason it tries to log in to ANOTHERORG instead of my own. BTW, I used the same email address to log in to ANOTHERORG and my own, so I do not understand what the problem is; I think Azure should suggest selecting which subscription I want to log in to. How can the problem be solved? How can I log in to f77b7b54-c38f-44e0-a471-95a4914cf742?
Also I'm unable to create an issue using https://azure.microsoft.com/en-us/support/create-ticket/ because of the same problem: it tries to log in to ANOTHERORG, to which I no longer have access.
I hope people from Microsoft read questions on stackoverflow and will help to solve my problem.
Finally I was able to find a solution: I opened the link https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade which was mentioned in https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/troubleshoot-sign-in-issue. From there I was able to change my default directory (Switch Directory -> Set your default directory dropdown). Now when I open portal.azure.com it opens my own subscription without an issue.

How should I handle the user logout use case when multiple browser tabs are open?

I am using angular-oauth2-oidc with Identity Server 4.
Users need to Login via OpenId Connect Implicit Flow. My Id and Access token are stored in the web browser localStorage.
When a user opens multiple browser tabs and then logs out from one of the tabs, how should I handle the rest of the tabs?
I have tried to catch session_terminated events and then try to log the user out. However, it does not redirect the user back to the login page.
this.oauthService.events
    .filter(e => e.type === 'session_terminated')
    .subscribe(e => { this.oauthService.logout(); });
Any suggestions? Thanks.
Interesting. It was on my to do list to see how this works with the library anyways.
I had already created a dedicated playground example repo that was perfect for testing this. What I found was that there are two distinct scenarios:
1. The user goes to the IdentityServer themselves, and clicks log out
2. The user does a Single Sign Out via our own app
Only in the first scenario do you get a session_terminated event. In the second scenario (which you seem to have) you get a session_error event in the second tab because the first tab:
1. Clears your stored tokens
2. Redirects you to the log out page (where you still have to click log out)
You can see as much in these screencaptures:
Scenario 1: log out explicitly in a third tab
Scenario 2: log out from the app
So I think your solution is to also hook into session_error, or something similar.
Footnote: thinking some more about the above, I reckon that other workarounds might also be possible by listening to localStorage events, and notice when the access_token is being cleared by another tab.
This is what the OIDC session management spec is all about. You can be notified on the client side when their IDP session changes/ends and then react accordingly.
http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
Works well, doesn't have any network overhead and gives you full control over what to do when the condition is detected.
I've experienced a similar issue: using angular-oauth2-oidc with default storage (sessionStorage) leads to the behavior that if a user opens a new tab (Tab B), he is logged in again with a new token. When he logs out on Tab A, the token stored in the sessionStorage of Tab B is still there, of course.
Using localStorage has the disadvantage that the token is persisted even if the browser is closed (kinda "keep me logged in").
What I've done to overcome this is using my own OAuthStorage that internally uses sessionStorage but, if the user logs out, sends an event to all other open browser tabs and triggers a clearing of the session storages there.
See the according gist
You can check if access_token is invalid in localStorage or sessionStorage
@HostListener('window:storage', ['$event'])
onStorageChange(e: StorageEvent) {
  // another tab removed the access token from localStorage and this tab
  // no longer holds a valid one either: log out here as well
  if (e.storageArea === localStorage
      && e.key === 'access_token'
      && !e.newValue
      && !this.oauthService.hasValidAccessToken()) {
    this.authTokenService.logout();
  }
}
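Cross-tab logout driven by the storage event, as the two answers above suggest (an added example, not code from the thread or from angular-oauth2-oidc): the decision is a pure function and window/localStorage are injected, so the same code runs against constructed fakes. It assumes the token key 'access_token' from the thread; isCrossTabLogout and installCrossTabLogout are names chosen here.

```javascript
// Added example (not from the thread): cross-tab logout driven by the
// browser "storage" event, with the decision logic kept as a pure function
// so it can be exercised without a real browser. Assumes the app keeps its
// OIDC access token in localStorage under 'access_token' (as in the thread).
const TOKEN_KEY = 'access_token';

// A storage event from ANOTHER tab counts as a logout only when all hold:
//  - the change happened in localStorage (sessionStorage is per tab),
//  - the changed key is the access token,
//  - the token was removed or emptied (newValue is null/empty), and
//  - this tab does not still hold a valid token of its own, which guards
//    against a token rotation racing with the event.
function isCrossTabLogout(event, localStorageArea, hasValidAccessToken) {
  if (event.storageArea !== localStorageArea) return false;
  if (event.key !== TOKEN_KEY) return false;
  if (event.newValue) return false;
  return !hasValidAccessToken();
}

// Registers the handler on `win` (window in a browser) and returns an
// uninstall function. Dependencies are injected so tests can use fakes.
function installCrossTabLogout(win, localStorageArea, hasValidAccessToken, logout) {
  const handler = (event) => {
    if (isCrossTabLogout(event, localStorageArea, hasValidAccessToken)) logout();
  };
  win.addEventListener('storage', handler);
  return () => win.removeEventListener('storage', handler);
}

// Constructed fakes standing in for window and localStorage; replays the
// sequence tab B would see while tab A first rotates, then removes, the token.
function simulate() {
  const fakeLocalStorage = {};
  const listeners = [];
  const fakeWindow = {
    addEventListener: (type, fn) => { if (type === 'storage') listeners.push(fn); },
    removeEventListener: (type, fn) => listeners.splice(listeners.indexOf(fn), 1),
  };
  const fire = (event) => listeners.slice().forEach((fn) => fn(event));
  let tokenValid = true;
  let logouts = 0;
  const uninstall = installCrossTabLogout(fakeWindow, fakeLocalStorage, () => tokenValid, () => { logouts++; });
  fire({ storageArea: fakeLocalStorage, key: TOKEN_KEY, oldValue: 'tok1', newValue: 'tok2' }); // rotation: ignore
  fire({ storageArea: {}, key: TOKEN_KEY, oldValue: 'tok2', newValue: null });               // other area: ignore
  tokenValid = false;
  fire({ storageArea: fakeLocalStorage, key: TOKEN_KEY, oldValue: 'tok2', newValue: null }); // real logout
  uninstall();
  return logouts; // 1
}
```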

Keycloak: AngularJS app logs out whenever I refresh the page?

I'm using Keycloak in my AngularJS app for login and it's working fine.
But after logging in to the application, whenever a user does a page refresh (F5) the application logs out and shows the login page to the user.
Can someone please let me know what the cause of this issue could be?
I found where the issue is; please find the attached screenshot.
So I checked the Keycloak documentation and they wrote:
The next execution is a subflow called Forms. Since this subflow is marked as alternative it will not be executed if the Cookie authentication type passed. This subflow contains additional authentication type that needs to be executed. The executions for this subflow are loaded and the same processing logic occurs
So, considering the documented statement above, I made changes in the Keycloak server as well and it worked.

Cakephp and opauth login problems

Currently I'm trying to implement the opauth plugin for CakePHP found here, using the Facebook strategy at present. I've followed the instructions; however, when I attempt to log in using my Facebook account I am redirected to the login page. What I have noticed is that the authentication is occurring and is successful using $this->Auth->login($user), where $user is an array of the user's stored information, but on redirection the login function of my UserController is called and I'm returned to the login page. Any ideas? Thanks in advance!
So I figured it out. Turns out it's a config setting; I noticed it while staring at his commit comments on github. In the config of the plugin the default option for the callback transport was changed from session (losing the session was my issue) to post. The change can be seen here. After making that change to the config everything worked.

How to login without showing a login button on my personal blog

I decided to write a personal blog engine on Google App Engine.
But I really do not like the idea of adding a login button somewhere. How can I still do admin things, i.e., post an article, delete a comment, etc., without a login button?
One ugly solution may be not showing the login button but still providing the login URL, which you can type in manually to log in. There is not much difference. I don't like this one.
Anyone know some other ways around this? I've seen many blogs without the login button; how do they implement this?
UPDATE:
One offline solution may be using the remote_api provided by App Engine, which is somewhat applicable and I'm considering using it. But you always need the App Engine Toolkit to do it. So it might not be as portable as an online version, in which case everything you need is just a modern browser and a network connection.
You can restrict access to a specific resource of your application by using the login option in app.yaml handler definition:
- url: /admin
  login: admin
  script: admin.app
Then, using the Users API, you can easily check on your main page whether the current user is an admin, and decide whether or not to show a link to this protected resource:
from google.appengine.api import users

if users.is_current_user_admin():
    pass  # render link to /admin
