If you have the Save Surfing setting in your account settings in Facebook set to unsecured, you notice you use Facebook via HTTP. Of course if you set it to On, you surf via HTTPS.
Now all Facebook apps are using HTTPS since Facebook doesn't allow apps to use HTTP since October 2011. But if a user (with no HTTPS on their Facebook account) wants to visit the Secured HTTPS App it just gives an empty page.
Is this a bug from Facebook, or?
Now all Facebook apps are using HTTPS since Facebook doesnt allow apps to use HTTP since October 2011.
That’s not true.
All canvas/page tab apps must offer the option to be accessed via HTTPS – but should offer HTTP as well.
But if a user (with no HTTPS on there Facebook account) wants to visit the Secured HTTPS App it just gives an empty page. Is this a bug from Facebook, or?
No, this is an error on your (resp. the app developers) part – in the app settings, there should be URLs set for both HTTP and HTTPS.
If that’s the case, then a user browsing Facebook via HTTP has no problem accessing the app as well.
Related
I have a website that uses the Facebook Login feature successfully and it still works as we speak. But I want to use the same facebook app on another website using the same keys etc...
But for some reason, even though I have added the correct URI's into the OAuth part of the Facebook page, I still get:
URL blocked: This redirect failed because the redirect URI is not
white-listed in the app's client OAuth settings. Make sure that the
client and web OAuth logins are on and add all your app domains as
valid OAuth redirect URIs.
Does anyone have any ideas on where I can start to find out why Facebook isn't accepting these new urls?
Okay, it seems to be working now - perhaps was a timing issue which was wierd because it updated straight away on previous sites.
Thanks again for the help though WizKid!
The instructions from Janrain for social login provider setup conflict with the hint within the error message from the Facebook https response. Details follow.
Error screen when testing Facebook from Janrain; note that same error happens in any browser such as Firefox, Chrome if you test the sign-in widget.
Error Text from Facebook:
App domains must match the domain of the Facebook Web Games URL (https), Mobile Site URL, Unity Binary URL, Site URL or Secure Page Tab URL.
Please correct these domains: (snip).
Based on the hints from the Janrain Facebook Provider Setup wizard, I have set the website to the URL on rpxnow (i.e. definitely not my web site).
What URL(s) should then be entered into Basic and/or Advanced Settings such that Facebook can process the login? I have tried using the rpxnow URLs and my own web site URLs. Either of 2 things happens regardless of whether I include https:// or start from the subdomain of any combination of names. Either Facebook will not save the details on Basic App Domain and gives the above error, or Facebook will save the details but then gives the error in the first screenshot above.
I do not see how this can ever work because Facebook wants a match on the domain and rpxnow will never be the domain that I use to invoke the sign-in.
For completeness, I will show my Facebook settings, so it will be obvious that they do not match the current Janrain Setup Guide for Facebook.
Basic Settings
Is the Namespace relevant? Better to leave blank? Does it need to match something within Janrain?
Advanced Settings
I could believe that something has to be done to allow cross-domain access. Does anyone have this working with a new Janrain account (3 weeks old) and a new Facebook developer account (old Facebook account, new developer app)?
Replying as an answer so I can attach a picture.
I have a feeling this might be something to do with Facebook's impending changes to their app security (https://developers.facebook.com/blog/post/2017/12/18/strict-uri-matching/ ). It appears that you need to add the Valid OAuth redirect URI for any new API v2.11 apps now (not after March). We were already planning to address this before March but we will have to update sooner.
For your Facebook app you will have to set up the "Valid oAuth redirect URIs" similar to the following screen shot, just replace "pbjanraintest" with whatever your Engage app name is:
Sorry for all the trouble you have had. It's hard to keep up with these providers when the messaging doesn't align with what their apps and api's are actually doing.
I just received the same error this week. Leave off the https:// in the OAuth redirect URIs box.
This is not another question asking if I need to buy an SSL cert for my site to have a facebook login.
My question is, is it possible, when using facebook's login with OAuth2, to NOT redirect the user to https:// www. facebook.com?
My problem is this, I run a bunch of wireless hotspots and would like the users to login via facebook. The problem is that I need to give them access to https ://www. facebook.com/login.php ( and a bunch of other urls). however with HTTPS I cannot allow access to paths on websites if its an SSL site. So is the another domain name that can be used (like HTTPS :// login.facebook.com*) or a way to send them to HTTP ://www. facebook.com/login?
EDIT:
Just to make it more clear what I am trying to do.
Open your browser and go to http://www.facebook.com/login, facebook will then redirect you to HTTPS:// www. facebook.com/login. That is the problem. Is there anyway, using the php sdk to force HTTP & not HTTPS
You only need SSL for Canvas Apps (running on apps.facebook.com/yournamespace, "App on Facebook" in the developer settings) and Page Apps ("Page Tab" in the developer settings), but not for external Websites.
Just fill in the input field "Website with Facebook Login" in the developer settings with your external Website (http://www.yourdomain.com/whatever).
Where you redirect the user to is totally up to you. For example, you can create any JavaScript redirection in the callback function of FB.login:
https://developers.facebook.com/docs/reference/javascript/FB.login/
The Facebook documentation says that since October 1, 2011 canvas apps must provide access over HTTPS. Is the opposite true? Must canvas apps provide access over HTTP? I'd rather have my app accessible through HTTPS only. Will Facebook users using HTTP be able to use my app if I don't provide a non-secure endpoint?
If you only specify a secure URLK - they will not be. They will be prompted with a layer asking them to enable secure browsing. They will NOT be able to access you application.
I have an app that only runs on https. So my Pag Tab URL and Secured Page Tab URL have the same https url.
I have noticed that I get a blank signed request for users who are using Facebook on http.
Is there a way by which I can get the users to see my secured content even when they are accessing facebook from http?
Facebook says that this configuration is not supported by design. Apps must be available via both HTTP and HTTPS.
Source: http://developers.facebook.com/bugs/210713629051920/
Unfortunately it is necessary you always provide a HTTP alternative
for FB users who want to visit your App under HTTP. In your specific
case, in your http endpoint you will be able to display an specific
message to these users encouraging them to visit the HTTPS version of
your App.