Facebook Logout: Users changing passwords and invalid access_tokens

Solar2D General Questions/Discussion
#1

Hello,

I’m running into an issue with the Facebook login/logout that I’m hoping someone can point me in the right direction with.  For reference, I’m running Version 2014.2189.

I have an issue where calling facebook.logout() does not seem to clear the stored access_tokens for a user’s Facebook account, and so these are invalidated when the user changes their account login and then attempts to use Facebook in my application.  Here’s the steps for how I re-produce this issue:

  1. User is logged into their Facebook account via Settings -> Facebook on their iOS Device.  This is only an issue if users are using their Facebook account in the Settings -> Facebook tab of the device, if users are logged out here and are just using the Facebook mobile app or safari to authenticate them, this never seems to occur and resets correctly.
  2. Have user change password for their account on Facebook, but don’t update it in the Settings -> Facebook tab on their device.
  3. Launch game - Attempt to call facebook.login() to sign the user into Facebook.
  4. Receive the following response when the user attempts to login: {“error”:{“message”:“Error validating Access Token.  The session has been invalidated because the user has changed the password.”,“type”:“OAuthException”,“error_subcode”:460,“code”:190}}
  5. Upon receive this response, I call facebook.logout() followed by facebook.login() to attempt to flush the current access_token and force them to sign in again with their updated credentials.  However, I keep continually getting the error received in step #4.
  6. The user must manually go to Settings -> Facebook on their iOS Device outside of the application and enter their new password, or logout/login with their new account username and password.
  7. After manually logging back in via Settings -> Facebook on their iOS Device, calling facebook.login() within the application works again.

I can detect these sorts of errors and tell users to go update their Facebook username/password in the Settings -> Facebook tab on their device, but I’d rather not have to tell users to take this step manually when it seems like the access_token should be flushed when I call facebook.logout() in my app.

Is there any other way to successfully destroy the previous access_token for a Facebook user and have them login with their account credentials again?  As stated before, this process seems to work fine if you are using the Facebook mobile app or Safari to authenticate their login, but there’s not much I can do about that if they are signed into their Facebook account under Settings -> Facebook, as it will default to the account they have tied to their mobile device.

Any advice would be greatly appreciated.

Thanks!

#2

Bumping this up - I’ve been researching this in the meantime and still haven’t found a solution to the above issue.  Any ideas?

#3

Bumping this up one more time, hoping to find a solution as I haven’t had any luck looking around other sources.  

#4

I believe that the new Facebook SDK for iOS changes how logins work, which is:  1. Use the iOS internal login first.  2. Use the installed native.app second.  3. Only use the web browser if 1 and 2 are not available.  They really don’t want people using the web based authentication.

If they have used the iOS internal login, then the SDK is going to continue to try and use it.  I think this is pretty much out of our hands.  Sometime a while back (build 2126) we changed iOS to clear the access token.  Here is the check-in message:

iOS: When facebook.logout is called it will now clear the cached token.

So we should be clearing the token. 

If you can detect this login error, your only choice may be to alert people that they need to login through the settings app.  I can ask the engineers to look at this, but they are going to want a test case that has the problem.

Rob

#5

Hi Rob,

Thanks for the response.  I’m seeing what you describe, which is if users are signed into Facebook on their device in Settings, this is always used first.  If users are not logged in on the device, it attempts to use the native Facebook app, and only using the web to authenticate if neither of those options are available.

When we call facebook.logout(), it seems to work as intended for the native app and web authentication.  However, the only issue we’re experiencing is when users are logged into the Settings -> Facebook tab on the device and walk through the steps I’ve outlined above.

I’m currently running build 2189 and have re-tested on that build, but I still see the same issues when the users are logged into Facebook on the device.  Currently we are detecting if there are errors and are just throwing the error returned, so we could prompt users to go update their passwords if necessary, but I was hoping there’d be another way of handling that from within the app so we don’t force users to leave the app to correct the issue.

As far as a test case goes - I could provide a copy of my application since I can currently replicate this issue in my environment.  I follow the steps I posted in my first message to get this to occur, so if the instructions and application would be beneficial, I can pass those along.  What would be the best way for me to get those over?

Thanks!

#6

I would file a bug report using the “Report a bug” feature at the top.  There may be limited abilities to do anything about this.

Rob

#7

Done, I submitted a bug request outlining what I’ve seen so far and how to reproduce.  I did a test in the sample Facebook code that is available under CoronaSDK/SampleCode/Networking/Facebook with the issues I’ve outlined above and was able to produce the same results that we’re seeing in our project.

#8

Bumping this up - I’ve been researching this in the meantime and still haven’t found a solution to the above issue.  Any ideas?

#9

Bumping this up one more time, hoping to find a solution as I haven’t had any luck looking around other sources.  

#10

I believe that the new Facebook SDK for iOS changes how logins work, which is:  1. Use the iOS internal login first.  2. Use the installed native.app second.  3. Only use the web browser if 1 and 2 are not available.  They really don’t want people using the web based authentication.

If they have used the iOS internal login, then the SDK is going to continue to try and use it.  I think this is pretty much out of our hands.  Sometime a while back (build 2126) we changed iOS to clear the access token.  Here is the check-in message:

iOS: When facebook.logout is called it will now clear the cached token.

So we should be clearing the token. 

If you can detect this login error, your only choice may be to alert people that they need to login through the settings app.  I can ask the engineers to look at this, but they are going to want a test case that has the problem.

Rob

#11

Hi Rob,

Thanks for the response.  I’m seeing what you describe, which is if users are signed into Facebook on their device in Settings, this is always used first.  If users are not logged in on the device, it attempts to use the native Facebook app, and only using the web to authenticate if neither of those options are available.

When we call facebook.logout(), it seems to work as intended for the native app and web authentication.  However, the only issue we’re experiencing is when users are logged into the Settings -> Facebook tab on the device and walk through the steps I’ve outlined above.

I’m currently running build 2189 and have re-tested on that build, but I still see the same issues when the users are logged into Facebook on the device.  Currently we are detecting if there are errors and are just throwing the error returned, so we could prompt users to go update their passwords if necessary, but I was hoping there’d be another way of handling that from within the app so we don’t force users to leave the app to correct the issue.

As far as a test case goes - I could provide a copy of my application since I can currently replicate this issue in my environment.  I follow the steps I posted in my first message to get this to occur, so if the instructions and application would be beneficial, I can pass those along.  What would be the best way for me to get those over?

Thanks!

#12

I would file a bug report using the “Report a bug” feature at the top.  There may be limited abilities to do anything about this.

Rob

#13

Done, I submitted a bug request outlining what I’ve seen so far and how to reproduce.  I did a test in the sample Facebook code that is available under CoronaSDK/SampleCode/Networking/Facebook with the issues I’ve outlined above and was able to produce the same results that we’re seeing in our project.

#14

Hi, I’m Chris. I almost done with my 1st app, the only problem is the Facebook login. Sometimes it works and sometimes it doesn’t. The error I get is exactly what’s mentioned in this topic. I just used the sample code provided in the documentation. I’d really like to reproduce the error, but I couldn’t trace it. Sometimes it works and sometimes it does not. When it works, it works continuously, and oh I did try to erase app permission from the account I used to test so I can test the app from the very beginning, so I’ll have the app ask permission again, then it says {“error”:{“message”:“Error validating Access Token.  The session has been invalidated because the user has changed the password.”,“type”:“OAuthException”,“error_subcode”:460,“code”:190}}. Even if I use facebook.logout(), it still does not fix the issue. I really don’t get it why this is a hit and miss issue. Can anybody please give me tips on this? This has been my issue for 2 weeks now and as much as possible I really don’t like to post questions unless my hair is almost out, and yes, my hair is almost out. Thank you very much.

#15

What version of Corona SDK are you building with?

Is this happening on iOS or Android.

#16

Hi Sir, I am using 2014.2393. I found out a workaround for this last night, but I am hoping for a more convenient solution. So when I allow the permission the first time, it works. But when I revoke the permission so my app would ask the permissions again, it says "“Error validating Access Token”. When this happens I need to clear cache under the app settings and it works again. If I don’t, even if I logout or relogin, nothing works. This solution also clears my saved data score, so it’s kind of not a good solution. I am testing my app on an Android device. Thank you Sir.

#17

Hey chris,

I’ve found today that I’m getting the same problem. The first time I connect Facebook, allow the permissions and save the facebook token in local, then, remove (unlink) the app on the Facebook applications, then I restart and call the graph api of facebook to know if the token is already available. It returns an error (of course), then I call the facebook.login() function and it returns me a success login, but the returned token is the previous one, before I’ve unlinked the app.

The thing is that if I call after that the facebook.logout() function and then call again the facebook.login() it will works like the first time. But I want a more convenient solution.

Did you find something else Chris?

#18

Hi Mangoo Games, Unfortunately, no, I have not found any other solution for this. The only way for Facebook to work again is to erase app data. I’ve read so many articles that say just to logout and it should work, but it just does not work :frowning:

#19

Yeah, for me, if I logout it erase my cached token and then in the next login it will works. But the problem is that if I restart the app I’ve no more the facebook log in so I can’t logout immediately. I have to login, to know that the token is wrong, logout and then login again.

Have you seen this page ? http://forums.coronalabs.com/topic/42051-does-facebooklogout-actually-do-anything/

#20

Hi, I’m Chris. I almost done with my 1st app, the only problem is the Facebook login. Sometimes it works and sometimes it doesn’t. The error I get is exactly what’s mentioned in this topic. I just used the sample code provided in the documentation. I’d really like to reproduce the error, but I couldn’t trace it. Sometimes it works and sometimes it does not. When it works, it works continuously, and oh I did try to erase app permission from the account I used to test so I can test the app from the very beginning, so I’ll have the app ask permission again, then it says {“error”:{“message”:“Error validating Access Token.  The session has been invalidated because the user has changed the password.”,“type”:“OAuthException”,“error_subcode”:460,“code”:190}}. Even if I use facebook.logout(), it still does not fix the issue. I really don’t get it why this is a hit and miss issue. Can anybody please give me tips on this? This has been my issue for 2 weeks now and as much as possible I really don’t like to post questions unless my hair is almost out, and yes, my hair is almost out. Thank you very much.