Facebook iOS SDK 3.0 Re-Authorisation

Question

I have a few of questions about the new FBSession reauthorisation (reauthorizeWithPermissions: behavior: completionHandler:) in facebook sdk 3.0:

Once someone has logged in via facebook on my app, on certain pages I would like to re-authenticate the user with his/her facebook credentials. This is to ensure that the person who is viewing the page and the person who initialled logged, are the same. The permissions for re-auth remain the same as login. All i need is a re-confirmation of the user's password to ensure this case.

Hence I am using the reauthorisationWithPermissions: to do this. And I am setting the behaviour as FBSessionLoginBehaviorForcingWebView to ensure that the user is forced to enter his/her credentials. However, this does not work at all. It simply pops up a blank webview for a couple of seconds and then disappears... At this point, it calls the FBSesstionStateHandler block with the state set to FBSessionStateOpen, however, fails to call the FBSessionReauthorizeResultHandler defined within the (completionHandler:).

However, if I simply set the behaviour to default (FBSessionLoginBehaviorWithFallbackToWebView) it works fine by passing the request back and forth between facebook app/safari and completes the call by calling the completionHandler correctly. However, with the default behaviour it does not force the user to re-enter his/her password.

So I am really confused, and the sdk docs on the web are not very useful for my case. Could someone please advise me on what I am doing wrong... or weather its a known bug in the SDK ? If so, how can I go about meeting my requirements ?

-(void) reauthThroughFacebook {

if ( !self.facebookSession.isOpen && self.facebookSession.state == FBSessionStateCreatedTokenLoaded) {
    [self.facebookSession openWithBehavior: FBSessionLoginBehaviorWithNoFallbackToWebView 
                         completionHandler: self.stateHandler];
} 

if ( self.facebookSession.isOpen ) {
    [self.facebookSession reauthorizeWithPermissions: self.userPermissions
                                            behavior: FBSessionLoginBehaviorForcingWebView
                                   completionHandler:^(FBSession *session, NSError* error){
                                       if (self.facebookSession == session) {
                                           [self completedReauthWithSuccess:(error == nil) error:error];
                                       }
                                   }];
} else {
    [self completedReauthWithSuccess:NO error:[NSError errorWithDomain: @"No active session found."
                                                                  code: FBErrorInvalid userInfo: nil]];
}

}

Also, once the reauth web view pops up correctly, how do I ensure that the user's email address is auto populated and block the user form changing it ? Can I access the web view within the facebook sdk to set these properties?

Finally, what happens to the access token and expiry date if the re-auth takes place with the same permissions as login ??

Thank you in advance,

Answer 1

This is an interesting question. I haven't coded it so I don't know if this will work but given how FB sessions work, this is my best guess at an approach.

Using one FB session, I don't think you can do this. Within a given session, FB auth is binary, either the user is logged in (i.e. has an open session) or not. The various reauth methods were intended to auth with additional permissions and are now deprecated in favor of methods to request additional permissions.

You may be able to accomplish something close to what you want by supporting multiple FB sessions. The secondary auth would be basically the same as allowing a second FB user to login to your app. You would then close the second session at the appropriate time. You could enforce that both sessions are the same FB user by comparing the FB user IDs.

In the last paragraph of the Understanding Sessions doc, FB discusses supporting multiple sessions.