3

In my MVC application, I have the code below in jQuery to check whether the user is connected to the Facebook app or not:

FB.login(function (response) {
    switch (response.status) {
        case "connected":
        case "unknown":
            break;
    }

}, { scope: "@MyPermissions" });

Now, when I do an FB login through my app, it authenticates and immediately starts the FB app authorization, and finally it comes to the connected case when authorization is done.

My question is: can I detect when Facebook authentication is done and before authorization starts? So that my debugger can catch the position before authorization takes place. I have to actually avoid the authorization.

Ivaylo Slavov
Pankaj
  • What exactly are you trying to catch? [Are you trying to catch whether the user has already authenticated or not?](http://stackoverflow.com/questions/8263562/facebook-user-login-user-authentication-without-app-authorization) – JSuar Jan 08 '14 at 02:17
  • In cases user authenticates...and then authorization screen comes immediately...I want to cancel the authorization in some conditions. – Pankaj Jan 08 '14 at 02:19
  • Any luck with these: 1) http://stackoverflow.com/questions/8160572/facebook-authentication-only 2) http://stackoverflow.com/questions/9049335/no-authorization-dialog 3) http://stackoverflow.com/questions/3238978/facebook-authentication-workflow-overly-complicated – JSuar Jan 08 '14 at 02:35
  • 1
    Can you explain your use case a little better? What do you define as "authentication in done", "before authorization starts" and "I want to cancel the authorization in some conditions"? Maybe in respect to this article: https://developers.facebook.com/docs/facebook-login/testing-your-login-flow/ – Matthew.Lothian Jan 10 '14 at 01:34
  • @abcdefghi after calling Facebook init, why don't you do your validation by calling getLoginStatus, and depending whether your condition is matched or not, you decide if you want to call the login()...? Is this what you want? – João Pinho Jan 14 '14 at 18:45
  • Also, if you want to unauthorize the app, go to your app settings and permissions in facebook.com and remove or unauthorize the app. Or check out this question: http://stackoverflow.com/questions/8679643/facebook-account-delink-or-deauthorize-facebook-app-and-check-status-of-linking – Matthew.Lothian Jan 15 '14 at 02:55

3 Answers

2

Actually, OAuth is a two-step authorization; you cannot stop it at authentication.

You can do a trick: usually people are already logged in to Facebook, so you can try getLoginStatus() on first load, which will surely return not_authorized as the user has not yet authorized your app. You can perform your check there and then get the user to authorize.

FB.getLoginStatus(function(response) {
  if (response.status === 'not_authorized') {
    // the user is logged in to Facebook,
    // but has not authenticated your app
  } else {
    // the user isn't logged in to Facebook.
  }
});
Zaheer Ahmed
0

EDIT: Is this what you want? Facebook account delink or deauthorize facebook app and check status of linking from facebook app

Otherwise

Firstly, Facebook login and app auth are inseparable for security reasons. Being logged into Facebook and being logged into Facebook through an app are different. To log in using Facebook from an external site, you are actually logging in through an app that requires the user to allow the app to access certain parts of their profile.

So when a user clicks login, first they will be asked to log in to Facebook if they are not already logged in. You can check this before login using FB.getLoginStatus https://developers.facebook.com/docs/reference/javascript/FB.getLoginStatus/

Once the user is logged into Facebook they will have to authenticate your app for you to gain access to their info. This info is also available using FB.getLoginStatus

What you need though is an accessToken to make calls to the API with. The FB JS SDK stores this internally when you run the login dialog. So if you don't log in using it, the API calls will fail unless you build them yourself.

Based on the information given, I am assuming you want to avoid showing the login / auth dialog every time a previously logged in user visits the page. This is the only situation I can think of that you might want to avoid showing the dialogs.

In this case you can use cookies and access tokens to keep a logged in state across page visits.

Use a cookie to store the accessToken locally after the first login. Then code your login logic to check for and validate the token on load or login.

This way, returning to the site won't launch the login / auth dialog unless the accessToken session runs out, but will just change the user state to logged in. Then, using your access token, build your Graph API calls.

I use https://graph.facebook.com/oauth/access_token_info with parameter client_id: APPID, access_token: token to validate the token.

If the token is valid, then the session is good, the user is logged in and has authorized the app. If this fails, the cookie is deleted and I kick off the login dialog.

There are a few more cases where you should delete the cookie, like authResponseChange or log out.

On that note; I believe what you want for post authorization is to subscribe to the authResponseChange event https://developers.facebook.com/docs/facebook-login/login-flow-for-web/. Here is a gutted implementation:

FB.Event.subscribe('auth.authResponseChange', function(response) {
  if (response.authResponse) {
      if (response.status === 'connected') {
           // User logged in and User has authorized the app
      } 
      else if (response.status === 'not_authorized') {
           // User logged in but has not authorized app    
      }
      else {
          // User logged out                    
      }
  } else {
     // No valid authResponse found, user logged out or should be logged out             
  }
});

There is more doco here https://developers.facebook.com/docs/reference/javascript/FB.Event.subscribe/

And there are other events that you may be able to take advantage of

auth.login - fired when the auth status changes from unknown to connected

auth.authResponseChange - fired when the authResponse changes

auth.statusChange - fired when the status changes (see FB.getLoginStatus for additional information on what this means)

Community
Matthew.Lothian
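The cookie-and-token flow described in the answer above, as an added example that is not part of the original answer or of the Facebook SDK. The cookie name `fb_token` and the injected `deps` functions are hypothetical, and a successful HTTP response from the validation URL quoted in the answer is assumed to mean the token is valid.

```javascript
// Added example: restore a Facebook session from a stored access token.
// TOKEN_COOKIE and the injected deps are hypothetical names; the URL and its
// client_id / access_token parameters are the ones quoted in the answer.
const TOKEN_COOKIE = 'fb_token';
const VALIDATE_URL = 'https://graph.facebook.com/oauth/access_token_info';

// Pull one cookie value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Cookie string for storing the token: HTTPS only, not sent cross-site.
// A cookie set from script cannot be HttpOnly, so it stays readable by page JS.
function tokenCookie(token, maxAgeSeconds) {
  return `${TOKEN_COOKIE}=${encodeURIComponent(token)}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Strict`;
}

// Expiring the cookie is how script deletes it.
function clearedTokenCookie() {
  return `${TOKEN_COOKIE}=; Max-Age=0; Path=/; Secure; SameSite=Strict`;
}

function validationUrl(appId, token) {
  return `${VALIDATE_URL}?${new URLSearchParams({ client_id: appId, access_token: token })}`;
}

// deps: { cookies, appId, httpGet(url) -> Promise<{ok}>, setCookie(str), showLogin() }
async function restoreSession(deps) {
  const token = readCookie(deps.cookies, TOKEN_COOKIE);
  if (!token) {
    deps.showLogin();                   // first visit: no stored token
    return { state: 'login', token: null };
  }
  let ok = false;
  try {
    ok = (await deps.httpGet(validationUrl(deps.appId, token))).ok === true;
  } catch (_) { /* network error: treat the token as unverified */ }
  if (ok) return { state: 'logged-in', token };
  deps.setCookie(clearedTokenCookie()); // invalid or expired: drop it
  deps.showLogin();
  return { state: 'login', token: null };
}
```

In a page, pass `document.cookie` as `cookies`, `fetch` as `httpGet`, a setter that assigns to `document.cookie` as `setCookie`, and a function that calls `FB.login` as `showLogin`.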
-1

I haven't tried this for myself but a look through the FB.getLoginStatus page in the documentation suggests the following.

FB.getLoginStatus

FB.getLoginStatus allows you to determine if a user is logged in to Facebook and has authenticated your app. There are three possible states for a user:

  1. the user is logged into Facebook and has authenticated your application (connected)
  2. the user is logged into Facebook but has not authenticated your application (not_authorized)
  3. the user is not logged into Facebook at this time and so we don't know if they've authenticated your application or not (unknown)

If I understand your question correctly, you may check the status for a case being not_authorized which will allow you to break out, in case the user is indeed logged in but has not authorized your application yet.

Make sure you place this case above the connected case though.

Also, this should work even though you're using FB.login instead of FB.getLoginStatus since according to the following quote from the same page,

The response object returned to all these events is the same as the response from FB.getLoginStatus, FB.login or FB.logout. This response object contains:

status The status of the User. One of connected, not_authorized or unknown.

authResponse The authResponse object.

the returned object is the same.

Siddharth
  • "status the status of the User. One of connected, not_authorized or unknown" These have nothing to do with my requirement. – Pankaj Jan 10 '14 at 01:16
  • @abcdefghi, could you please explain your requirements a little better? Especially with respect to the documentation. – Siddharth Jan 10 '14 at 13:05