Closed GoogleCodeExporter closed 9 years ago
Can you monitor if your app is removing the provider cookies somehow? Here is
how it works for me.
It authorizes only once per site per provider upon success login. Only if you
changed site, say from your localhost to your actual domain, it will ask you to
authorize again for security reasons.
Original comment by kelvin1...@gmail.com
on 3 Jul 2012 at 2:58
Should the cookie show up under my site url (I'm using Chrome 20, btw)?
Original comment by Matthew....@gmail.com
on 3 Jul 2012 at 3:21
What cookie am I supposed to be looking for? I don't see any created by my
application or by the demo application (Chrome 20, if it matters)?
Original comment by Matthew....@gmail.com
on 11 Jul 2012 at 11:38
Hi Matthew,
Clarity on SocialAuth.NET:
SocialAuth.NET cookies are used for running authentication framework only.
Every provider sets its own cookie which SocialAuth.NET is not aware of (and
shouldn't be). For example, when you request SocialAuth.NET to login with
Facebook, it passes your request to Facebook which has its own login screen and
sets its cookie upon login. It conveys via callback to SocialAuth.NET that user
is now logged in. When user requests login again with same provider, the
process repeats. I.e., SocialAuth.NET again requests provider. However, if
provider finds their cookie they may bypass authentication process and convey
SocialAuth.NET that user is already logged in or show login screen to user or
just permissions grant sccreen. You can not force authentication from a
provider using any mechanism.
I tried to replicate your scenario using Chrome 20 and Google as provider. Upon
login, the screen where Google displays list of requests application is
demanding, there is a checkbox that states like "Remeber Approvals". If I check
it and try re-login, Google automatically bypass authentication and permission
approval process and application logs in user. If I do not check it and attempt
login again, though user wouldn't need to specify credentials but would need to
grant permissions to application. Different providers have different behaviors.
For example, Yahoo almost always needs permissions approval while Facebook
happily logs in user silently. Browsers too have a role in varying behavior
sometimes in context of their cookie expiry behaviors.
To sum up, issue you are facing is not related with SocialAuth.NET or MVC. It
is likely a combination of browser support for cookies, Provider's
authentication framework and finally options selected by user (where
applicable).
However, you might come across sites like TripAdvisor.com, where you'd be
amazed to see the level of information fetched from profile and displayed. They
are paid sponsors and get additional access which are not available in general.
As an advance approach, you might save the authenticated tokens in database and
pass them to login method of socialauth.net as argument. This would force user
to login into application automatically (but wouldn't guarantee that token is
still valid for provider. Ideally, I do not think there is any need to bring in
such complexity and your issue is normal.
Hope it helps :)
I'm closing this issue for now. Please feel absolutely free if my response
doesn't answers your query.
Deepak
Original comment by daggar...@brickred.com
on 14 Jul 2012 at 6:11
[deleted comment]
Hi SocialAuth.NET Team,
Based on my understanding Mathew wants to authorize the application only once,
which in fact is impossible because of the UserLoginEndpoint value specified on
TwitterWrapper.
public override string UserLoginEndpoint { get { return
"https://api.twitter.com/oauth/authorize"; } set { } }
The problem has something to do with the above code. To make the authorization
only once we need to change the value of UserLoginEndpoint to:
public override string UserLoginEndpoint { get { return
"https://twitter.com/oauth/authenticate"; } set { } }
Please refer to app authorization page.jpg currently SocialAuth will redirect
the user to this page when SocialAuthUser.Login() method has been called
whether he authorize the app or not, right?
Please refer to must authorize app again.jpg once he authorized the app and he
tried to login again he will be redirected to the same page but different
content.
Here is the screen cap of the alteration I made to the code edited source.jpg.
And here is the solution I think he wants expected page.jpg
I hope this can help.
Best Regards,
Lawrence
Original comment by lawrence...@gmail.com
on 11 Aug 2012 at 3:57
Attachments:
Original comment by deepak.a...@3pillarglobal.com
on 16 Nov 2012 at 12:35
Thanks lawrence.ivp
You were correct. This issue is fixed in 2.3.1
Deepak
Original comment by deepak.a...@3pillarglobal.com
on 18 Jan 2013 at 9:18
Original issue reported on code.google.com by
Matthew....@gmail.com
on 2 Jul 2012 at 3:02