I'm trying to set up Facebook authentication using this login example. The example works, but when I log out and try to log in again, Passport automatically lets me in without giving me an option to change the Facebook user. Any idea on how to change this behaviour?
By default, if you have already authorized login with Facebook, subsequent requests to authenticate will be automatic and won't prompt the user to authorize again. There are three options to change this behavior:
1. Log the user out of Facebook itself. This is undesirable, since you only want to log the user out of your application and not Facebook entirely.
2. Revoke the application's permissions. This is your best bet. To do this, make an HTTP DELETE call to https://graph.facebook.com/me/permissions with a valid Facebook access token. Read more at https://developers.facebook.com/docs/reference/api/user/#permissions.
3. Ask Facebook to re-authenticate the user. Facebook supports an auth_type parameter, which will prompt the user to log in each time when set to reauthenticate. Read more at https://developers.facebook.com/docs/howtos/login/client-side-re-auth/. Passport.js does not support passing this parameter out of the box, so you might have to do a little hacking to get it working in your application, or submit a pull request to the passport-facebook GitHub project.
However, you can optionally prompt the user to reauthenticate each time by using a specific parameter. A working but hacky and not recommended way of doing this is below:

```javascript
// Override the strategy's authorizationParams hook so that extra query
// parameters are appended to the Facebook OAuth dialog URL.
// Note: passport-oauth2 calls this hook with the options object given to
// passport.authenticate(), so auth_type must also be supplied there, e.g.
// passport.authenticate('facebook', { auth_type: 'reauthenticate' }).
FacebookStrategy.prototype.authorizationParams = function (options) {
  var params = {},
      display = options.display,
      auth_type = options.auth_type;
  if (display) params['display'] = display;
  if (auth_type) params['auth_type'] = auth_type;
  return params;
};

passport.use(new FacebookStrategy({
    clientID: FACEBOOK_APP_ID,
    clientSecret: FACEBOOK_APP_SECRET,
    callbackURL: "http://localhost:3000/auth/facebook/callback",
    auth_type: "reauthenticate"
  },
  // Verify callback: hand the Facebook profile to Passport as the user.
  function (accessToken, refreshToken, profile, done) {
    process.nextTick(function () {
      return done(null, profile);
    });
  }
));
```
The Facebook Passport strategy supports auth_type, which will redirect the user to sign in again for the app's OAuth tokens even if the user is already logged in on the browser. To enable this re-login behaviour on Facebook, use the following code:

```javascript
passport.authenticate('facebook', {authType: 'reauthenticate', callbackURL:...
```
You need to log out from Facebook too (or remove the application from the list in your settings). Otherwise Facebook remembers that the user (you) has accepted to log in to your app and returns to the application without asking you anything.