I know that this question have been asked before, but my scenario is a bit different. I'm trying to implement login with facebook feature into my website, which has SSL, but when I attempt to login I get an error message:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
Ideas?
This solution was tested on a django application using Facebook OAuth
NOTE
my site already had SSL and is accessible via https
But when trying to login using Facebook OAuth i get the above error (Insecure Login Blocked)
My Solution
all i had to do was to set ( this configuration is done within application setting :: settings.py )
ACCOUNT_DEFAULT_HTTP_PROTOCOL = 'https'
helpful link
which literally means
use *https* instead of the default *http* when trying to login using social account e.g Facebook
Then i also set Valid OAuth Redirect URIs on facebook login settings to https://redirect_url.com
For non django application
If you're not using django, i believe there should be a base configuration file, where all your configurations for the application are done (it might be same file where you've configured your application to use social authentication).
Whatever library you're using to enforce social authentication, search for how you can allow redirect to be done via https instead of the default http and then add it to your application's configuration file.
I hope this helps someone save some time
Related
I have a website that uses the Facebook Login feature successfully and it still works as we speak. But I want to use the same facebook app on another website using the same keys etc...
But for some reason, even though I have added the correct URI's into the OAuth part of the Facebook page, I still get:
URL blocked: This redirect failed because the redirect URI is not
white-listed in the app's client OAuth settings. Make sure that the
client and web OAuth logins are on and add all your app domains as
valid OAuth redirect URIs.
Does anyone have any ideas on where I can start to find out why Facebook isn't accepting these new urls?
Okay, it seems to be working now - perhaps was a timing issue which was wierd because it updated straight away on previous sites.
Thanks again for the help though WizKid!
This is not another question asking if I need to buy an SSL cert for my site to have a facebook login.
My question is, is it possible, when using facebook's login with OAuth2, to NOT redirect the user to https:// www. facebook.com?
My problem is this, I run a bunch of wireless hotspots and would like the users to login via facebook. The problem is that I need to give them access to https ://www. facebook.com/login.php ( and a bunch of other urls). however with HTTPS I cannot allow access to paths on websites if its an SSL site. So is the another domain name that can be used (like HTTPS :// login.facebook.com*) or a way to send them to HTTP ://www. facebook.com/login?
EDIT:
Just to make it more clear what I am trying to do.
Open your browser and go to http://www.facebook.com/login, facebook will then redirect you to HTTPS:// www. facebook.com/login. That is the problem. Is there anyway, using the php sdk to force HTTP & not HTTPS
You only need SSL for Canvas Apps (running on apps.facebook.com/yournamespace, "App on Facebook" in the developer settings) and Page Apps ("Page Tab" in the developer settings), but not for external Websites.
Just fill in the input field "Website with Facebook Login" in the developer settings with your external Website (http://www.yourdomain.com/whatever).
Where you redirect the user to is totally up to you. For example, you can create any JavaScript redirection in the callback function of FB.login:
https://developers.facebook.com/docs/reference/javascript/FB.login/
TL;DR version:
Can you authenticate with Facebook without having a callback URL for a web application since the web application isn't actually running on a server.
Full explanation:
I'm working on building a connectedTV platform application where the "app" itself is a bunch of HTML/JS/CSS running locally (like File -> Open on your desktop browser) and I'd like to integrate Facebook into this.
The problem is that all of Facebook's OAuth calls for the web require you to have a callback URL to redirect the user to in order to complete authentication. Here's the gotcha -- there is no URL for this application -- it's a locally running webpage on the device.
I know this is what out-of-band authentication was designed for, but I can't seem to find any documentation on how to use this (or how to do a non-callback OAuth flow) with the Facebook OAuth system.
You're describing desktop authentication or any situation where you are authenticating to FB without a server. The redirect URL you pass to the OAuth dialog is https://www.facebook.com/connect/login_success.html When the browser redirects you can get the access token. You can read all about it in the FB documentation, way at the bottom in the Desktop Apps section (https://developers.facebook.com/docs/authentication/)
Just reread your question and since the application runs inside a browser you will need to open another window to authenticate and get the access token from that.
If you're doing HTML/Javascript, use their Javascript SDK. You can log the guy in simply by using FB.login and getting the access token from the callback from that.
I really don't think this is directly possible. Unless there is something totally undocumented, Facebook has no mechanism to send authentication data except by loading a url. I'm sure it's meant at least partly as a security measure, functioning as sort of a "whitelist" of where auth data will be sent.
The only way I can think of for you to work around it might be to set up a url on a server somewhere that could answer the redirect and store the auth data, and have your client-side code poll that server to get it. Kind of a proxy authentication service, in effect. You would probably have to open a second browser window with the Facebook auth screen in it, but in theory it could work.
I am creating a SaaS that will allow users to interact with it via their web applications. I would like to create a CAS type login mimicking Facebook connect so when you click the 'Login' button on the users website it will popup a window for you to login with my SaaS credentials.
I do not want the SaaS users site to be able to access the users login credentials so this is why I thought of CAS. However, it doesn't look like Facebook Connect redirects to the CAS server. It looks like they just popup a window to the facebook login then create a cookie once the user successfully logs into facebook. How then does the Facebook Connected site access that cookie?
I am wanting to basically be able to keep the end user on the current website without being redirected to my login application. I would like to mimic what facebook does with just popping up a little window and have them login then refresh the page after they login but I am not sure how to go about this.
Any ideas?
Facebook uses a third party cookie: they set a cookie on your domain that you can access to get the necessary credentials.
EDIT: the easiest example would be to look at PHP's setcookie function. Notice that there is a domain parameter. If you change the domain to match the domain of the actual website that initiated the authentication action then you'll be able to set a third-party cookie.
Note that on IE there are certain headers the domain that initiated the authentication action needs to set to allow your third-party cookie to be set. See http://www.spamcollect.com/archives/33 for a short writeup of how that works.
If you are working in a different language you'll need to use whatever cookie management functions they offer.
Another option may be to do this with CAS programmatically using the REST client.
https://wiki.jasig.org/display/CASUM/RESTful+API
In this way you could take the users details and login to CAS without being redirected.
Facebook uses Cross Domain communication which is what I will be using.
I am working on a site that uses Facebook Connect for user login/creation. I have a development server which is used for QA, and I'd like it to be password protected. We wanted to use HTTP basic authentication, but that seems to break Facebook Connect (it falls in a loop). Does anybody know why that may be happening?
I believe that basic authentication is done on a browser basis, and all the communication between Facebook and our site is done in the browser of the user. What could be the problem?
Facebook Connect uses iFrame inside iFrame hack to overcome cross domain boundaries limitation (see http://wiki.developers.facebook.com/index.php/Cross_Domain_Communication for details). My guess is that when Facebook redirects to the callback page (xd_receiver.htm) it fails because later requires basic authentication.
More information needed on the "falls in a loop". But based on your question, from what I've read is that facebook connect will create a random password on account creation, and if they are logging in over basic auth, it will need to be changed to match up(http://www.boonex.com/unity/forums/topic/facebook-connect-error-.htm)
But you don't specify if that's the way you are using FBconnect.
Are you requiring basic auth to get to the point of FBconnect account link/create?
Or are you using FBconnect to create the login for the basic auth?
How are you requiring basic auth? Server type?
Does everything work without requiring basic auth?