
From what I understand, the end-result of the implicit flow is the access token, which allows the client (in my case a JS SPA) to authenticate into resource servers (APIs).

The access token is usually only valid for ~1 hour, then it expires – making it useless.

What should my JS app do then? Redirecting the user back to the auth server is unrealistic since then the user will have to reenter their credentials every 1 hour!

I also know that the implicit flow doesn’t support refresh tokens so I can’t use those either.

Is there a way to persist the user’s login? How do things like Facebook keep you logged-in indefinitely?

2 Answers


  1. If the session at the OP is still active (via a cookie perhaps), then OpenID Connect has a mechanism to refresh tokens in a (hidden) iframe: prompt=none.

    According to the spec, when sending this flow…

    The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

    prompt=none is also referred to from the Session Management specification.

  2. Just to clarify, you are asking about the Implicit flow which is detailed in the OAuth 2.0 RFC rather than OpenID Connect which deals more with authentication of a user?

    With the implicit flow you do have to regularly call the authorisation endpoint to obtain a new token, but if the user remains logged into their identity provider then they should not be prompted to resubmit their credentials, and the token will be returned as a hash fragment in the redirect uri, with no user interaction required.

    You can use an AJAX call to get the token on a back-channel so your SPA app user experience is not affected by the need to get new tokens.

    To address the points you highlight in your question:

    The access token is usually only valid for ~1 hour, then it expires – making it useless.

    Correct!

    then the user will have to reenter their credentials every 1 hour!

    Not necessarily.

    If the user stays logged into the identity provider (e.g. facebook, google) then there will be a browser cookie between the user and that provider. This effectively means the identity provider does not need the user to re-enter credentials. The authorisation server should be able to return you a token with no interaction required.

    Is there a way to persist the user’s login?

    You can’t control it from your SPA. It’s totally dependent on the user staying logged onto the identity provider. If they stay logged into Facebook, Google (or whatever IdP your app uses) then you should be able to get tokens non-interactively.

    This article nicely explains how the implicit flow can be implemented.

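Both answers describe the same mechanism: re-run the implicit-flow authorization request with prompt=none from a hidden iframe, and treat login_required / interaction_required as the signal that the session at the identity provider is gone. The following is an added example of that silent-renew loop for a browser SPA; it is not code from either answer or from any library. The authorization endpoint, client_id, redirect_uri and scope are placeholders, and the redirect page (silent-renew.html) is assumed to do nothing but `parent.postMessage(location.hash, location.origin)`. The response is only accepted when its `state` matches the value this page generated, so a fragment arriving from anywhere else is ignored.

```javascript
// Added example (not from the original answers): silent access-token renewal
// for an SPA using the implicit flow with prompt=none in a hidden iframe.
// All endpoint/client values below are hypothetical placeholders.
const CFG = {
  authorizeEndpoint: "https://idp.example/authorize",        // placeholder
  clientId: "spa-client-id",                                  // placeholder
  redirectUri: "https://app.example/silent-renew.html",       // placeholder
  scope: "openid profile api.read",                           // placeholder
};

// Error codes from OpenID Connect Core 3.1.2.6 that mean "the OP could not
// satisfy the request without showing UI": fall back to an interactive login.
const INTERACTIVE_ERRORS = new Set(["login_required", "interaction_required", "consent_required"]);

// Unguessable state value, bound to the request so a foreign response is rejected.
// Uses the Web Crypto API only; there is deliberately no Math.random fallback.
function randomState() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the authorization request. prompt=none tells the OP it MUST NOT show
// any login or consent page and must answer with an error instead.
function buildSilentRenewUrl(cfg, state) {
  const params = new URLSearchParams({
    response_type: "token",        // OAuth 2.0 implicit flow
    client_id: cfg.clientId,
    redirect_uri: cfg.redirectUri,
    scope: cfg.scope,
    state,
    prompt: "none",
  });
  return `${cfg.authorizeEndpoint}?${params.toString()}`;
}

// Parse the fragment the OP appended to redirect_uri, e.g.
// "#access_token=...&token_type=Bearer&expires_in=3600&state=..."
function parseFragment(hash) {
  const body = hash.startsWith("#") ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(body));
}

// Interpret a silent-renew response. Returns {ok:true, accessToken, expiresAt}
// or {ok:false, reason, interactive}. A state mismatch is rejected before the
// error or token fields are even looked at.
function handleSilentRenewResponse(hash, expectedState, now = Date.now()) {
  const r = parseFragment(hash);
  if (r.state !== expectedState) {
    return { ok: false, reason: "state_mismatch", interactive: false };
  }
  if (r.error) {
    return { ok: false, reason: r.error, interactive: INTERACTIVE_ERRORS.has(r.error) };
  }
  if (!r.access_token) {
    return { ok: false, reason: "no_token", interactive: false };
  }
  const expiresIn = Number(r.expires_in || 3600);   // seconds, per RFC 6749
  return {
    ok: true,
    accessToken: r.access_token,
    tokenType: r.token_type || "Bearer",
    expiresAt: now + expiresIn * 1000,
  };
}

// Schedule the next renew a fixed margin before the current token expires,
// so the SPA never makes an API call with a token that is already dead.
function nextRenewDelayMs(expiresAt, now, marginMs = 60_000) {
  return Math.max(0, expiresAt - now - marginMs);
}

// Browser-only: load the prompt=none request in a hidden iframe and resolve
// with the parsed result once silent-renew.html posts its fragment back.
function silentRenew(cfg, timeoutMs = 10_000) {
  const state = randomState();
  return new Promise((resolve, reject) => {
    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    const timer = setTimeout(() => { cleanup(); reject(new Error("silent renew timed out")); }, timeoutMs);
    function cleanup() {
      clearTimeout(timer);
      window.removeEventListener("message", onMessage);
      iframe.remove();
    }
    function onMessage(ev) {
      // Only the redirect page on our own origin is allowed to deliver the fragment.
      if (ev.origin !== window.location.origin || ev.source !== iframe.contentWindow) return;
      cleanup();
      resolve(handleSilentRenewResponse(String(ev.data), state));
    }
    window.addEventListener("message", onMessage);
    iframe.src = buildSilentRenewUrl(cfg, state);
    document.body.appendChild(iframe);
  });
}
```

In the app, call `silentRenew(CFG)` once the delay from `nextRenewDelayMs` elapses; when the result is `{ok:false, interactive:true}` the OP session has ended and the only remaining option is the interactive redirect the question wanted to avoid. Keep the access token in memory rather than in localStorage, and never treat the iframe's `message` event as trusted without the origin and state checks shown.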