Login with Facebook Discussion

General • Asked by Chris Oliver

Thanks for the video—it was great! I would love to see how you'd approach managing multiple OmniAuth strategies for a single user without Devise.…


Resource link replay video.
Thanks for great tutorial.


Wow, awesome episode Chris, very useful as always.


Thanks for the awesome tutorial.
In FB OAuth, we are given an email address. But some platforms do not give an email address.
What is the best way to handle this case? I am trying to redirect a page where user can put their email address and save it. Could you please give me a guideline for this?

That would make for a good episode. I'll add this to my list. Luckily most of them, even Twitter, now provide email address.

The rough idea is that you should save the omniauth auth info to a cookie, and then redirect the user to set their email and save it all together.
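
The flow sketched in the reply above, as an added example that is not part of the original thread or the GoRails code. It keeps only the provider and uid (never the access token), signs the value, and expires it; the method names, `SECRET` and the sample auth hash are constructed for illustration, and the hand-rolled HMAC stands in for the signed session a Rails app would normally use.

```ruby
require "openssl"
require "json"

SECRET = "constructed-demo-secret" # assumption: a Rails app would rely on its signed session
TTL = 600                          # seconds a pending sign-up stays valid

# Constructed sample of what an OmniAuth callback hands over when no email is supplied.
SAMPLE_AUTH = { "provider" => "twitter", "uid" => "12345",
                "credentials" => { "token" => "constructed-token" } }.freeze

def sign(body)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, body)
end

# Length check plus constant-time byte comparison of two MAC strings.
def same_mac?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1: keep only what is needed to finish sign-up; the access token stays out of the cookie.
def pack_pending_auth(auth, now: Time.now.to_i)
  data = { "provider" => auth["provider"], "uid" => auth["uid"], "exp" => now + TTL }
  body = JSON.generate(data).unpack1("H*") # hex keeps the value cookie-safe
  "#{body}.#{sign(body)}"
end

# Returns the stored hash, or nil if the cookie was altered or has expired.
def unpack_pending_auth(cookie, now: Time.now.to_i)
  body, mac = cookie.to_s.split(".", 2)
  return nil if body.nil? || mac.nil? || !same_mac?(mac, sign(body))
  data = JSON.parse([body].pack("H*"))
  data["exp"] > now ? data : nil
rescue JSON::ParserError
  nil
end

# Step 2: the user submitted the email form; save the identity and email together.
def complete_signup(cookie, email, users, now: Time.now.to_i)
  pending = unpack_pending_auth(cookie, now: now)
  return [:restart_oauth, nil] unless pending
  return [:invalid_email, nil] unless email.to_s.match?(/\A[^@\s]+@[^@\s]+\.[^@\s]+\z/)
  user = { "email" => email.downcase, "provider" => pending["provider"], "uid" => pending["uid"] }
  users << user
  [:created, user]
end
```
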


So I followed the tutorial to the letter but kept getting this error when trying to authenticate:

`Could not authenticate you from Facebook because "Invalid credentials".`

Of course everything was copy-pasted directly from the Facebook developer screen, so the credentials were correct. 45 minutes deep into Stack Overflow and I discovered that pasting this into my devise.rb (as a parameter after the app secret, before the scope) made things work.

`token_params: { parse: :json }`

Hope this helps anyone who's stuck, or maybe someone can tell me what I did wrong

Also fantastic episode Chris! Couldn't have gotten this far without this!


If we have an existing user in our application and he would like to log in through Facebook with the same email address, then this code breaks, as the user already exists with the same email address in our Users table.

Watch the next episode in the series: https://gorails.com/episode...


I have been enjoying learning this series. I noticed when I log out of Devise and create a new Devise account and then go connect Facebook, it auto logs me in with the old session from the other user. Is there a way to allow some sort of session destroy, or what's the best direction for this? Thanks

You can't control the Facebook session (because that would be insecure), but you probably are thinking about this as a developer for testing purposes rather than a user. They'll only have one Facebook account, so when they approve your app, there is no reason to approve it a second time. For your testing, it feels weird, but that's exactly how you'd want it to work for your users.

You can visit your Facebook account's connected apps and revoke it each time if you want to fully reset the OAuth process so you get the approve permissions step each time.

My users are authenticating to access pages they manage. So I'm concerned if they connect a Facebook account and then realize the pages they need are in a different account. So I was thinking they could do some sort of disconnect, so they could attach a different Facebook account.

Ah okay, that makes sense. I think you always still authenticate as a Facebook user, and give access to your pages. So you should have API access to the user to get their pages and then let them choose and you'd just save that choice in your db. To let them remove it and choose again, you'd clear that record from your db, and then present them with the list of pages they manage from the API and save their choice.

Does that make sense? The last time I worked with Facebook pages was quite a few years ago.

Yes. I'm successfully handling the pages as you mentioned. I'm sorry, I don't think I was very clear before. The user creates an account with Devise... in that account they "Connect" Facebook. That gives access to pages they manage... but what if they realize when no pages load that they connected the wrong Facebook account... and therefore want to backtrack and disconnect that Facebook account and attach a completely different one to the same Devise user?

Yeah, unfortunately there's no real action you can take there. It will automatically use their logged in account if it has been previously authorized. The only thing you can do is give them instructions on how to revoke the app on Facebook or tell them to log out. Only Twitter has an option for OAuth to force the user to login that I'm aware of. This is one of the big downsides to OAuth right now that should really be fixed and standardized.

With more and more concerns over the security and usage of user data at Facebook, does anyone have second thoughts about providing Facebook as an option?

I try to never use OAuth to login unless it's something that'll need access to that account (like a deployment tool that needs access to GitHub, might as well login to the app with GitHub then). It makes perfect sense in this case.

The thing I don't like is using social login on a website, you can't use the app anymore if you stopped using the social site. That's crappy and with LastPass, etc. it's real easy to just generate passwords and login with email anymore. And phones are getting better about this too, but they still lag behind a bit.

Mailchimp has a great post on social logins that has since been taken down it seems: https://web.archive.org/web/20180820002438/https://blog.mailchimp.com/social-login-buttons-arent-worth-it/

That's a very interesting article, and also the one referenced within it. I hadn't thought too much about it making sites look like the side of a Nascar. Either way, I think I'll leave it out of my sign_up process for the time being.

