URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings? - facebook

I followed the link https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-facebook-authentication to set up Facebook login.
In the https://developers.facebook.com/apps, the "Valid OAuth redirect URIs" has the following URI
https://myapp.azurewebsites.net/.auth/login/facebook/callback
However, it still gets the error:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
Update:
Added both https://myapp.azurewebsites.net/signin-facebook and https://myapp.azurewebsites.net/.auth/login/facebook/callback. And now the website gets the error
A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity. To enable anti-forgery token support with claims-based authentication, please verify that the configured claims provider is providing both of these claims on the ClaimsIdentity instances it generates. If the configured claims provider instead uses a different claim type as a unique identifier, it can be configured by setting the static property AntiForgeryConfig.UniqueClaimTypeIdentifier..
On the line of @Html.AntiForgeryToken() in d:\home\site\wwwroot\Views\Account\_ExternalLoginsListPartial.cshtm
Update:
Added the following line in global.asax and the error above is gone.
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
However, it just shows the following message box with the URL https://myapp.azurewebsites.net/.auth/login/done#_=_.
You have successfully signed in
-> RETURN TO THE WEBSITE
Clicking the link returns to the login screen, https://myapp.azurewebsites.net/ (which doesn't need to be authorized), instead of https://myapp.azurewebsites.net/event. Typing https://myapp.azurewebsites.net/event will show the login page again (redirected to https://myapp.azurewebsites.net/Account/Login?ReturnUrl=%2Fevent).

As this official tutorial about Authentication and authorization in Azure App Service says:
App Service Authentication / Authorization is a feature that provides a way for your application to sign in users so that you don't have to change code on the app backend. It provides an easy way to protect your application and work with per-user data.
You could browse to https://myapp.azurewebsites.net/.auth/login/facebook to log on.
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
You could leverage Fiddler to capture the network traffic to check your Facebook logon process as follows:
Note: Make sure the above redirect_uri has been added to Valid OAuth redirect URIs. HTTP or HTTPS could be a possible cause.
Additionally, if you use the middleware UseFacebookAuthentication for authenticating users using Facebook, I assume that you need to add http(s)://myapp.azurewebsites.net/signin-facebook to Valid OAuth redirect URIs, or you could try to use the following code:
app.UseFacebookAuthentication(new FacebookAuthenticationOptions()
{
    AppId = "{your-app-id}",
    AppSecret = "{your-app-secret}",
    // Make the middleware answer on the same path that App Service registers with Facebook
    CallbackPath = new PathString("/.auth/login/facebook/callback")
});
UPDATE:
I followed this tutorial about handling Facebook authentication by using OWIN in ASP.NET MVC5, and I found that I could not retrieve the logged-in Facebook user info and that the returnUrl was not working. After some trials, I found that Facebook did a forced upgrade of the Graph API from v2.2 to v2.3, as follows:
Facebook Graph API, Changes from v2.2 to v2.3:
[Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.
You need to upgrade Microsoft.Owin.Security.Facebook to 3.1.0, or you need to implement the BackchannelHttpHandler mentioned in this issue.
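As an added illustration of the v2.2 to v2.3 format change (not code from the answer, from OWIN or from Facebook), the Python helper below accepts both the legacy URL-encoded body and the v2.3 JSON body, and performs the JSON-to-form rewrite that the BackchannelHttpHandler workaround applies before the older middleware parses the response. The legacy field name `expires` and the two sample bodies are assumptions constructed for the example.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed sample bodies (not captured from Facebook); the token value is fake.
LEGACY_BODY = "access_token=EAAB.sample.token&expires=5183944"
V23_BODY = '{"access_token":"EAAB.sample.token","token_type":"bearer","expires_in":5183944}'


def parse_token_response(body: str) -> dict:
    """Normalise the oauth/access_token response into one dict.

    Graph API v2.2 and earlier: URL-encoded form body (field "expires" is
    assumed here). v2.3 and later: JSON per RFC 6749 section 5.1. Errors
    come back as JSON {"error": {...}} and are raised as ValueError.
    """
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        if "error" in data:
            err = data["error"]
            raise ValueError(f"Facebook error {err.get('code')}: {err.get('message')}")
        if not data.get("access_token"):
            raise ValueError("access_token missing from JSON response")
        return {
            "access_token": data["access_token"],
            "token_type": data.get("token_type", "bearer"),
            "expires_in": int(data["expires_in"]) if "expires_in" in data else None,
        }
    # Legacy shape: parse_qs yields lists, keep the first value of each field.
    fields = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if "access_token" not in fields:
        raise ValueError("access_token missing from form-encoded response")
    expires = fields.get("expires") or fields.get("expires_in")
    return {
        "access_token": fields["access_token"],
        "token_type": fields.get("token_type", "bearer"),
        "expires_in": int(expires) if expires else None,
    }


def json_to_legacy_form(body: str) -> str:
    """Rewrite a v2.3 JSON body into the v2.2 form encoding.

    This is the transformation a BackchannelHttpHandler applies to the
    response so that an OWIN 3.0.x Facebook middleware can still parse it.
    """
    parsed = parse_token_response(body)
    form = {"access_token": parsed["access_token"]}
    if parsed["expires_in"] is not None:
        form["expires"] = str(parsed["expires_in"])
    return urlencode(form)
```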

Related

Multiple redirect url not working in slack sso

We have configured two redirect URLs (different domains, valid https URLs) in the Slack app's OAuth and Permissions section. When we try SSO it works fine for the first redirect URL, and when doing SSO for the second one we are getting {"ok":false,"error":"bad_redirect_uri"}. Please help us in resolving the issue.
I had the same issue. The problem is that there are 2 more places where you have to specify the redirect_uri:
1. In the URL where you send users for authentication to get the verification code:
https://slack.com/oauth/authorize?scope=your_scopes&redirect_uri=your_redirect_uri&client_id=your_client_app_id
2. When you exchange the verification code for an access token in the POST request to https://slack.com/api/oauth.access. If you don't provide the redirect_uri specified in the API method documentation https://api.slack.com/methods/oauth.access you will get the {"ok":false,"error":"bad_redirect_uri"} response.

Meteor accounts-facebook Valid OAuth redirect URIs issue Facebook March update

I'm using Meteor version 1.3.2.4.
Facebook has announced that Valid OAuth redirect URIs must be included for apps using their service starting in March.
"In March, we're making a security update to your app settings that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field below. This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs."
I am adding what I believe is the correct OAuth redirect URI for my application: http://myapp.com/_oauth/facebook?close
After adding this redirect URI, though, I'm getting an error when trying to log in:
Not Logged In: You are not logged in. Please login and try again.
Any ideas here?

python-social-auth and facebook login: what is the whitelist redirect url to include in fb configuration?

I was getting this Facebook login error:
URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs.
Facebook login requires whitelisting of the callback URL.
What is the callback URL for django-social-auth or python-social-auth?
Include a URL to your website that is the absolute URL version of this relative URL:
/complete/facebook/
How to find this out? Use the Chrome browser dev tools, enable "preserve log", and try to log in to your app.
This question/answer is for django-social-auth but likely applies to python-social-auth too.

Scribe for FB Oauth - Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request

I am trying to use Scribe for a Facebook OAuth 2.0 implementation and I get the error below:
'{"error":{"message":"Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request","type":"OAuthException","code":100,"fbtrace_id":"FusY4X0TorE"}}'
I used the URL below to get the code:
https://www.facebook.com/dialog/oauth?granted_scopes=1&response_type=code&client_id=473486006089780&scope=email,user_about_me,user_birthday,user_location&redirect_uri=https://www.bankbazaar.com/
I create my service as below:
OAuthService service = new ServiceBuilder()
    .provider(FacebookApi.class)
    .apiKey("1415540682058832")
    .apiSecret("07b182efcb587065ceef615a945d92a4")
    .callback("https://www.bankbazaar.com/")   // must be identical to the redirect_uri used in the dialog request
    .build();
Let's say I get a valid code/verifier from FB and use it to get an access token.
I print my authorization URL and get something like the below:
https://www.facebook.com/v2.2/dialog/oauth?client_id=1415540682058832&redirect_uri=https%3A%2F%2Fwww.bankbazaar.com%2F
In my Facebook app page, I have the setting below.
Kindly suggest where I am going wrong?
You must set the redirect URL in Valid OAuth redirect URIs. It is in Settings -> Advanced; scroll down to Client OAuth Settings -> Valid OAuth redirect URIs:
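The Azure, Slack, python-social-auth and Scribe threads above all come down to the same two checks: the redirect URI must be an exact entry in the provider's whitelist (scheme, host, path and trailing slash included, as the HTTP-versus-HTTPS remark in the Azure answer notes), and the redirect_uri sent with the code exchange must be identical to the one in the dialog request. The Python below is an added diagnostic, not code from any of the answers or from Facebook or Slack; the registered URIs are constructed from the values quoted in the threads.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registrations modelled on the URIs quoted in the threads above.
REGISTERED = [
    "https://myapp.azurewebsites.net/.auth/login/facebook/callback",
    "https://www.bankbazaar.com/",
]


def diagnose_redirect_uri(registered: list, attempted: str) -> str:
    """Return "ok" when attempted is an exact entry of registered, else a short
    reason naming the first component that differs from the closest entry.

    Strict-mode providers compare the whole string; this function only makes
    the usual causes (scheme, host, path, trailing slash, query) visible.
    """
    if attempted in registered:
        return "ok"
    if not registered:
        return "no redirect URIs registered"
    a = urlsplit(attempted)
    # Prefer an entry on the same host as the closest candidate to explain.
    cand = next((r for r in registered if urlsplit(r).hostname == a.hostname),
                registered[0])
    r = urlsplit(cand)
    if a.scheme != r.scheme:
        return f"scheme mismatch: registered {r.scheme}://, got {a.scheme}://"
    if a.netloc != r.netloc:
        return f"host mismatch: registered {r.netloc}, got {a.netloc}"
    if a.path != r.path:
        if a.path.rstrip("/") == r.path.rstrip("/"):
            return "trailing slash mismatch"
        return f"path mismatch: registered {r.path}, got {a.path}"
    if a.query != r.query:
        return "query string differs from the registered URI"
    return "fragment differs from the registered URI"


def exchange_matches_dialog(dialog_url: str, exchange_redirect_uri: str) -> bool:
    """True when the redirect_uri in the dialog/authorize URL is byte-identical
    to the one sent with the code exchange (the Scribe and Slack errors)."""
    query = parse_qs(urlsplit(dialog_url).query)
    return query.get("redirect_uri", [None])[0] == exchange_redirect_uri
```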

OAuth2 : redirect_uri post LinkedIn & Facebook

I'm performing the server-side OAuth2 flow.
I noticed that Google has added a cool feature for their OAuth2 sign-in API, which is redirect_uri=postmessage, so we don't show the real redirect_uri in the browser URL bar and the authorization code won't be included in the redirect URL.
For LinkedIn, when the user accepts to share his personal data with the app, the response URL looks like:
http://dev.localhost.com:8080/auth/linkedin?code=xxxxxxxxxxx&state=yyyyyyyyyyyyy
It's the same for Google unless we replace the real redirect_uri by postmessage.
If the redirect_uri and the response code are set in the URL, every malicious script could be able to retrieve the returned code from the URL and perform its own authentications.
So, is there any way to hide the return parameters and the redirect_uri for LinkedIn and Facebook?
LinkedIn and Facebook are not vulnerable to malicious scripts accessing the redirect_uri.
Assuming you use the recommended response_type=code, both APIs require that you make a request from your server that includes your API secret and the code value in order to get the user's token. LinkedIn describes this in Exchange Authorization Code for a Request Token and Facebook describes this in Exchanging code for an access token.
Additional security with Facebook can be enabled by requiring that every request be signed with your API secret. Additional protection in general can be had by using a strong Content Security Policy to help prevent malicious scripts from running in the first place. And be sure to host your site exclusively over TLS to prevent your own JavaScript from being modified.