So just a quick rundown of what I'm working on. I've developed an OAuth library using Google and Facebook to integrate into our company software. Our stack consists of the latest version of Lucee (ColdFusion), so a lot of the authentication was done manually following their documentation, although I do use each SDK so that I only have to worry about authenticating the returned tokens server side.
However, in regards to Facebook, when a user is already logged in to FB elsewhere, they are already in an authorized state when the SDK gets initialized on page load. Whenever I choose to 'Continue With Facebook', edit permissions and deny email permission, I then return back to the user stating why we need their email, and provide a button to restart the login flow re-requesting email permission, or just stop altogether.
Though when I choose to add email permission, using auth_type: 'rerequest', I get the following error:
You are overriding current access token, that means some other app is expecting different access token and you will probably break things. Please consider passing access_token directly to API parameters instead of overriding the global settings.
I understand what the error is stating, and why, but I cannot figure out how to resolve the issue. From all of the research I've found, everywhere states to pass the access token to the API, but all the examples are doing so using a URL endpoint via href rather than the SDK login function. Is this something that can be done via their SDK?
Here's what my FB.login() function looks like:
    // FB is the Facebook JS SDK global (already initialized on page load).
    // FacebookAuth.updateSigninStatus() and alertUserError() are our own app helpers.
    let authType;
    if (FB.getAccessToken()) {
        // Session already exists: re-request the scopes the user previously declined
        authType = 'rerequest';
    } else {
        authType = 'reauthorize';
    }

    FB.login(function (response) {
        // Check to see if user logged in and granted us permission
        if (response.authResponse && response.authResponse.grantedScopes) {
            let isConnected = response.status === 'connected';
            // grantedScopes is a comma-separated string, e.g. "public_profile,email"
            let grantedScopes = response.authResponse.grantedScopes.split(',').includes('email');
            // Need user permission to access email
            if (isConnected && grantedScopes) {
                FacebookAuth.updateSigninStatus();
            } else {
                // Re-ask for email permission
                alertUserError(false, 'Facebook');
            }
        }
    }, {
        auth_type: authType,
        scope: 'email',
        return_scopes: true,
        access_token: FB.getAccessToken() // Trying to pass current access_token here, but FB.login() generates a new token
    });
Took another look at the Facebook documentation and decided to go the route of storing the access token once it is created to verify the user server side, rather than using the Facebook SDK to do so, which doesn't repeat the login process, creating a new access token, and generating that error.
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#token
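The server-side route the update settles on, as an added example that is not the poster's code: the browser sends the user access token from response.authResponse.accessToken to the backend, and the backend validates it against the Graph API /debug_token endpoint (app access token is app_id|app_secret) rather than ever setting it as the SDK's global token. The app id, secret, user id, timestamps and Graph version are constructed placeholders; the checks on app_id, validity, expiry and granted scopes run offline against a sample response shaped like the documented debug_token output.

```javascript
// Added example (not from the post). Server-side validation of a Facebook user
// access token via Graph API /debug_token. Node 18+ for the optional live fetch.

// Build the /debug_token request URL. The app access token (app_id|app_secret)
// must only ever exist on the server. Graph version is an assumed placeholder.
function debugTokenUrl(userToken, appId, appSecret, graphVersion = 'v18.0') {
  const appToken = `${appId}|${appSecret}`;
  const qs = new URLSearchParams({ input_token: userToken, access_token: appToken });
  return `https://graph.facebook.com/${graphVersion}/debug_token?${qs}`;
}

// Decide whether a parsed debug_token response proves a usable login that
// granted every required scope. `now` is Unix seconds, as Graph API uses.
function verifyDebugToken(body, expectedAppId, requiredScopes, now) {
  const d = body && body.data;
  if (!d) return { ok: false, reason: 'malformed response' };
  if (d.error) return { ok: false, reason: `graph error: ${d.error.message}` };
  if (d.is_valid !== true) return { ok: false, reason: 'token not valid' };
  // Token must have been issued to OUR app; otherwise any app's token is accepted.
  if (String(d.app_id) !== String(expectedAppId)) return { ok: false, reason: 'wrong app_id' };
  if (d.type !== 'USER') return { ok: false, reason: `unexpected token type ${d.type}` };
  if (d.expires_at && d.expires_at <= now) return { ok: false, reason: 'token expired' };
  const granted = new Set(d.scopes || []);
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length) return { ok: false, reason: `missing scopes: ${missing.join(',')}` };
  return { ok: true, userId: String(d.user_id) };
}

// Live check (not exercised offline): fetch the debug_token response and verify it.
async function verifyTokenRemote(userToken, appId, appSecret, now = Math.floor(Date.now() / 1000)) {
  const res = await fetch(debugTokenUrl(userToken, appId, appSecret));
  return verifyDebugToken(await res.json(), appId, ['email'], now);
}

// Constructed sample, shaped like the Graph API's debug_token output.
const SAMPLE_DEBUG_RESPONSE = {
  data: {
    app_id: '123456789', type: 'USER', application: 'ExampleApp', is_valid: true,
    issued_at: 1700000000, expires_at: 1700005000,
    scopes: ['public_profile', 'email'], user_id: '10001',
  },
};

// Example run: only a response for our app, unexpired, with email granted, passes.
const sampleResult = verifyDebugToken(SAMPLE_DEBUG_RESPONSE, '123456789', ['email'], 1700001000);
```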