21 Login with Facebook

Episode 199 · July 24, 2017

Learn how to add Facebook login via OAuth using Omniauth






Thanks for the video—it was great! I would love to see how you'd approach managing multiple OmniAuth strategies for a single user without Devise.…


Resource link replay video.
Thanks for great tutorial.


Wow, awesome episode Chris, very useful as always.


Thanks for the awesome tutorial.
In fb oauth, we are given an email address. But some platforms do not give an email address.
What is the best way to handle this case? I am trying to redirect a page where user can put their email address and save it. Could you please give me a guideline for this?


That would make for a good episode. I'll add this to my list. Luckily most of them, even Twitter, now provide email address.

The rough idea is that you should save the omniauth auth info to a cookie, and then redirect the user to set their email and save it all together.
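A sketch of the flow described in the reply above, as an added example that is not part of the original comment or the episode's code. It is plain Ruby standing in for a Rails callbacks controller: the `session` hash stands in for the cookie-backed session, and `PENDING_KEY`, the redirect path and the `users` array are assumptions. Only the provider identity is stashed (no access token), and a typed-in email is treated as unverified.

```ruby
# Added example: plain-Ruby stand-in for the callback flow; names below are assumptions.
PENDING_KEY = "pending_oauth"
PENDING_TTL = 600 # seconds the stashed identity stays usable

# Provider gave no email: keep only what is needed to finish sign-up.
# Credentials (access token) and any raw "extra" payload stay out of the cookie.
def handle_callback(session, auth, now)
  email = auth.dig("info", "email").to_s.strip
  return [:continue, email.downcase] unless email.empty?
  session[PENDING_KEY] = {
    "provider" => auth.fetch("provider"),
    "uid" => auth.fetch("uid"),
    "name" => auth.dig("info", "name"),
    "expires_at" => now + PENDING_TTL
  }
  [:redirect, "/users/email/new"]
end

# Called when the user submits the email form.
def complete_signup(session, submitted_email, users, now)
  pending = session[PENDING_KEY]
  return [:error, :no_pending_auth] if pending.nil?
  if pending["expires_at"] < now
    session.delete(PENDING_KEY)
    return [:error, :expired]
  end
  email = submitted_email.to_s.strip.downcase
  return [:error, :invalid_email] unless email.match?(/\A[^@\s]+@[^@\s]+\z/)
  # A typed-in address is unverified, so never attach it to an existing account.
  return [:error, :email_taken] if users.any? { |u| u[:email] == email }
  user = { provider: pending["provider"], uid: pending["uid"], name: pending["name"],
           email: email, email_confirmed: false }
  users << user
  session.delete(PENDING_KEY)
  [:ok, user]
end

# Constructed sample auth hash, shaped like request.env["omniauth.auth"].
SAMPLE_AUTH = {
  "provider" => "twitter", "uid" => "12345",
  "info" => { "name" => "Sam Example", "email" => nil },
  "credentials" => { "token" => "constructed-token", "secret" => "constructed-secret" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  session, users = {}, [{ email: "taken@example.com" }]
  p handle_callback(session, SAMPLE_AUTH, 1_000)
  p complete_signup(session, "sam@example.com", users, 1_100)
end
```

In a real app the new record would stay unconfirmed until a confirmation email is clicked.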


So I followed the tutorial to the letter but kept getting this error when trying to authenticate:

`Could not authenticate you from Facebook because "Invalid credentials".`

Of course everything was copy-pasted directly from the Facebook developer screen so the credentials were correct. 45 minutes deep into Stack Overflow and I discovered that pasting this into my devise.rb (as a parameter after the app secret, before the scope) made things work.

`token_params: { parse: :json }`

Hope this helps anyone who's stuck, or maybe someone can tell me what I did wrong.

Also fantastic episode Chris! Couldn't have gotten this far without this!


If we have an existing user in our application and he would like to log in through Facebook with the same email address, then this code breaks, as the user already exists with the same email address in our Users table.



I have been enjoying learning this series. I noticed when I log out of Devise and create a new Devise account and then go connect the Facebook it auto logs me in with the old session from the other user. Is there a way to allow some sort of session destroy or what's the best direction for this? Thanks

You can't control the Facebook session (because that would be insecure), but you probably are thinking about this as a developer for testing purposes rather than a user. They'll only have one Facebook account, so when they approve your app, there is no reason to approve it a second time. For your testing, it feels weird, but that's exactly how you'd want it to work for your users.

You can visit your Facebook account's connected apps and revoke it each time if you want to fully reset the OAuth process so you get the approve permissions step each time.

My users are authenticating to access pages they manage. So I'm concerned if they connect a Facebook account then realize the pages they need are in a different account. So I was thinking they could do some sort of disconnect, so they could attach a different Facebook account.

Ah okay, that makes sense. I think you always still authenticate as a Facebook user, and give access to your pages. So you should have API access to the user to get their pages and then let them choose and you'd just save that choice in your db. To let them remove it and choose again, you'd clear that record from your db, and then present them with the list of pages they manage from the API and save their choice.

Does that make sense? The last time I worked with Facebook pages was quite a few years ago.

Yes. I'm successfully handling the pages as you mentioned. I'm sorry, I don't think I was very clear before. The user creates an account with Devise... in that account they "Connect" Facebook. That gives access to pages they manage... but what if they realize when no pages load that they connected the wrong Facebook account... and therefore want to backtrack and disconnect that Facebook account and attach a completely different one to the same Devise user?

Yeah, unfortunately there's no real action you can take there. It will automatically use their logged in account if it has been previously authorized. The only thing you can do is give them instructions on how to revoke the app on Facebook or tell them to log out. Only Twitter has an option for OAuth to force the user to login that I'm aware of. This is one of the big downsides to OAuth right now that should really be fixed and standardized.
