I've set up my FB app so that it has a Mobile Web URL component. I've noted from testing that whenever I navigate to canvas URL of my app on a mobile device, Facebook automatically redirects the mobile to the defined Mobile Web URL.
If I do the same from desktop, the canvas URL is loaded in to the browser. In other words, if FB detects a mobile device when navigating to an app's canvas URL, it will immediately redirect to a defined Mobile Web URL and not load the canvas URL content.
The problem with this is that when the canvas URL loads, FB passes to it a signed_request form parameter. Yet, when it redirects to the Mobile Web URL it does not.
I noticed when checking a network sniffer that when on mobile Facebook redirects the app.facebook.com URL to m.facebook.com, and thought perhaps the signed_request was getting lost along the way. But when checking the first call to the canvas URL there was no signed_request there either.
It's like Facebook only provides the signed_request when it processes the canvas URL, which in the case of mobile is never.
Has anyone any insight or advice on how to get the signed_request? My only thought at the moment is forcing the user to authorise the app on mobile as soon as they are redirected, but i'd rather not do that if possible (I'm not a fan of gating techniques)
Cheers
Lee
--- EDIT ---
Closing - see my answer.
I've since come to the conclusion that Mobile URLs do not receive the signed_request, and to get the same sort of data requires the users to be put through the FB Auth process. Closing the question.
Your mobile app should be passed a "code" in the query string if the person has authorized your app. Your backend can exchange that code for an access_token and then you can use that to get the current user info by requesting https://graph.facebook.com/me?access_token=[token retrieved from code exchange]. That will allow you to automatically login the current user.
But yes, you do not receive info like the current user's country, locale, and age if they have not authenticated. That is a limitation of mobile web apps currently.
Related
I am attempting to implement a simple Facebook login flow for a web application using HTTP redirects, as detailed at https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2.
For the purposes of making this question generic, let's say the application URL is www.example.com/app.php. On the application page, there is a link which directs users to Facebook's OAuth endpoint, where ideally:
they log in to Facebook (if not already logged in) and approve my application permission to access their public profile
they are then redirected back to my application's URL along with some extra parameters appended (e.g. www.example.com/app.php?code=...&access_token=... if the login was successful, or www.example.com/app.php?error_reason=...&error=...&error_description=... if login/app approval was unsuccessful)
The Facebook OAuth endpoint is:
www.facebook.com/dialog/oauth?client_id=12345&redirect_uri=www.xyz.com/app.php
where I have filled in the client_id and redirect_uri parameters with my application's ID and my application's URL respectively.
What actually happens whenever I access the link is that it immediately redirects back to my application's homepage - without ever showing a login dialog of any kind. This happens with Firefox and with Chrome - both when I am logged in to Facebook and when I am not, in normal sessions and in incognito sessions with no plugins enabled. From the browser inspector, I can see that the Facebook OAuth page is definitely requested but is straight away 302 redirecting to my application page with just a code parameter appended.
www.example.com/app.php?code=...
This also happens when the Facebook OAuth link is accessed from pages other than my application's URL (e.g. if I click the link from www.example.com/other_page.htm).
I am unsure what I am doing wrong here; the application URL (www.example.com/app.php) is approved on my app dashboard in as many places as I could find, and changing the request_uri parameter to any other URL results in an error page. I have also tried urlencode()ing my application URL before passing it in the request_uri parameter, but the result remains the same. I don't know what to try next as as far as I can tell I have followed Facebook's manual login guide as closely as possible.
We have an fb canvas made from .net mvc that works well via desktop but it doesn't work well in mobile app. We send request then if someone on fb mobile tap on request and opens up the web app, the signed_request returned is different than the desktop counterpart. The payload is missing and it seems shorter than the desktop's. I'm trying to read it as "code" and try getting auth token via https://graph.facebook.com/oauth/access_token?client_id=xxxx&code=[code]&redirect_uri=???. The problem with this is I don't know what the redirect_uri supplied or maybe it's not a code.
Can you guys help me with this or there's no other way but once they click request via mobile app we have them relogin in our web app to grab their fbuserid? And if there's another approach in handling mobile app requests.
Mobile Web URL and the signed_request
This is already outdated so maybe there's a solution already.
Thank you
I'll answer my own question. What you can do is add an extra authorization in your login flow when then access your canvas url via facebook mobile app. You send them to
https://graph.facebook.com/oauth/authorize?client_id=
passing the redirect uri and scope then grab the new generated "code" param and grab the aut token via graph api. Then you can access their facebook detail as you would normally. I've read answers like there's no signed request in mobile web and approach it differently without stating what that approach is. Hope someone can be helped by this answer.
Thanks
I can successfully send app requests by using method: 'apprequests' and the receiver gets the notification properly. I know the page to be shown when the user clicks on the request is the one you put as Canvas URL/Secure Canvas URL.
The thing is I had already set up an App Page for my app, so it makes a lot of sense to lead the user to this page when he/she accepts the request. But I cannot put my app url as Canvas URL because Facebook will not allow it (error: is invalid because it is a Facebook url).
In similar questions, many suggest a redirection but I wonder if there is a more direct/proper way.
I have created a facebook app on developers.facebook.com and specified a site url for my website. When users on my website login with facebook it redirects them back to the site url I specified (e.g. example.com) on the facebook app settings.
I also have a mobile web site which has facebook login but when users login from the mobile site (mobile.example.com) it still redirects to the main site (example.com).
How can I make facebook redirect to either example.com or mobile.example.com depending on where the facebook login request comes from?
Facebook allows you to pass a variable named state to the auth dialog. This value gets returned by Facebook on both success or failure.
The intent of the state variable is to prevent people from gaining access to your site with forged requests. However, you could add a string to the state variable unique to people coming from the mobile site. On your redirect page registered with your app, you just need to add code to examine the state variable and redirect the user if it has the "mobile" string in it.
I know there is a way to redirect the page using javascript in the iframe of the canvas application to an external url.But is there any other way so that user directly gets redirected to the external url as soon as they authorizes the application.
i know it is possible because a famous app klout in Facebook does it.http://apps.facebook.com/klout__/
redirects to
http://klout.com/ automatically as soon as the user
Remember i got an invitation request from my Facebook friend.when i clicked the invitation notification and when i authorized the application it redirected to a external url.Any idea how this has been done? And i think this wont be encouraged in Facebook policies either?
Facebook want to make sure that the servers it interacts with are of the same domain that is set up in the app settings.
In the klout example you gave what they did was to add an App Domain which is done in the app settings, but there's a limitation to what domains you can add there.
For example if your site url in the settings is set to "www.example.com" then you can add "examlpe.com" or "sub.example.com" to the app domains.
But if you try to add "www.example2.com" you'll get:
Error
example2.com must be derived from your Site URL or your Mobile Web
URL.
Edit
I'm sorry, I did not understand you correctly.
If you want to simply redirect the user to your url in the main window then you can use javascript like this:
top.location.href = "http://www.example.com";
What I was referring to before is the ability to have "www.example.com/" as the site url (in the settings) and still use "sub.example.com" with redirect_uri and such.
2nd Edit
Forgot to mention this:
In the Facebook Platform Policies it states that:
13 . The primary purpose of your Canvas or Page Tab app on Facebook must not be to simply redirect users out of the Facebook experience
and onto an external site
And so you should not redirect the users out of facebook.