Google Auth don't show popup if logged in - javascript

In scenario 1 the user is not logged into our app and is not logged into google in their browser. This shows them a pop up and tells them to log in to google and then tells them to authorize our app.
However, in my scenario, the user is already logged in and already has authorized my app. I log them in automatically but the problem is that the popup keeps appearing each time.
Is there a way to call the signin of google api without having the popup show?
Thanks in advance.

Since you marked this question as Javascript, I guess you must be using the oauth 2.0 through Google APIs Client Library for JavaScript.
https://developers.google.com/api-client-library/javascript/
In this page, https://developers.google.com/api-client-library/javascript/features/authentication.
Checkout the Auth example section, when you make the call gapi.auth.authorize(params, callback), set the param immediate to be true, so that the token is refreshed behind the scenes and no UI is shown to the user.
Checkout this page to see more details about the method gapi.auth.authorize(params, callback).
https://developers.google.com/api-client-library/javascript/reference/referencedocs#gapiauthauthorize

Related

How can I prevent early popup closing when using chrome.identity.launchWebAuthFlow?

I'm calling chrome.identity.launchWebAuthFlow from a background script of my Chrome extension.
This is used to get implicit user authentication with https://login.microsoftonline.com
The sign in popup appears fine allowing for user credential input. However after credentials are submitted the window is not redirected to my callback redirect uri. Instead it redirects to another page (which is some kind of corporate signin page within Microsoft Azure AD) which does not require user's action.
At this very moment the window gets closed and I get undefined response in launchWebAuthFlow callback function. At the same time I get console error: Unchecked runtime.lastError: Authorization page could not be loaded.
The same flow works fine from the browser window: after credentials provision and redirect to the corporate signin page, it's finally redirected to my redirect url (with auth token ready).
From this I conclude that launchWebAuthFlow is not waiting till redirect is done to my redirect page but closes popup prematurely.
Is there a way to prevent this?
I spent too much time at this but found a workaround.
Still not sure why launchWebAuthFlow behaves like this. But I decided to resolve otherwise.
This double redirection happens because Microsoft auth page first requires plain e-mail address input. This allows it to decide which corporate auth page to redirect to. This happens even if it reuses the current session (cookies).
So I looked for a way to shortcut the route and give the first auth page a hint about what corporate page should go next. For this you have to add one more parameter to the url used by launchWebAuthFlow:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
?client_id={client-id}
&response_type=token
&login_hint=user#domain.com
&prompt=login
&redirect_uri={redirect-uri}
&scope={some-scope}
Please note, that I had to add prompt=login as well. It works without it from the browser (actually even faster with alive session). However, this is needed if called from chrome.identity.launchWebAuthFlow
Hope this will help somebody in similar situation.
More details here: Microsoft identity platform and Implicit grant flow

Facebook Javascript SDK new access token in the background

How can I refresh a long lived facebook access token in the background? From the facebook documentation
Even the long-lived access token will eventually expire. At any point,
you can generate a new long-lived token by sending the person back to
the login flow used by your web app - note that the person will not
actually need to login again, they have already authorized your app,
so they will immediately redirect back to your app from the login flow
with a refreshed token - how this appears to the person will vary
based on the type of login flow that you are using, for example if you
are using the JavaScript SDK, this will take place in the background,
if you are using a server-side flow, the browser will quickly redirect
to the Login Dialog and then automatically and immediately back to
your app again.
What I'm trying to reconcile is that in order to get a new access token you need to have the user login. In order to login, you must call FB.login(). According to the documentation, a user should click a button in order to login.
As noted in the reference docs for this function, it results in a
pop-up window showing the Login dialog, and therefore should only be
invoked as a result of someone clicking an HTML button (so that the
pop-up isn't blocked by browsers).
How can you refresh a long lived access token in the background with the facebook javascript SDK?
You can only refresh a User Token if the user visits your website: Use FB.getLoginStatus for that. You do not need to use FB.login - it would only work on user interaction (click event) anyway, because browsers usually block the popup if you try to call it automatically.

Why doesn't FB.login delete the logout cookie?

I have a problem with Facebook authentication logic:
On home page load, I call getLoginStatus() and if I get "connected", I redirect the user to his account page. If not, the user can click the login button that calls FB.login().
If the user is logged in and then navigates back to home page (full page load), getLoginStatus() there returns "connected" as expected and user gets bounced back to account page.
However, when the logged in user calls FB.logout() and repeats steps 1-2, the 2nd step will always yield "unknown" login status. So, FB.logout() basically breaks my bouncing logic.
I checked the mechanics of login/logout calls and it appears FB.logout() creates a fblo_<appId> cookie with 1 year expiration that blocks getLoginStatus() from returning the proper status. This seems to be the actual mechanism for keeping people logged out, which I can understand. What I can't understand, though, is: why this cookie is not deleted on a successful FB.login() call?
I fixed it myself by programatically deleting the cookie fblo_<appid> in callback functions of both FB.login() and FB.logout()
I was experiencing this a few days ago but I'm not seeing the issue any more.
In either case make sure you consider these different scenarios when testing:
A person logs into Facebook, then logs into your app. Upon logging out from your app, the person is still logged into Facebook.
A person logs into your app and into Facebook as part of your app's login flow. Upon logging out from your app, the user is also logged out of Facebook.
A person logs into another app and into Facebook as part of the other app's login flow, then logs into your app. Upon logging out from either app, the user is logged out of Facebook.
https://developers.facebook.com/docs/reference/javascript/FB.logout/
Debugging tip:
In the Application tab in Chrome you can select Cookies in the left panel and then type fblo into the search box to filter by that name. When I call FB.login and successfully authenticate I see that the fblo cookie disappears - so I believe this issue fixed.

How can I get notified in my website if user log out from facebook in other tab using javascript?

I have integrated facebook login in my website using javascript SDK.
Now, if user logged out in other tab, how would my website come to know about it?
Please help.
There are several ways to do this. Here are a few:
Checking via the JavaScript SDK if the user is still logged in
Cookies / Local Storage
Catching errors everytime the JavaScript SDK is called by not assuming that the user is still logged in or with the right permissions

Facebook Javascript Canvas Login Redirect

I am building a facebook canvas application and want users, when they visit "apps.facebook.com/myApp", to be presented with the appropriate login dialogue immediately instead of showing my canvas page without having been logged in. With all the different login flows, I am confused!
Using javascript, how do I do this? Do I set the default canvas page to be a page with a script with a redirect url in it?
You should not immediately present them with the login dialog, it is best practice to show some intro screen with information about your app first. Else there is only a small authorization information and no use will really know what the app is about. Then let the user click on a "Login/Use/Start/..." button to present the authorization popup with the FB.login function of the JavaScript SDK:
https://developers.facebook.com/docs/reference/javascript/FB.login/
If you really want to require user authorization right at the beginning, user the PHP SDK:
https://github.com/facebook/facebook-php-sdk
See "$facebook->getLoginUrl()" - just redirect to the resulting URL if the user is not logged in.

Categories

Resources