For sensitive actions on our website (such as password modification), we usually require our users to type again their old password and then the new one.
For a user using OpenId or Facebook Connect we would like to enforce something similar : even if the user is still logged on Facebook, doing something sensitive on our website would require him to authenticate again on Facebook (as in typing his password one again).
I managed to implement it for google with the PAPE extension, but I can’t find a way to do it for other OpenId providers or for Facebook Connect.
What would be the prefered way to implement it ?
Also, and it is related, we have young users (15-18 years old) using Facebook Connect : when they log out from our website they don’t realize they also need to log out from Facebook (because they never really went to Facebook). Because they are using public computers at their schools it might cause some trouble.
We were thinking about a warning message on log-out, saying something like “Don’t forget to log out from XXXX” with a link to do so.
What are the common practices in a such case ?
Thanks.
https://developers.facebook.com/docs/authentication/reauthentication/
Generate a logout URL through the SDK you’re using (example for the PHP SDK) – clicking on that link logs the user out of Facebook. (And it’s required by platform policies to provide such a link.)