Facebook OAuth auth_type=reauthenticate does not work for specific users

My application requests authentication from Facebook. We found a problem when the user is already logged in to Facebook and has already allowed the application: Facebook will authenticate the application using the account that is logged in, without telling the user that it is doing so. We have users with multiple Facebook accounts, and this causes a problem because people authenticated the wrong account without being aware of it. I fixed this problem by adding auth_type=reauthenticate to the query string.

According to Facebook, the auth_type=reauthenticate parameter will always require the user to re-enter the password: https://developers.facebook.com/docs/reauthentication/

Unfortunately, the auth_type=reauthenticate parameter does not work for certain accounts. Most users will be asked to enter a password, but some users will simply pass straight through if they have already allowed the application. There seems to be no reason why auth_type=reauthenticate works for some users but is ignored for others. For the users where this value is ignored, it is ignored every time.

I use this authorization URL:

https://www.facebook.com/dialog/oauth?client_id=[my_client_id]&redirect_uri=[my_redirect_uri]&display=popup&auth_type=reauthenticate&response_type=code%20token&scope=publish_stream,manage_pages,offline_access

(with [my_client_id] and [my_redirect_uri] replaced by my values)

Is there a way to get ALL users to enter the password again, or is there some other way to get Facebook to show the user which account they authenticate?
