
Is there a way to log out via Facebook api on Android IF you have the Facebook app?


I'm using Facebook's Android API and everything works as expected with one exception. When I leave the Facebook app installed on the device (this is the stand-alone app, that has nothing to do with either the API or my app), and I call logout() on my Facebook object, it correctly voids the Facebook object but the next time I fire up the object it goes and retrieves the login data from the Facebook app and the login persists.

If I don't have the Facebook app installed on the device, everything works perfectly.

I'm curious if there's some mechanism I'm overlooking for forcing the Facebook app to not hold onto the login, or am I stuck having to tell my client (this is a custom app for a client, never going to market) that when they run this they will have to make sure to uninstall the Facebook app from the devices that they're running this on?


Solution

  • When you say the Facebook Android API, do you mean the Facebook Android SDK?

    If so, when you call authorize, you have the option of specifying whether that is a single sign on (SSO) or an OAuth 2.0 dialog authorization. The default is SSO. If you authorize with SSO, and the Facebook app is present and logged in, then the authorize succeeds without going anywhere near the Facebook server.

    If you do not use SSO, and use OAuth 2.0 dialog authorization, the user initially sees a login dialog plus an app authorization dialog, and after a successful login/authorization, the SDK keeps hold of an access token for subsequent authorizes.

    Unfortunately, the SDK logout does not take account of SSO. It does an OAuth 2.0 expiresession and clears the access token, but it does not tell the Facebook app that the user has logged out. So that means when you do the next authorize (assuming it is an SSO), the Facebook app is still logged in, and the authorize succeeds without going anywhere near the Facebook server.

    One way forward would be to not use SSO and require an OAuth 2.0 dialog authorization (using authorize(FORCE_DIALOG_AUTH)). That would require the user to log in even if the Facebook app is present and logged in, but it would prevent the login persisting.
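
The forced-dialog login and matching logout described in the answer above, as an added example that is not part of the original answer. It assumes the legacy Facebook Android SDK (package `com.facebook.android`); the class name `LoginActivity`, the `YOUR_APP_ID` placeholder and the empty permission list are hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import com.facebook.android.DialogError;
import com.facebook.android.Facebook;
import com.facebook.android.FacebookError;
import java.io.IOException;

public class LoginActivity extends Activity {
    private static final String TAG = "FbLogin";
    // Placeholder: substitute the app id registered for your application.
    private final Facebook facebook = new Facebook("YOUR_APP_ID");

    /** Always shows the OAuth 2.0 dialog; never delegates to the installed Facebook app (SSO). */
    void login() {
        facebook.authorize(this, new String[] {}, Facebook.FORCE_DIALOG_AUTH,
                new Facebook.DialogListener() {
                    @Override public void onComplete(Bundle values) {
                        Log.i(TAG, "session valid: " + facebook.isSessionValid());
                    }
                    @Override public void onFacebookError(FacebookError e) {
                        Log.w(TAG, "Facebook error", e);
                    }
                    @Override public void onError(DialogError e) {
                        Log.w(TAG, "dialog error", e);
                    }
                    @Override public void onCancel() {
                        Log.i(TAG, "login cancelled");
                    }
                });
    }

    /** Expires the session and clears the SDK's access token. Does network I/O, so it runs off the UI thread. */
    void logout() {
        new Thread(new Runnable() {
            @Override public void run() {
                try {
                    facebook.logout(getApplicationContext());
                } catch (IOException e) { // also covers MalformedURLException
                    Log.w(TAG, "logout failed", e);
                }
            }
        }).start();
    }
}
```

Because `login()` never takes the SSO path, the next login after `logout()` shows the dialog again instead of picking up the session held by the installed Facebook app.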