moraskiod / socialauth

Automatically exported from code.google.com/p/socialauth

Facebook logout doesn't work, user isn't prompted for login #277

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Deploy the Grails app given in https://code.google.com/p/socialauth/wiki/GettingStartedWithGrails
2. Try to log in via Facebook; the app will render the user details and friend list after Facebook authentication.
3. Go to the home page of the app.
4. Click on the logout link given under the Facebook icon.

What is the expected output? What do you see instead?

Once logout is successful and the user clicks on the login link again, the user should 
be prompted with the login page. It looks like the Facebook authenticated session is still 
there, causing the application not to prompt for authentication.

Please refer to the existing issue which was supposedly fixed, but not truly:
https://code.google.com/p/socialauth/issues/detail?id=21&can=1&q=logout&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary%20Modified

What version of the product are you using? On what operating system?
Windows 7, socialauth 4.2 and socialauth-filter 2.4

Original issue reported on code.google.com by manish.k...@ihg.com on 8 Jul 2013 at 4:40

GoogleCodeExporter commented 8 years ago
Please also refer to 
https://code.google.com/p/socialauth/issues/detail?id=259&can=1&q=logout&sort=modified&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary%20Modified

The problem here is this: suppose a user accessed my website giving his
Facebook credentials and logged in to my web application. Now if
some other user accesses the website again and signs up using his
Facebook, it should prompt him with the access page again, but
currently it simply logs in to the application using the old user's login,
which is a big security risk.

Original comment by manish.k...@ihg.com on 8 Jul 2013 at 4:45

GoogleCodeExporter commented 8 years ago
Calling disconnectProvider() of SocialAuthManager only disconnects the provider 
from the manager. It'll not disconnect the Facebook session. And also please make 
sure you are clearing your session too after calling disconnect if you want to 
make the user log out from your application.

If another user uses the application from the same machine with the same browser, in that 
case the Facebook session will be available in that browser, so he'll be logged in with 
the previous user's account.

Original comment by tarun.na...@3pillarglobal.com on 11 Jul 2013 at 2:21

GoogleCodeExporter commented 8 years ago
Hi Manish

I hope it is clear to you. Please open a new issue if you have any other query 
regarding this.

Regards
Tarun

Original comment by tarun.na...@3pillarglobal.com on 23 Jul 2013 at 11:51

GoogleCodeExporter commented 8 years ago
Hi Tarun,

I am also facing the same issue. Once we have logged in to Facebook in one 
browser, we are not able to log out. I think Facebook is maintaining a session 
with the browser, which is causing the problem.

Please respond if an issue is reported or I need to open one.

Original comment by narsi.na...@gmail.com on 2 Nov 2013 at 3:00

GoogleCodeExporter commented 8 years ago
Can you please read comment #2 carefully.
SocialAuth only provides logout functionality from the SocialAuth manager, not from 
the provider itself.

Original comment by tarun.na...@3pillarglobal.com on 5 Nov 2013 at 5:17

GoogleCodeExporter commented 8 years ago
Narsi...

Given below is a Grails code snippet which I use to log out from Facebook as well. 
As Tarun said, the SocialAuth API doesn't provide a way to log out from Facebook, 
and you will have to explicitly call Facebook (redirect) to log out.

The code given below will give you an idea of how it can be done.

        // Remove the social authentication provider
        SASFHelper helper = SASFStaticHelper.getHelper(getHttpRequest())
        if (helper != null) {
            SocialAuthManager socialAuthManager = helper.getAuthManager()
            if (socialAuthManager != null) {
                socialAuthManager.disconnectProvider(socialAuthManager.currentProviderId)
            }
        }

        // Read the user (and the access token stored on it) from the session BEFORE clearing it.
        def user = session.getAttribute('user')

        // Redirect user to social providers (e.g. facebook) for logout from their systems as well.
        // Make sure "your_website.com" is the same domain which you registered with facebook to generate key and secret
        def logoutUrl = "https://www.facebook.com/logout.php?next=http://your_website.com&access_token=" + user.accessToken

        // Remove the user data from session.
        session.user = null
        redirect(url: logoutUrl)

        // NOTE - Use your own way to get access token. Given below is an example of how I store the access token
        // in the user object at the time of facebook login ("helper" there is the SASFHelper for the login request):
        //     user.accessToken = helper.getProvider().getAccessGrant().getKey()

Original comment by manish.k...@ihg.com on 5 Nov 2013 at 5:35

GoogleCodeExporter commented 8 years ago
Also, certain lines might not be needed for you (e.g. clearing the session) - I just 
copied the code. 

Also, you can get the access token from SASFHelper helper = 
SASFStaticHelper.getHelper(getHttpRequest()) itself; no need to store the access 
token in the session etc.

Original comment by manish.k...@ihg.com on 5 Nov 2013 at 5:37
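A complete Grails logout action, added here as an example; it is not code from the original thread or from the socialauth project. It follows Tarun's explanation (disconnectProvider() only detaches the provider from the manager, so the application must clear its own session) and Manish's redirect to the Facebook logout endpoint, reading the access token straight from the helper as the last comment suggests. It also reads the token before the session is torn down (the ordering bug in the original snippet), invalidates the whole HTTP session rather than nulling one attribute, URL-encodes both query parameters, and only sends the browser to Facebook when Facebook was the provider. Assumed, not taken from the page: the Java packages of SASFHelper and SASFStaticHelper, the provider id string "facebook", the RETURN_URL placeholder, and the Grails controller conventions (request, session, redirect).

```groovy
import java.net.URLEncoder
import org.brickred.socialauth.SocialAuthManager
import org.brickred.socialauth.filter.SASFHelper        // package assumed; check your socialauth-filter jar
import org.brickred.socialauth.filter.SASFStaticHelper  // package assumed; check your socialauth-filter jar

class LogoutController {

    // Placeholder: the public URL Facebook sends the browser back to after logging it out.
    // It must be on the domain registered with Facebook for the app key and secret.
    static final String RETURN_URL = "http://your_website.com/"

    // Provider id SocialAuth uses for Facebook (assumed; compare with what your login flow passes in).
    static final String FACEBOOK_PROVIDER_ID = "facebook"

    def index() {
        String providerId = null
        String accessToken = null

        // 1. Collect everything still needed from the SocialAuth helper BEFORE tearing it down.
        //    The helper lives in the session, so nothing can be read from it after invalidate().
        SASFHelper helper = SASFStaticHelper.getHelper(request)
        SocialAuthManager manager = helper?.getAuthManager()
        if (manager != null) {
            providerId = manager.currentProviderId
            accessToken = helper.getProvider()?.getAccessGrant()?.getKey()

            // 2. Detach the provider from the manager. This is application-side only;
            //    it does not end the user's session at Facebook.
            if (providerId) {
                manager.disconnectProvider(providerId)
            }
        }

        // 3. Drop the entire server-side session (user object, manager, helper), so nothing of
        //    this user survives for the next person who uses the same browser.
        session.invalidate()

        // 4. End the provider session too where we can; otherwise just return to the site.
        redirect(url: providerLogoutUrl(providerId, accessToken) ?: RETURN_URL)
    }

    /**
     * Builds the Facebook logout URL from the thread (logout.php with next and access_token),
     * or returns null when the current provider is not Facebook or no token is available.
     */
    static String providerLogoutUrl(String providerId, String accessToken) {
        if (providerId != FACEBOOK_PROVIDER_ID || !accessToken) {
            return null
        }
        // Encode both values: the return URL contains reserved characters and the token is opaque.
        return "https://www.facebook.com/logout.php?next=" + URLEncoder.encode(RETURN_URL, "UTF-8") +
               "&access_token=" + URLEncoder.encode(accessToken, "UTF-8")
    }
}
```

Map the action to your logout link (for example /logout/index). The redirect to logout.php is what actually ends the Facebook browser session; without it the next person at the same browser is silently treated as the previous user, which is the risk described above. Invalidating the session also means a fresh session id is issued on the next request, so nothing from the old login can be picked up by whoever uses the browser next.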