'Facebook Oauth Logout

I have an application that integrates with Facebook using Oauth 2.

I can authorize with FB and query their REST and Graph APIs perfectly well, but when I authorize an active browser session is created with FB. I can then log-out of my application just fine, but the session with FB persists, so if anyone else uses the browser they will see the previous users FB account (unless the previous user manually logs out of FB also).

The steps I take to authorize are:

  1. Call [LINK: graph.facebook.com/oauth/authorize?client_id...]

This step opens a Facebook login/connect window if the user's browser doesn't already have an active FB session. Once they log-in to facebook they redirect to my site with a code I can exchange for an oauth token.

  1. Call [LINK: graph.facebook.com/oauth/access_token?client_id..] with the code from (1)

Now I have an Oauth Token, and the user's browser is logged into my site, and into FB.

  1. I call a bunch of APIs to do stuff: i.e. [LINK: graph.facebook.com/me?access_token=..]

Lets say my user wants to log out of my site. The FB terms and conditions demand that I perform Single Sign Off, so when the user logs out of my site, they also are logged out of Facebook. There are arguments that this is a bit daft, but I'm happy to comply if there is any way of actually achieving that.

I have seen suggestions that:

A. I use the Javascript API to logout: FB.Connect.logout(). Well I tried using that, but it didn't work, and I'm not sure exactly how it could, as I don't use the Javascript API in any way on my site. The session isn't maintained or created by the Javascript API so I'm not sure how it's supposed to expire it either.

B. Use [LINK: facebook.com/logout.php]. This was suggested by an admin in the Facebook forums some time ago. The example given related to the old way of getting FB sessions (non-oauth) so I don't think I can apply it in my case.

C. Use the old REST api expireSession or revokeAuthorization. I tried both of these and while they do expire the Oauth token they don't invalidate the session that the browser is currently using so it has no effect, the user is not logged out of Facebook.

I'm really at a bit of a loose end, the Facebook documentation is patchy, ambiguous and pretty poor. The support on the forums is non-existant, at the moment I can't even log in to the facebook forum, and aside from that, their own FB Connect integration doesn't even work on the forum itself. Doesn't inspire much confidence.

Ta for any help you can offer. Derek

ps. Had to change HTTPS to LINK, not enough karma to post links which is probably fair enough.

facebookoauthlogout


Solution 1:[1]

This works as of now - and is documented on facebook's site @ http://developers.facebook.com/docs/authentication/. Not sure how recently it was added to the documentation, pretty sure it wasn't there when I checked Feb-2012

You can programmatically log the user our of Facebook by redirecting the user to

https://www.facebook.com/logout.php?next=YOUR_REDIRECT_URL&access_token=USER_ACCESS_TOKEN

Solution 2:[2]

This solution no longer works with FaceBook's current API (seems it was unintended to begin with)

http://m.facebook.com/logout.php?confirm=1&next=http://yoursitename.com;

Try to give this link on you signout link or button where "yoursitename.com" is where u want to redirect back after signout may be ur home page.

It works..

Solution 3:[3]

I can programmatically log user out Facebook by redirecting user to

https://www.facebook.com/logout.php?next=YOUR_REDIRECT_URL&access_token=USER_ACCESS_TOKEN

The URL supplied in the next parameter must be a URL with the same base domain as your application as defined in your app's settings.

More details: https://developers.facebook.com/docs/authentication

Solution 4:[4]

You can do this with the access_token:

$access_array = split("\|", $access_token);

$session_key = $access_array[1];

You can use that $session key in the PHP SDK to generate a functional logout URL.

$logoutUrl = $facebook->getLogoutUrl(array('next' => $logoutUrl, 'session_key' => $session_key));

This ends the browser's facebook session.

Solution 5:[5]

With PHP I'm doing:

<a href="?action=logout">logout.</a>

if(isset($_GET['action']) && $_GET['action'] === 'logout'){
    $facebook->destroySession();
    header(WHERE YOU WANT TO REDIRECT TO);
    exit();
}

Works and is nice and easy am just trying to find a logout button graphic now!

Solution 6:[6]

Here's an alternative to the accepted answer that works in the current (2.12) version of the API.

<a href="#" onclick="logoutFromFacebookAndRedirect('/logout')">Logout</a>

<script>
    FB.init({
        appId: '{your-app-id}',
        cookie: true,
        xfbml: true,
        version: 'v2.12'
    });

    function logoutFromFacebookAndRedirect(redirectUrl) {
        FB.getLoginStatus(function (response) {
            if (response.status == 'connected')
                FB.logout(function (response) {
                    window.location.href = redirectUrl;
                });
            else
                window.location.href = redirectUrl;
        });
    }
</script>

Solution 7:[7]

the mobile solution suggested by Sumit works perfectly for AS3 Air:

html.location = "http://m.facebook.com/logout.php?confirm=1&next=http://yoursitename.com"

Solution 8:[8]

For Python developers that want to log user out straight from the backend

At the moment I'm writing this, the trick with m.facebook.com no longer works (at least for me) and user is redirected to the mobile FB login page which obviously is not good for UX.

Fortunately, FB PHP SDK has a semi-documented solution (in case the link doesn't lead to getLogoutUrl() function, just search look for it on that page). This is also mentioned in at least one other on StackOverflow: Facebook php SDK getLogoutUrl() problem.

BTW I've just noticed that Zach Greenberg got it right in this question, but I'm adding my answer as a summary for Python developers.

Solution 9:[9]

A note for Christoph's answer: Facebook Oauth Logout The logout function requires a callback function to be specified and will fail without it, at least on Firefox. Chrome works without the callback.

FB.logout(function(response) {});

Solution 10:[10]

@Christoph: just adding someting . i dont think so this is a correct way.to logout at both places at the same time.(<a href="/logout" onclick="FB.logout();">Logout</a>).

Just add id to the anchor tag . <a id='fbLogOut' href="/logout" onclick="FB.logout();">Logout</a>



$(document).ready(function(){

$('#fbLogOut').click(function(e){ 
     e.preventDefault();
      FB.logout(function(response) {
            // user is now logged out
            var url = $(this).attr('href');
            window.location= url;


        });
});});

Solution 11:[11]

Update: This solution works and just a call to 'FB.logout()' doesn't work because browser wants a user interaction to actually call this function, so that it knows - it is a user not a script.

<a href="#" onclick="FB.logout();">Logout</a>

Related Questions

Debug embedded browser view in native Facebook iOS app

Facebook Page Feed Webhook work in test but not when live

Facebook is not compressing Java Script files used in Like and Comment Plugin

Database schema for messaging to multiple users

Facebook SDK : logging out automatically

Facebook share error : "the page you requested cannot be displayed right now"

Getting public posts of a random user from Facebook API

Cannot deserialize the current JSON object (e.g. {"name":"value"}) into type 'System.Collections.Generic.List`1

Accessing friend list in facebook

Facebook adding tester users and admin is: (pending), what does that mean?

Installing Facebook APK in Genymotion

How to recover deleted Facebook app?

Facebook API – how to get Page-Scoped User ID (ids_for_pages is empty)?

How to exclude tagged posts from Facebook Graph API response

Facebook Pixel and Conversion API events deduplication stopped working