I'm implementing authentication with OAuth 2 providers (Google and Facebook) using the Flask-OAuthlib package.
For Google, I'm using this:
google = oauth.remote_app(
    "google",
    consumer_key=client_id,
    consumer_secret=client_secret,
    request_token_params={"scope": "email"},
    base_url="https://www.googleapis.com/oauth2/v1/",
    request_token_url=None,
    access_token_method="POST",
    access_token_url="https://accounts.google.com/o/oauth2/token",
    authorize_url="https://accounts.google.com/o/oauth2/auth",
)
For Facebook, the code is similar:
facebook = oauth.remote_app(
    "facebook",
    consumer_key=client_id,
    consumer_secret=client_secret,
    request_token_params={"scope": "email"},
    base_url="https://graph.facebook.com/",
    request_token_url=None,
    access_token_method="GET",
    access_token_url="/oauth/access_token",
    authorize_url="https://www.facebook.com/dialog/oauth",
)
More complete examples are available here.
When using the Google provider, I can successfully log in, and once I log off, when I try to log in again, I'm redirected to Google's page, which shows the list of accounts and lets me choose one.
When using the Facebook provider, I can successfully log in, but once I log off, when I log in again, Facebook doesn't ask anything any longer and simply logs me in automatically with the previously used account.
How do I force Facebook to reauthenticate, i.e. show the user the Facebook page that makes it possible to select a given account every time?
Found it.
The line:
request_token_params={"scope": "email"},
should be replaced by:
request_token_params={"scope": "email", "auth_type": "reauthenticate"},
In fact, according to the official documentation:
"To re-authenticate, you can use these same steps with additional parameters to force it:
[...]
reauthenticate
- asks the person to re-authenticate unconditionally"
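The following is an added example, not code from the question, the answer or the Flask-OAuthlib project. It reproduces what remote_app.authorize() does with request_token_params, namely appending each key to the authorization-endpoint query, so the effect of adding "auth_type": "reauthenticate" can be inspected offline. The client id, redirect URI and state values are constructed placeholders; the state helper is included because the same redirect carries the anti-CSRF state value that the callback must verify.

```python
"""Builds the Facebook OAuth 2 authorization redirect the way
Flask-OAuthlib's remote_app.authorize() does, so the query parameters
produced by request_token_params can be examined without a Flask app.
Added example; all ids and URLs below are illustrative placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint used in the question's Facebook configuration.
FACEBOOK_AUTHORIZE_URL = "https://www.facebook.com/dialog/oauth"


def build_authorize_url(authorize_url, client_id, redirect_uri, state, extra_params=None):
    """Compose the authorization-endpoint URL.

    `extra_params` plays the role of request_token_params: every key in it
    is appended verbatim to the query string of the redirect.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    params.update(extra_params or {})
    return authorize_url + "?" + urlencode(params)


def facebook_login_url(client_id, redirect_uri, state, force_reauth):
    """Login redirect with the question's original scope, optionally adding
    the auth_type=reauthenticate parameter from the answer."""
    params = {"scope": "email"}
    if force_reauth:
        params["auth_type"] = "reauthenticate"
    return build_authorize_url(FACEBOOK_AUTHORIZE_URL, client_id, redirect_uri, state, params)


def query_params(url):
    """Return the query string of `url` as a flat dict (first value wins)."""
    return {key: values[0] for key, values in parse_qs(urlparse(url).query).items()}


def new_state():
    """Unguessable per-request state value to store in the session."""
    return secrets.token_urlsafe(16)


def callback_state_is_valid(expected_state, returned_state):
    """Constant-time check that the state echoed back on the callback matches
    the one stored in the session before the redirect."""
    return secrets.compare_digest(expected_state, returned_state)


if __name__ == "__main__":
    state = new_state()
    redirect_uri = "https://app.example/login/facebook/authorized"  # placeholder
    print(facebook_login_url("FB_APP_ID_PLACEHOLDER", redirect_uri, state, False))
    print(facebook_login_url("FB_APP_ID_PLACEHOLDER", redirect_uri, state, True))
```

Running the script prints the two redirects side by side; the only difference is the trailing auth_type=reauthenticate, which is what makes Facebook show the account prompt again after a logoff.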