sootsnoot - 2016-02-03 21:55:42
Our site supports password/email authentication as well as OAuth through 7 different social media sites using this class. Nice job with this class to handle them all! It would be 8, but AFAIK, AOL only supports OpenID, so we use lightopenid for them.
Anyway, we allow users to log in to the same account through both email/password and OAuth.
And we have an "Edit Account" page that lets you change your email address and/or password. If you are logged in through email/password authentication, you have to enter your old password in order to change it to something else. So if you step away from your browser for a minute while logged in, your "friend" can't change your password on you.
But if you're logged in through OAuth, say with Facebook for example, and you step away from the keyboard, someone can change your password because Facebook still has a logged-in session for you, and an attempt to authenticate will immediately succeed.
I'd like to be able to force the OAuth authentication to make Facebook explicitly re-authenticate the user, or have a way to log out the Facebook session explicitly, which in turn would cause the OAuth flow to put up a login page. And similarly for the other OAuth clients if possible.
I don't currently use any "long-lived" access tokens explicitly in this code, I simply observe that if there is a Facebook session logged in through my browser when I do OAuth authentication, then it immediately succeeds. And if not, then the OAuth flow requires Facebook login. Logging out of Facebook directly in a different tab works fine. So if there isn't a fancy way to tell the provider to force re-authentication in the OAuth flow without actually logging out other explicit Facebook windows, that's fine, I'm happy to log out those other windows. I just don't know how to do it.
Manuel Lemos - 2016-02-03 23:59:39 - In reply to message 1 from sootsnoot
I also have an OpenID client and server class but it was not yet published. It works with the same interface as this class.
It is used to log in with sites like Yahoo that do not have an API to provide the user email address.
If you need it, I can also publish it separately.
Anyway, in general I do not tie PHP sessions to OAuth tokens. Tokens are just used to retrieve the user email address and locate the user account on your site.
It is better that your site can carry on even if the user has deleted or disabled his account on some other site that was used to authenticate the user initially.
If you want to authenticate the user using a new token, you can call ResetAccessToken and the class will "forget it", thus re-initiating the process when the user needs to be authenticated.
For many APIs, if the application is still authorized, the browser will be redirected to the API server and will return immediately with a new token authorization code.
Some APIs allow revoking previous application authorization, so you can force the user to authorize your application again, but there is no standard way applied by all APIs, even though RFC 7009 exists to standardize that.
sootsnoot - 2016-02-04 01:58:11 - In reply to message 2 from Manuel Lemos
Thanks for your speedy reply, Manuel! Interesting how the RFC gets ignored.
For forcing logout with specific providers, I came across http://stackoverflow.com/questions/17050575/logout-link-with-return-url-oauth
But what I actually want to do for my use case is to force the user to enter their credentials to the OAuth provider, regardless of whether the browser already has an authenticated session with that provider. For that I found http://stackoverflow.com/questions/14780076/facebook-oauth-auth-type-reauthenticate-not-working-for-certain-users
So Facebook apparently defines a parameter to do exactly what I'm looking for, but it only works "sometimes". What a nightmare. That's why it never ceases to amaze me that you got so many providers actually working reliably for the basics!
Manuel Lemos - 2016-02-04 03:25:23 - In reply to message 3 from sootsnoot
OK, I just added the reauthenticate option so it forces reauthentication when the token is not valid, at least for Facebook.
You need to call ResetAccessToken first so that the current token is discarded.
It may be possible to support other servers, but for now just let me know if this works well for you with Facebook.
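As an added example that is not part of the thread or of the class's own distribution: how the "Edit Account" page could use the reset plus reauthenticate steps from the last reply. It assumes the option is a boolean `reauthenticate` property on `oauth_client_class`, that the site stores the logged-in account's email in `$_SESSION['account_email']`, and that the password-change form checks `$_SESSION['reauth_time']` is recent; URLs and credentials are placeholders.

```php
<?php
// Added example, not code from the thread or from the class author: an "Edit
// Account" step-up page that forces a fresh Facebook login through
// oauth_client_class before a password change is allowed. Assumed: the
// `reauthenticate` option from the thread is a boolean property; file names,
// URLs and credentials are placeholders.
require_once 'http.php';
require_once 'oauth_client.php';
session_start();

$client = new oauth_client_class;
$client->server        = 'Facebook';
$client->redirect_uri  = 'https://example.com/reauth.php';  // placeholder
$client->client_id     = 'YOUR_FACEBOOK_APP_ID';            // placeholder
$client->client_secret = 'YOUR_FACEBOOK_APP_SECRET';        // placeholder
$client->scope         = 'email';

// First leg only (no code/error back from the provider yet): discard the
// stored token so Process() starts a new authorization instead of reusing one.
if (!isset($_GET['code']) && !isset($_GET['error'])) {
    $client->ResetAccessToken();
}
// Ask for an explicit login even if the browser still has a Facebook session
// (assumed option; message 4 says it forces reauthentication for Facebook).
$client->reauthenticate = true;

$user = null;
if (($success = $client->Initialize())) {
    if (($success = $client->Process())) {
        if (strlen($client->access_token)) {
            $success = $client->CallAPI(
                'https://graph.facebook.com/v2.3/me?fields=email',
                'GET', array(), array('FailOnAccessError' => true), $user);
        }
    }
    $success = $client->Finalize($success);
}
if ($client->exit) exit;   // browser was redirected to Facebook's login page

if (!$success) {
    die('Re-authentication failed: ' . htmlspecialchars($client->error));
}
// Bind the fresh login to the account already in the session: a different
// Facebook account must not unlock this account's password change.
if (!isset($user->email)
    || strcasecmp($user->email, $_SESSION['account_email']) !== 0) {
    die('Re-authenticated identity does not match the logged-in account.');
}
$_SESSION['reauth_time'] = time();   // password form must see this as recent
header('Location: /edit-account.php');
```

The password-change handler should reject the request unless `reauth_time` is within a short window (a few minutes), which closes the gap for both login methods rather than only the email/password one.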