Facebook login select account - facebook-login

When implementing Google login into a website, the 'select_account' prompt can be set in order for the user to select a different Google account. (Force Google account chooser)
Does Facebook offer something similar? I can't seem to find it if they do. The issue I'm running into is if the user selected "Keep me logged in", they can never switch and log in with a different Facebook account without going to Facebook and logging out first.

Related

AWS Cognito federated user login not allowing to sign in as different user after log out

I am able to log out and log in, but there is 1 particular scenario which I am not able to achieve.
Scenario:
The user logs in using federated social login (Google), using the hosted UI directly.
Now the user clicks on logout, which directs to the AWS Cognito logout URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/logout?response_type=token&client_id=xxxxxxxxx&logout_uri=https://abc/logout.html
It logs the user out successfully and redirects the user to the logout page, as mentioned in the URL.
Now when the user tries to log in again with a different account, he is forced to use his previous Google login only.
I want functionality such that the user can log out and, if he wants to log in again, can log in with the same account or a different one, depending on his choice.
The important point to note is that I can't use AWS Amplify or any JavaScript framework, only plain JavaScript.
The reason you are always forced to log in with the same user seems to be that the /logout? endpoint only logs out the user on Cognito, but Cognito does not communicate to Google that it should log you out of your device. Thus, every time you sign back in and the Google Authentication screen is launched Google still remembers the device and sees that you're still logged in. As a result, the redirect URI is triggered without you ever being prompted to choose a new account.
I'm running into the same issues on a React Native project, but have yet to find any evidence that Cognito offers an endpoint to force it to also sign you out of the Identity provider (i.e. Google).
PS: Here's another Stack Overflow discussion with more info: AWS Cognito - How to force select account when signing in with Google
One of the responses in that thread mentions calling Google's logout endpoint directly as part of the signout flow. It's definitely not pretty, but since you're using plain JavaScript it might be a sufficient solution.
If you find a cleaner solution please make sure to share it, as I'd be interested to hear what you find :)
Well, I got it working, but I don't think it's an issue; it's a kind of behaviour that every developer who is trying to integrate Google login into their application should know. Here are the few scenarios I have checked and their respective behaviour.
My AWS Cognito login URL
https://xxxxxxx.auth.us-east-2.amazoncognito.com/oauth2/authorize?identity_provider=Google&redirect_uri=https://xxxxxx/login.html&response_type=TOKEN&client_id=xxxxxxxxxxxxxxxxx&scope=phone%20email%20openid%20profile
My AWS Cognito logout URL
https://xxxxxxxxx.auth.us-east-2.amazoncognito.com/logout?client_id=xxxxxxxxxxxxxxxxxxxx&logout_uri=https://xxxxxxxxxxxxx/logout.html
When I log out using the above URL, I don't get logged out from the Chrome browser.
This behaviour is an issue for many people.
So when your Chrome browser has only 1 account logged in, AWS Cognito Google login won't redirect to a page where you can select a different user, because you have only a single user, through which it gets logged in directly.
Found out how we can show multiple logins: if you want another user to log in, then he needs to first sign in to the Chrome browser, and when he clicks on Google login from the website, he will be able to select the user, as in Chrome we now have 2 users logged in to Google, from which he can select which user he wants to use for access.
I won't be accepting this as an answer because it's not how everyone wants this behaviour; I will wait for a few days to see if someone can suggest a better way.
I think, for now, we have to go with this.
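
As an added example (not part of the posts above and not AWS's own code): the app-side half of the sign-out this thread describes, in plain JavaScript. It drops the tokens that the implicit flow (response_type=token) left with the page and builds the hosted UI /logout URL; the Google session is untouched, as the answers note. The domain, client ID, URLs, the https-only check and the storage key names are assumptions.

```javascript
// Added example; domain, client id and URLs used with it are constructed placeholders.
// Assumed storage key names: the fragment parameter names themselves.
const TOKEN_KEYS = ["id_token", "access_token", "expires_in", "token_type"];

// Parse the implicit-grant fragment appended to redirect_uri,
// e.g. "#id_token=...&access_token=...". Unknown parameters are ignored.
function parseImplicitFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  const tokens = {};
  for (const key of TOKEN_KEYS) {
    if (params.has(key)) tokens[key] = params.get(key);
  }
  return tokens;
}

// Build the hosted UI /logout URL with the two parameters used in the thread.
// Rejecting non-https logout URIs is a choice made for this example.
function buildCognitoLogoutUrl(domain, clientId, logoutUri) {
  const target = new URL(logoutUri); // throws on a malformed URI
  if (target.protocol !== "https:") {
    throw new Error("logout_uri must be https");
  }
  const url = new URL("/logout", `https://${domain}`);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("logout_uri", target.toString()); // percent-encoded here
  return url.toString();
}

// Local sign-out: remove every stored token first, then return the URL the
// page should navigate to. `storage` is anything with removeItem(), such as
// window.sessionStorage. This ends the app and Cognito sessions only; the
// identity provider's own browser session is outside the app's control.
function signOut(storage, domain, clientId, logoutUri) {
  for (const key of TOKEN_KEYS) storage.removeItem(key);
  return buildCognitoLogoutUrl(domain, clientId, logoutUri);
}
```

In a browser, the caller would pass `window.location.hash` to `parseImplicitFragment` and assign the result of `signOut` to `window.location.href`.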

My website has only a login with Facebook feature, can I submit it for app review?

I made a website using Django.
The only way to log into it is the Facebook login.
When I had to submit my app for review in the Facebook developer console, they asked me for a testing ID and password. Since the only way to log in is Facebook, it won't work until they test.
And they are asking how to open this website for testing. It's kind of a loop.
Is there another way out?
I don't want to use other ways of logging in (this is in accordance with my idea).
I believe you can test your app with your own login credentials according to Facebook:
"You do not need to submit your app if it will only be used in Development Mode by you or someone with a role on your app. Any account listed in the Roles tab in your App Dashboard, such as admins, developers, and testers, can use all permissions but will only be able to access their own data, that of test users, and test pages belonging to them.
You can use any of these accounts to test your app and create a screencast."
See this similar answer.

Google Cloud Identity Aware Proxy (IAP) logout does not work in other tabs

When I log out the user in my application with Google IAP authentication by visiting the /_gcp_iap/clear_login_cookie the user is prompted to the Google account selection page, but if I open a new tab and visit my website, the user is still logged in.
Any chance I am missing something?
Clearing the cookie does not change the fact that the user is still logged into Google Accounts. When the user goes to your website again, opens a new tab, etc. the user is still authenticated with Google and therefore is still authenticated with Google IAP. When a user is authenticated with their Google Account, they are authenticated with all services that use that identity provider for authentication.
The solution is to log the user out of their Google Account, but this affects all sites/accounts and not just your site. This is a bit draconian for most users. Maybe a better choice is to not offer the ability to log out of your site since you do not control the authentication (login/logout) process.
Google has an issue tracker for this item:
https://issuetracker.google.com/issues/69698275

Facebook Graph API logout after fetching profile details

I am implementing a "login with Facebook" feature using the PHP SDK, and I am able to grab user profile details. But after that the user remains logged in. Suppose a user is accessing my site and, after using the "login with Facebook" feature, he leaves immediately; then the next person sitting there can use (misuse) the previous person's account.
1) How can I automatically log out the user after fetching what I needed (I don't want to show the user a "Facebook logout" button)?
2) Is there any way I can only log out the user from my app and not from Facebook? (I mean, if the user is already using Facebook in another tab, then it should only log out the user's Facebook session from my app.)
Assuming all the usual security measures are in place (session timeouts apply to FB logins, doesn't leak FB data across distinct PHP sessions, logging out of your site clears FB session data or moves to a login/front page with no FB access), websites with Facebook integration generally don't bother securing their FB integration on a per-request basis. It's the user's own fault if they leave a browser window open and logged into your website; there's not a lot you can or really should do about that kind of mistake.
All that being said, you can call getLogoutUrl and then redirect the user to that URL to log the user out of the current session, OR you can use the JavaScript SDK's FB.logout(). Both options are mentioned here.

How does Google Search access my Facebook connections?

When I am logged into my Google account and I search for anything on Google,
these days, if it is a blog or a profile, Google shows the name of the owner and also tells me if I am connected to that person.
I can understand it if it's a Blogger blog where the author might have a Google+ account which I am connected to.
But under my Facebook friend's account in Google search results,
it reads "You are connected to XYZ on Facebook" on hovering over his name.
Is it because I told Google Plus about my other profile links, i.e. Twitter and Facebook?
I don't think connections are accessible under Graph API without any access token and I don't remember giving Google any such permissions.
It is likely due to your logged-in Facebook session. If this is active, it will show up on websites allowing you to comment on certain things, from the random website, straight onto Facebook. Or like it, etc.
Google is most likely just using your logged-in session.
If you don't like such features (I personally hate Facebook apps on websites), you can block them using script-blocking add-ons for your browser.
E.g. https://addons.mozilla.org/en-US/firefox/addon/noscript/
The Google dashboard at https://www.google.com/dashboard lists what Google knows about you; under the section "Me on the Web" I believe you can adjust what Twitter/Facebook profiles are linked to your Google account. I don't have any so I'm not 100% sure, but it's a good place to check.