I am trying to create a website that can run on a few different subdomains that has FaceBook integration. I would ideally like domain1.mysite.com and domain2.mysite.com etc etc to work with 1 Facebook app, and not have to set each one individually in the app's 'Valid OAuth redirect URIs'.
This: How to add multiple facebook callback urls is the only thing I have found on the topic. While it does work, I am unsure if that is properly secure or if it just happens to work and will get fixed up at a later date. Anyone have some insight on this?
Related
I have a website that uses the Facebook Login feature successfully and it still works as we speak. But I want to use the same facebook app on another website using the same keys etc...
But for some reason, even though I have added the correct URI's into the OAuth part of the Facebook page, I still get:
URL blocked: This redirect failed because the redirect URI is not
white-listed in the app's client OAuth settings. Make sure that the
client and web OAuth logins are on and add all your app domains as
valid OAuth redirect URIs.
Does anyone have any ideas on where I can start to find out why Facebook isn't accepting these new urls?
Okay, it seems to be working now - perhaps was a timing issue which was wierd because it updated straight away on previous sites.
Thanks again for the help though WizKid!
I'm trying to build a "RSVP to this event" action using the Facebook JS SDK.
All of our sites run on multiple subdomains (event1.example.com, event2.example.com) and I'm trying to setup a single Facebook app that will allow people to RSVP.
Ideally I'd like to be able to specify wildcard subdomains in the Valid OAuth redirect URIs settings, but Facebook doesn't seem to allow that.
Previous StackOverflow answers said that either just putting in the top-level domain or leaving that field blank would work (for example), but I always get the This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings error.
Frustratingly, we shouldn't need any sort of redirect callback to the server. I just want a short-lived token to post the event RSVP which should be possible client-side only.
Is there any way to accomplish this?
The options I can think of...
One app per subdomain We have 100s of subdomains, so creating Facebook apps for each isn't going to work (plus that's a manual process)
List all subdomains as redirect URIs it appears Facebook has a limit on the number of redirect URIs, plus this is also a manual process - there's no API endpoint for adding these
Set the redirect URI via JS to our root domain and then just ignore the callback - this seemed promising, but calling FB.login with a redirect_uri param gave an error: When using FB.ui, you should not specify a redirect_uri. Is there a way to do this without FB.login?
Somehow let Facebook know we don't care about those redirects at all -- is there some other way to request permissions and make a JS API call without needing the oauth redirect?
Thanks in advance for any insights...
I don't think so that there is a way you can login through Facebook on multiple domains, but there is a proper work-around to implement sign-in on multiple domains it's called Single Sign On:
See:
https://www.sitepoint.com/single-sign-on-explained/
https://github.com/cubiclesoft/sso-server
We could use one specific sub domain/main domain itself to handle the facebook authentication
Every time pass the state which includes subdomain redirect uri so that need not to adding sub domains to redirect uri list
I know that facebook allow me to specify multiple domains for my app.
But in the "Website with Facebook Login" i can only specify one url.
Is it possible for me, to authenticate users on domain.se, domain.dk and domain.net with the same App ? Or should i still create one app, for each domain ?
It is technically possible to use Facebook Connect on multiple domains, there are some limits (5 domains max).
So the key to doing this is adding all domains in the App Domain field under your app settings.
The PROBLEM, however, is that Facebook only lets you add domains that are derived from your Canvas URL or Site or Page tag URLs, so if you try to enter anything else you get an error that looks like this:
The SOLUTION is to create App on Facebook, Website, and Facebook Tab using the ADD PLATFORM button and then put in URLs that point to your other domains. Here is an example of what I mean:
If you use a unique domain for each field you can max out with 5 different domains. I have tested this technique with up to 3 domains, but i think it should work for all 5.
Note: Facebook admin features change from time to time, so all of this is subject to change
As long as you listed all the desired App Domains in application settings you should be able to authenticate users on any of them.
"Website with Facebook Login" is really only intended to be used as link to your site/application.
Update 2 (July 2016):
App domains must match the domain of the Secure Canvas URL, Mobile Site URL, Unity Binary URL, Site URL or Secure Page Tab URL.
Update (December 2013):
At the time of writing original answer it was possible to list any domains in application settings but from that time the UI of Application Settings (as well as way of handling Application Domains) changed at least couple of times, at some point you could only list domains that derive from one of application's canvas pages.
As of December 2013 it is possible (again) to list domains that do not derive from application canvas URL.
Assuming your domains are being served by the same web server and you have access to that web server, you can use the manual login procedure: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow to login from as many domains as you wish.
Assume your domains are site1.com,site2.com.... Instead of using the Facebook javascript API, you will simply place a plain old Log In with Facebook button on each site which will redirect the browser to the facebook login page as described in the above article. In the state variable you can specify a code which indicates which of your sites is requesting a login. In the redirect you will use a single service domain which you assign to your web server (e.g. fb.mywebserver.com) and which you specify as the verified redirect url in the facebook login settings page. All the sites will redirect to this same url, avoiding the problem of supporting multiple domains.
Once the user has logged in, the browser will redirect to fb.mywebserver.com and pass it the state, which tells you which site is requesting login and a code which you can use on the back end to retrieve the user's info using the Facebook graph apis. You store this info with a uid in your data store then using the info in state, you redirect to to the appropriate site including a parameter that indicates a Facebook login (e.g. site1.com?fbc={some uid}). The browser will obediently then call site1.com?fbc... Your web server will receive this request and detect the fbc parameter which tells it to associate the corresponding Facebook logged in user with this site. It can then retrieve the logged in users info using the uid and, for example, return a session cookie for this user along with the page. If you generate the page on the server you can, of course, also include a welcome "user" or alternatively, your client code can do an ajax call to retrieve that information.
From the user's standpoint they press the Login with Facebook button, are redirected to a Facebook login page where they login and then are redirected back to your site in a logged in state. Not quite as nice as having the login popup but likely acceptable.
A similar process can be used for google logins as well
Best thing I've found to do in the development/production scenario is add a "Test App", then add a platform for your development web site - as you have to provide where the "page tab url" lives if you use that as a platform.
Facebook requires your "page url" to be live / accessible if you need to apply for status or permission review.
This got me around the "login in development" / "login in production" scenario.
on the facebook developers site it recommends using the OAuth Dialog where you use
https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_CANVAS_PAGE
replacing the the YOUR_APP_ID and YOUR_CANVAS_PAGE with what you have
my question is where am I supposed to put this?
do I put this somewhere on my index.php for my canvas page?
or aside from creating your app, do I need to make a website where info of my app should be displayed together with a link to my app using the OAuth Dialog?
You need to create website that will have the content of the app, since facebook will display it in the iframe.
As for the link you mentioned, it is used to get permissions (basic information, user's email etc). If you need that kind of information about the user, you have to redirect him there so he can grant the permission. If your app doesn't require any information about the user, you can just skip the authorization part.
I have a website based game that has login accounts that I want to integrate into facebook (not facebook connect, I want to use an iframe canvas page).
My question is how can I authenticate a user and how can I check if a user is coming from facebook or directly from the site.
I have been playing around with require_login() using the PHP library. My main fear is how can I authenticate that the GET parameters from facebook are indeed from facebook? If I can do that then I can store their facebook session id and Uid in a session as login credentials.
My other worry is that the GET variable may get passed as a reffer to an external link.
Finally... I find in some browsers that with require_login() that it breaks out of the iframe and gets into an eternal look continually adding additional authtoken's to the URL.
Hope someone can help
Yes you can create a app that works independently as well as facebook app. For the facebook you will have to use the facebook's iframe method to work under facebook.
You can verify the request comes from Facebook by verifying the signature in the same way that Facebook checks that API requests come from your application. With the PHP client library you can use the validate_fb_params() method of the Facebook class to do this automatically.
Bear in mind that session key's are temporary so the user will keep needing to authenticate with Facebook through your application otherwise the key expires within the hour. You may also run into a 3rd party cookie issue with Safari if you're hoping to store the session key in a cookie, and you'll need a compact privacy for quite a few other browser/privacy setting combinations as well. Something like:
<?php
header('P3P: CP="CAO PSA OUR"');
?>
in an include would do it.
And yes: the session key may be passed to external sites as in the referrer properties. It's just one of the security flaws that the platform currently has. The only way around that is either to redirect all external clicks through a handler which removes the referrer, or redirect on page load to strip the fb_sig_ss parameter out.