I am adding authorization through a social network and I cannot understand whether it is possible to determine that the user has already logged out of the account through which they logged in.

That is, I went to the site, for example, through Facebook. When leaving, I logged out of Facebook. Can the site understand this: let it not catch the very moment of logging out, but the fact that when it is accessed again there is no Facebook user anymore?

  • If, when logging in through the social network, you do not save anything on the site itself (for example, a cookie saying that the user has logged in) and instead request the status via OAuth each time, then, of course, you will find out whether the user has logged out or not. - Gino Pane
  • Do I understand correctly that every time there will be a dialog with this social network? It will not confirm quietly? - splash58
  • Depends on what you use. If everything is implemented manually, a request is sent from PHP to the social network's OAuth. If the user is logged in, the user id, token, etc. will come back. If the user is not logged in, a different status will be returned and, most likely, a link where you need to go to log in. Then it is up to you what to do with this link and information. If you want to call the login dialog, you redirect to the link; if you don't, you can ignore it and follow whatever other logic you need. - Gino Pane
  • That's good, thanks. I will dig in this direction. Since I use a library for my authorization and not an external service, maybe it will work out. If you want, write it as an answer; it suggested a course of action to me, so I will mark it as correct :) - splash58
  • No, not worth it, I think. Sorry, I was a little inaccurate: it is more correct to use the specific methods of the sites being used for the check. For example, Twitter has the API method verify_credentials, to which you can send previously saved user data and check the login status; for the Wargaming API there is /wot/auth/prolongate/, and so on. It is all individual. And, as D-side noted in his answer, it is often impractical to do such checks. So decide whether you really need it. - Gino Pane

1 answer

As a rule, no.

Such authentication is based on the user authorizing access to their identification data from a third-party source (let us call it a social network). The fact of such authentication tells the site (the OAuth2 client) only that "on social network X (the OAuth2 provider) this user has identifier Y", from which, say, the site can conclude that "we have a user with identifier Z, and we will treat them as such" (if user Z previously indicated on the same site that they can be recognized by the pair X,Y; this is the so-called "linking of a social network account").

In typical authentication systems such a user is given a session certifying them as Z on the site, and this session exists until it ceases to be valid for the site (not for the social network!):

  • ... when explicitly destroyed ("Logout" from the site, or sessions being revoked by the server for external reasons)
  • ... by time (the lifetime of sessions is usually limited)

OAuth2 serves to transfer a token from the social network (through the browser) to the site. After the transfer has taken place, the social network and the site interact directly and no longer care about the browser.

If a person on this computer logs out of the social network account, only the browser's connection to the social network "breaks". The site does not participate in it and will learn about this fact only if it explicitly asks again, initiating an OAuth2 login anew. That login will try to "establish identity" through the browser-to-social-network connection and will be refused, since that connection no longer exists in this browser. But for this to happen you would have to drive the user through the whole OAuth2 procedure every time, treating the identity from the social network as good for only a single request. It would be roughly as if the user pressed "Logout" after every request. Not very practical.

The situation is slightly different if the user revokes the application's access to their data from the social network's interface. Then the direct connection between the social network and the site should cease to function, which the server can learn about and use to disable the session. But the social network, again, is not obliged to report this (according to OAuth2), and in this case the site would have to constantly poll the social network ("are we still good? can I still have the data?"), which is also not very practical.

  • Thanks. I understood it roughly like this, but you added some clarity for me. - splash58 2:58 pm
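The answer's point, as an added example that is not part of the original post: a site-side session store whose lifetime is independent of the provider's browser session, with throttled revalidation against a constructed stand-in provider. The class names, the token value and the intervals are assumptions, and FakeProvider models no real social network API.

```python
import time

SESSION_TTL = 3600       # site session lifetime in seconds (limited "by time")
REVALIDATE_EVERY = 300   # poll the provider at most this often per session

class SiteSessions:
    """Sessions live until the site itself expires or destroys them."""

    def __init__(self, token_still_valid, clock=time.time):
        self._token_still_valid = token_still_valid  # callable(token) -> bool
        self._clock = clock
        self._store = {}                             # sid -> session dict

    def login(self, sid, user_id, token):
        # user_id is Z, resolved from the X,Y pair during the OAuth2 flow
        now = self._clock()
        self._store[sid] = {"user": user_id, "token": token,
                            "created": now, "checked": now}

    def logout(self, sid):                 # explicit destruction by the site
        self._store.pop(sid, None)

    def is_valid(self, sid):
        s = self._store.get(sid)
        if s is None:
            return False
        now = self._clock()
        if now - s["created"] > SESSION_TTL:
            self._store.pop(sid)
            return False
        # Throttled poll: provider-side revocation is noticed only here, late
        if now - s["checked"] >= REVALIDATE_EVERY:
            s["checked"] = now
            if not self._token_still_valid(s["token"]):
                self._store.pop(sid)
                return False
        return True


class FakeProvider:                        # constructed stand-in, not a real API
    def __init__(self):
        self.granted = {"tok-abc"}         # constructed sample token
        self.browser_logged_in = True

    def browser_logout(self):              # invisible to the site
        self.browser_logged_in = False

    def revoke_app_access(self, token):    # visible on the site's next poll
        self.granted.discard(token)

    def token_still_valid(self, token):
        return token in self.granted
```

Logging out of the provider in the browser leaves the site session valid; revoking the application's access is seen only when the next throttled poll happens, while site-side logout and TTL expiry end the session regardless of the provider.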