Facebook login setting valid OAuth redirect URI
I get "this URL has been identified as malicious and/or abusive."
How can I fix it?
Related
What is the purpose of Facebook "Valid OAuth Redirect URIs" and how to use it?
What I should have on this URL?
Does Facebook send any data to the URL when a user is logged in using the Facebook Login on my site?
Here is a question about some redirecting but I think it is not OAuth Redirect: purpose of redirect URI in facebook.
"Valid OAuth Redirect URIs" can be configured in My Apps > {your app} > Facebook Login > Settings.
"Valid OAuth Redirect URIs", which I'll call only redirect_uri, is used when you Manually Build a Login Flow.
In this case redirect_uri is a URL to which your web user is redirected after login.
Facebook sends code and state as URL parameters when redirect to redirect_uri.
On the redirect_uri on your http server you should have a programming code which verify the state and use the code to get an access_token.
Example how to make server side API calls:
1. Your login page
On your web page (e.g. https://yourdomain.com/fb-login.html) you have the following Login link:
Login
111 is you Facebook App ID.
https%3A//yourdomain.com/fb-auth.html is your redirect_uri and has to match what you configured in "Valid OAuth Redirect URIs".
mystate123 is your custom state or kind of session ID which you can use to verify that the callback is initiated from your login page. Facebook: "A string value created by your app to maintain state between the request and callback.".
2. Facebook Login window
When the user click "Login" the Facebook Login window appears and she/he enters her/his username and password. After that, on successful login, the user is redirected to
https://yourdomain.com/fb-auth.html?code=JQJc5CF&state=mystate123
3. Extract parameters from the callback
When the GET request of the above URL hits your http server you have to extract the code and should extract the state from the URL.
4. Verify the state (optional)
You can verify that the state is matching the state you provided on your Login button at fb-login.html
5. Get access_token
On your server you have to make another GET request to get an access_token. This is server to server call, thus you can include your client_secret. WARNING: Never include your client_secret in client-side code!
https://graph.facebook.com/v9.0/oauth/access_token?client_id=111&redirect_uri=https%3A//yourdomain.com/fb-auth.html&client_secret=222&code=JQJc5CF
The response is:
{
"access_token": "IEESb4Z",
"token_type": "bearer"
}
6. Make API calls
Now you can use the access token to make API calls:
https://graph.facebook.com/v9.0/me?fields=id,name,email&access_token=IEESb4Z
2 weeks ago we received a message on developers.facebook.com about our app appears to be creating a negative experience on Facebook, and it violate the privacy policy of Facebook.
We recived an email with the same info, and 4 paragraph which countained that we need to check the Facebook documentation, and we should try to search the issue on stackoverflow, etc.
I checked the GDPR fields (I am in EU) and my used and already approved permissions with my code. BTW my approved items: email and default. I need this permission, because I have a login system on my website - so we have a need for the name, email and avatar of the user and for this data to be saved in our database.
I had an alert previously about OAuth redirect URIs or enabled Strict Mode validation. I filled the OAuth field with a valid url and I enabled "Strict Mode for Redirect URIs".
After I submitted an app review.
And now, the Facebook restricted our app and we don't have any clue where to look for the error.
To login I requested data: public_profile, email.
auth_type: rerequest
response_type: code granted_scopes
redirect uri: mywebpage.tld/get_facebook_profile
In Facebook login settings page:
Client OAuth Login: yes
Web OAuth Login: yes
Force Web OAuth Reauthentication: no
Use Strict Mode for Redirect URIs: yes (and now it's unchangeable)
Enforce HTTPS: yes (unchangeable too)
Embedded Browser OAuth Login: no
Valid OAuth Redirect URIs: filled with a valid url, and yes, I use https
Login from Devices: no
If I copy the Valid OAuth Redirect URIs to Redirect URI Validator field and if I click "Check URI", I get a message about my URI is valid.
I'm thinking.
The "Deauthorize Callback URL" and "Data Deletion Request URL" field are empty and I think it is not required. The Facebook maybe restricting us about this? Or we need a higher user permissions, because we store user data?
Anyway and seriously, where do we get the information about why facebook restricted our app on Facebook, if Facebook refuses to help and dont give any technical information?
It was solved. The "Deauthorize Callback URL" and the "Data Deletion Request URL" is required in EU, because we have GDPR oc.
I followed the link https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-facebook-authentication to set up Facebook login.
In the https://developers.facebook.com/apps, the "Valid OAuth redirect URIs" has the following URI
https://myapp.azurewebsites.net/.auth/login/facebook/callback
However, it still gets the error?
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
Update:
Added both https://myapp.azurewebsites.net/signin-facebook and https://myapp.azurewebsites.net/.auth/login/facebook/callback. And now the website got error of
A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity. To enable anti-forgery token support with claims-based authentication, please verify that the configured claims provider is providing both of these claims on the ClaimsIdentity instances it generates. If the configured claims provider instead uses a different claim type as a unique identifier, it can be configured by setting the static property AntiForgeryConfig.UniqueClaimTypeIdentifier..
On the line of #Html.AntiForgeryToken() in d:\home\site\wwwroot\Views\Account\_ExternalLoginsListPartial.cshtm
Update:
Added the followign line in global.asax and the error above is gone.
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
However, it just shows the following message box with url of https://myapp.azurewebsites.net/.auth/login/done#_=_.
You have successfully signed in
-> RETURN TO THE WEBSITE
Clicking the link will return to the login screen. https://myapp.azurewebsites.net/ (which doesn't need to be authorized) stead of https://myapp.azurewebsites.net/event. Typing https://myapp.azurewebsites.net/event will show the login page again. (redirected to https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent)
As this official tutorial about Authentication and authorization in Azure App Service:
App Service Authentication / Authorization is a feature that provides a way for your application to sign in users so that you don't have to change code on the app backend. It provides an easy way to protect your application and work with per-user data.
You could browser at https://myapp.azurewebsites.net/.auth/login/facebook for logon.
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
You could leverage fiddler to capture the network package to check your facebook logon processing as follows:
Note: Make sure the above redirect_uri has been added to Valid OAuth redirect URIs. HTTP or HTTPS could be a possible cause.
Additionally, if you use the Middleware UseFacebookAuthentication for authenticating users using Facebook, I assumed that you need to add http(s)://myapp.azurewebsites.net/signin-facebook to Valid OAuth redirect URIs or you could try to use the following code:
app.UseFacebookAuthentication(new FacebookAuthenticationOptions()
{
AppId = "{your-app-id}",
AppSecret = "{your-app-secret}",
CallbackPath = new PathString("/.auth/login/facebook/callback")
});
UPDATE:
I followed this tutorial about handling Facebook authentication by using OWIN in ASP.NET MVC5, I found that I could not retrieve the logged facebook user info and the returnUrl is not working. After some trials, I found that Facebook did a force upgrade of the graph API from v2.2 to v2.3 as follows:
Facebook Graph API, Changes from v2.2 to v2.3:
[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.
You need to upgrade Microsoft.Owin.Security.Facebook to 3.1.0, or you need to implement the BackchannelHttpHandler mentioned in this issue.
I was getting this facebook login error:
URL Blocked
This redirect failed because the redirect URI is not
whitelisted in the app’s Client OAuth Settings. Make sure Client and
Web OAuth Login are on and add all your app domains as Valid OAuth
Redirect URIs.
Facebook login requires whitelisting of the call-back url.
what is the call back url for django-social-auth or python-social-auth ?
include a url to your website that is the absolute url version of this relative url:
/complete/facebook/
how to find this out?
use Chrome browser dev tools, enable preserve log, try to login to your app.
This question / answer is for django-social-auth but likely applies to python-social-auth too.
I am trying to use scribe for Facebook OAuth 2.0 implementation and I get below error
'{"error":{"message":"Error validating verification code. Please make
sure your redirect_uri is identical to the one you used in the OAuth
dialog
request","type":"OAuthException","code":100,"fbtrace_id":"FusY4X0TorE"}}'
I used the below URL to get Token
https://www.facebook.com/dialog/oauth?granted_scopes=1&response_type=code&client_id=473486006089780&scope=email,user_about_me,user_birthday,user_location&redirect_uri=https://www.bankbazaar.com/
I create my service as below
OAuthService service = new ServiceBuilder()
.provider(FacebookApi.class)
.apiKey("1415540682058832")
.apiSecret("07b182efcb587065ceef615a945d92a4")
.callback("https://www.bankbazaar.com/")
.build();
Let's say I get valid code/verifier from FB and use it to get access token
I print my Authorization URL and get something as below
https://www.facebook.com/v2.2/dialog/oauth?client_id=1415540682058832&redirect_uri=https%3A%2F%2Fwww.bankbazaar.com%2F
In my Facebook App page, I have the below setting
Kindly suggest where am I going wrong ?
You must set redirect URL in Valid OAuth redirect URIs. It is in Settings -> Advanced, scroll down to Client OAuth Settings-> Valid OAuth redirect URIs: