Facebook Login omniauth additional confirmation
Hi, I have been using Facebook Login for authentication into a Rails application that uses omniauth and omniauth-facebook. Graph API is used only for user authentication. The integration has been implemented and working for more than a year. There are no issues with the integration itself; however, I noticed a change in the flow. I would like to find out whether this is intentional on the Facebook side or whether it needs tweaking on the application side.
When a user is already signed into Facebook in his browser and then opens another tab in the same browser to sign into the Rails application, he clicks the Facebook icon, and this click initiates a request to Facebook and signs the user into the Rails application.
During the integration and until quite recently, in the above cases the user would get a quick redirect to Facebook and back to the Rails app, where he would be authenticated. So the entire authentication flow required the user to click the Facebook icon in the Rails app. This applied only to cases when the user is already signed into Facebook at the moment he clicks the Facebook icon in the Rails app. It's a different story if the user is not signed into Facebook.
Recently I noticed that the flow described above has changed: now, if a user who is already signed into Facebook clicks on the Facebook icon, he is redirected to a Facebook page with a modal. The page URL is something like https://www.facebook.com/privacy/consent/gdp/?params.....&params%5Bsteps%5D=%7B%22read%22%3A%5B%22email%22%2C%22public_profile%22%2C%22baseline%22%5D%7D&params%5Btp%5D=%22unspecified%22&params%5Bcui_gk%5D=%22%5BPASS%5D%3A%22&params%5Bis_limited_login_shim%5D=false&source=gdp_delegated
The modal on the page says: "Rails app is requesting access to: Your name and profile picture and email address." or "You previously logged in to Rails app with Facebook. Would you like to continue?"
And there are two buttons: "Continue as Username" and "Cancel".
This requires the user to perform one more step in the authentication flow (click a continue button on this confirmation modal) and I would like to ensure seamless authentication as it was before so users don't have to provide this confirmation if they are already signed into Facebook within the same browser.
Unfortunately, I cannot recall the exact date when the flow changed, but I remember the flow being seamless when I integrated it less than a year ago. I wonder whether this is something intentionally enforced by Meta or whether it is something that can be fixed on my side.
Thank you.