Facebook Oauth Logout?

I am having the same problem. I also login using oauth (I am using RubyOnRails), but logout, I do with Javascript using a link like this.

Up vote 31 down vote favorite 23 share g+ share fb share tw.

I have an application that integrates with Facebook using Oauth 2. I can authorize with FB and query their REST and Graph APIs perfectly well, but when I authorize an active browser session is created with FB. I can then log-out of my application just fine, but the session with FB persists, so if anyone else uses the browser they will see the previous users FB account (unless the previous user manually logs out of FB also).

The steps I take to authorize are: Call LINK: graph.facebook.com/oauth/authorize?clien...... This step opens a Facebook login/connect window if the user's browser doesn't already have an active FB session. Once they log-in to facebook they redirect to my site with a code I can exchange for an oauth token. Call LINK: graph.facebook.com/oauth/access_token?cl..... with the code from (1) Now I have an Oauth Token, and the user's browser is logged into my site, and into FB.

I call a bunch of APIs to do stuff: i.e. LINK: graph.facebook.com/me?access_token=.. Lets say my user wants to log out of my site. The FB terms and conditions demand that I perform Single Sign Off, so when the user logs out of my site, they also are logged out of Facebook.

There are arguments that this is a bit daft, but I'm happy to comply if there is any way of actually achieving that. I have seen suggestions that: A. I use the Javascript API to logout: FB.Connect.logout().

Well I tried using that, but it didn't work, and I'm not sure exactly how it could, as I don't use the Javascript API in any way on my site. The session isn't maintained or created by the Javascript API so I'm not sure how it's supposed to expire it either. B.

Use LINK: facebook.com/logout.php. This was suggested by an admin in the Facebook forums some time ago. The example given related to the old way of getting FB sessions (non-oauth) so I don't think I can apply it in my case.

C. Use the old REST api expireSession or revokeAuthorization. I tried both of these and while they do expire the Oauth token they don't invalidate the session that the browser is currently using so it has no effect, the user is not logged out of Facebook.

I'm really at a bit of a loose end, the Facebook documentation is patchy, ambiguous and pretty poor. The support on the forums is non-existant, at the moment I can't even log in to the facebook forum, and aside from that, their own FB Connect integration doesn't even work on the forum itself. Doesn't inspire much confidence.

Ta for any help you can offer. Derek ps. Had to change HTTPS to LINK, not enough karma to post links which is probably fair enough.

Facebook oauth logout link|improve this question asked May 4 '10 at 10:22Derek Troy-West6871410.

1 Sean's got a point, which you should listen to, because he's got more reputation than you, and that makes him right. If i'm logged into Facebook, then I come to your site, use it (or perhaps just decide to leave in abject disappointment), then log out, i'd be surprised and perhaps even a little outraged if I found i'd been logged out of Facebook too. If the UI made it clear that would happen, fine, but if it's just a button in the top-right corner of the page that says "Logout", maybe with a facebook logo kind of floating nearby, that's fairly surprising.

Surprise is not a feature of good UI. – Tom Anderson Jan 10 '11 at 17:02 4 @Tom: developers.facebook.com/policy Line #6. – Mike Purcell Sep 21 '11 at 21:07 @DigitalPrecision: An excellent link, which goes to show that not even Facebook can get this right.

– Tom Anderson Sep 21 '11 at 23:27 1 Agreed. We had to jump through hoops to get it to work within our application. Docs are horrid.

– Mike Purcell Sep 29 '11 at 17:37.

I am having the same problem. I also login using oauth (I am using RubyOnRails), but logout, I do with Javascript using a link like this: Logout this first calls the onclick function and performs a logout on facebook, and then the normal /logout function of my site is called. Though I would prefer a serverside solution as well, but at least it does what I want, it logs me out on both sites.

I am also quite new to the Facebook integration stuff and played around the first time with it, but my general feeling is that the documentation is pretty spread all over the place with lots of outdated stuff. Anyway, maybe that helps you. Ciao Christoph.

Thanks Christoph! I've tried that and it does indeed work. I had previously been trying to use FB.Connect.

Logout and FB.Connect. LogoutAndRedirect, which I think are from an older version of the API. As you say the documentation if pretty fragmented.

Just to add - prior to calling FB. Logout I had to call FB. Init as documented on the FB Javascript API page.

Thanks for your help. – Derek Troy-West May 10 '10 at 10:58 Just up update, this solution doesn't work in Chrome (5.0.375 at least) on a mac. The user isn't logged out of FB, works fine in Safari and Firefox though.. – Derek Troy-West Jul 15 '10 at 23:44 My logout page had to do some FB login checking.

The FB.logout() onclick did not complete fast enough before the redirection. I had to delay the redirection to ensure FB.logout() completes successfully first. – bcm Dec 1 '11 at 23:27.

This solution no longer works with FaceBook's current API (seems it was unintended to begin with) "yoursitename.com"" rel="nofollow">m.facebook.com/logout.php?confirm=1&next...; try to give this link on you signout link or button where "yoursitename.com" is where you want to redirect back after signout may be your home page. It works..

Sumit, thank-you. That works perfectly. I'm not entirely sure why the mobile version of facebook lets you log-out like that while the other doesn't but I don't care.

It's better than the jscript hack I'm using at the moment, and easier than the main facebook logout + session key described around here as well. – Derek Troy-West Jul 29 '10 at 10:52 4 But what if the user doesn't want their facebook session to be destroyed? What if they were already logged into face book, then log into your site, then log out of your site, then go back to facebook and don't understand why they've just been logged out?

This doesn't seem like the perfect solution... – Sean Sep 3 '10 at 14:24 1 When this question was asked a few months ago, single sign out was a requirement of the facebook terms and conditions. I'm not sure if it still is, and I don't disagree with you, but at the time it was required. – Derek Troy-West Feb 7 '11 at 14:30 11 Unfortunately it seems that it no longer works!

– Tomasz Zielinski May 6 '11 at 12:38 yes, this no longer seems to work – Matty Jul 18 '11 at 19:40.

Here is a full blown walk-through of how to authenticate via the oAuth protocol and log out via a Redirect/Facebook Javascript SDK. For your particular problem: There are two ways you can log out: Log out via Javascript SDK Log out via a Redirect to Facebook Logging Out with the Javascript Facebook SDK Since this is Javascript based, an html page that immediately executes the following: This is what the view code will look like (it's very....hackish...unfortunately...but each piece of html is needed....maybe one day Facebook will stream line this...): Logging you out of Facebook.... Logging Out of Facebook Using a Redirect Alternately (if you don't like the Javascript approach). You can log out of Facebook by redirecting to their logout.

Php page. Please keep in mind that this approach isn't documented. I used Fiddler2 to see how the Javascript SDK did it's log out magic....so just keep in mind that Facebook can change this anytime without prior notice.

To log out, just redirect to logout. Php with your Api Key and the Original Session Key when you authenticated via the oAuth protocol...the session code/key...not the Graph API Access Token: "http://www.facebook.com/logout.php?api_key={0}&;session_key={1}.

3 You can also add a parameter called "next" to the logout url when using the redirect method. The value of this parameter should be the url of the page that the user will be redirected to after the logout at Facebook. – Anders Fjeldstad Jul 16 '10 at 11:08 Thanks Amir, great answer.

I hadn't realised that the code you recieve as a part of the oauth handshake was actually the session key. – Derek Troy-West Jul 21 '10 at 13:09 1 OP said he was not using the FB JavaScript SDK. – Sean Sep 3 '10 at 14:25 I'm not having any luck with the logout.

Php redirect. I'm definitely passing in my correct api_key & the code parameter from the OAuth handshake. I just get redirected to facebook root with my login in tack.

Anyone else got this working? Have facebook changed the rules? – russau Feb 2 at 12:51 1 @amir I turnd on fiddler and did a javascript logout (as you did above), and the query string now appears to be in this format: facebook.com/logout.php?access_token=... &api_key=... &app_id=... &display=hidden &locale=en_US &next=... &sdk=joey - haven't experimented to see which parameters are necessary – russau Feb 5 at 3:20.

You can do this with the access_token: $access_array = split("\|", $access_token); $session_key = $access_array1; You can use that $session key in the PHP SDK to generate a functional logout URL. $logoutUrl = $facebook->getLogoutUrl(array('next' => $logoutUrl, 'session_key' => $session_key)); This ends the browser's facebook session.

You don't need to work with token manually due to $facebook already has it. – zerkms May 31 '10 at 12:06 Could you explain what you mean in more detail? This method is the only one I've found to log the user out and end the FB session without using javascript – Zach Greenberger May 31 '10 at 13:12 2 Bob, here's the structure of the logout URL: facebook.com/…; Where session_key is the middle part of the access token as I described above.

– Zach Greenberger May 31 '10 at 13:15 As @Amir pointed out, the session key is the same as the "code" you received from Facebook during the inintial OAuth authorization. Better to use that one than to try to parse the access token (since the format of the token could change). – Anders Fjeldstad May 31 '10 at 11:10 Using the same method Zach used.

Here is how to do a complete logout in RoR + Devise + Omniauth github.com/intridea/omniauth/wiki/… – Dex May 31 '10 at 9:43.

This works as of now - and is documented on facebook's site @ developers.facebook.com/docs/authenticat.... Not sure how recently it was added to the documentation, pretty sure it wasn't there when I checked Feb-2012 You can programmatically log the user our of Facebook by redirecting the user to facebook.com/logout.php?next=YOUR_REDIRE....

For Python developers that want to log user out straight from the backend At the moment I'm writing this, the trick with m.facebook.com no longer works (at least for me) and user is redirected to the mobile FB login page which obviously is not good for UX. Fortunately, FB PHP SDK has a semi-documented solution (in case the link doesn't lead to getLogoutUrl() function, just search look for it on that page). This is also mentioned in at least one other on StackOverflow: Facebook php SDK getLogoutUrl() problem.

BTW I've just noticed that Zach Greenberg got it right in this question, but I'm adding my answer as a summary for Python developers.

The mobile solution suggested by Sumit works perfectly for AS3 Air: html. Location = "m.facebook.com/logout.php?confirm=1&next....

A note for Christoph's answer: Facebook Oauth Logout The logout function requires a callback function to be specified and will fail without it, at least on Firefox. Chrome works without the callback. FB.

Logout(function(response) {}).

For me, setting the domain while constructing the facebook object solved the issue of logout along with $facebook->setSession(null).

Doesn't work. The method apparently is not even supported. – Akshar Prabhu Desai Mar 10 at 16:09.

It's simple just type : $facebook->setSession(null); for logout.

This solution no longer works with FaceBook's current API (seems it was unintended to begin with).

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.