I am trying to develop a Facebook desktop app that runs on a browser (but not on a webserver). So strictly speaking, I am running a standalone webpage that is not in any domain. I am in need to find a suitable login solution for this.
Currently, Facebook authentication has to be redirected to another URI - the problem for me is that I am unable to get the access token from this redirected page (dialog/poup) because of cross-domain access issues. Is there a way across it?
Also, since I am running the page on a filepath (c:/wamp/www/facebook.html) rather than on a webserver, the "auth.login" events are not fired after authentication is done in the dialog. Is this expected behaviour as well?
Any help would be appreciated. Thanks!
Read up on FB Auth: http://developers.facebook.com/docs/authentication/
If your app is able to read iframe URLs (such as an AIR based app) then you can rely on using the Desktop App Auth Flow and reading the credentials from the response URL that Facebook hosts: https://www.facebook.com/connect/login_success.html#access_token=...
Use local web server and server it from http://localhost... There is planty of lightweight one for Windows (Abyss) as well as Unix (thttpd).
EDIT: It seems it is not possible using file:// urls. I tried this page:
<html>
<head>
<script>
function fbLogin() {
if (window.location.hash) {
alert("Access token is: "+window.location.hash);
} else {
window.location.href = "https://www.facebook.com/dialog/oauth?"
+ "client_id=54715426813&redirect_uri=file:///D:/Herby/Desktop/page.html&response_type=token";
}
}
</script>
</head>
<body onLoad="fbLogin();">
</body>
</html>
and oath dialog said
API Error Code: 191
API Error Description: The specified URL is not owned by the application
Error Message: Invalid redirect_uri: Given URL is not permitted by the application configuration.
which means, you must fill in the file:/// type url in you app config. I tried that, but it said me the protocol used must be http or https. So, bye-bye to facebook on file://
The only possibility for true desktop apps is to include web control that uses true http urls and somehow (through tiny embedded server or by some kind of hook and mocking) is able to use such an URL (or, as was pointed in other answer, you can use no redirection url and get redirected to default facebook result page). But that is not something you can do in a browser only.
Related
I'm using Socialite plugin for login with facebook.
When I create application on facebook and when I put this callback url http://localhost:8080/code/example/public/facebook-login-callback
error
If you wish to change your callback URL your new URL must use SSL and start with https.
Any ideas?
Check App Domain and Site URL value in your facebook app. May be this is your solution.
The error message is quite straight forward there: Your callback URL needs to use SSL (means (amongst other things): it must start with "https").
There are many other question related to this, but they didn't help me fix my problem.
I'm using the Facebook server-side login for a website, which I want to test locally. The path that initiates the login action is [http://localhost:8080/fblogin] (this redirects to the Facebook login dialogue, and goes from there).
I can successfully get the code, but when I try to exchange that for an access token, I get the following error:
{"error":{"message":"Missing redirect_uri parameter.","type":"OAuthException","code":191}}
I am providing the redirect_uri, url encoded and it is the same as the one I use to get the first code. Here is the url I'm using to request the access token (with the all-caps query string parameters replaced with their actual values, of course):
https://graph.facebook.com/oauth/access_token?client_id=CLIENT_ID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Ffblogin&client_secret=CLIENT_SECRET&code=CODE_FROM_FB
I suspect this might have to do with how my app is set up on Facebook. Here are the values I have set:
Display Name: (an actual display name here)
App Domains: localhost
Contact email: (an actual email here)
Site URL: [http://localhost:8080/fblogin]
What do I need to tweak in the settings to get this to work? Or does this look correct?
By the way, if it makes any difference, I am using the Play! framework, version 2.0.1
After digging around a little more, I found that it was necessary for me to use POST when sending the request from my server to get the access token.
Interesting that using POST worked for you as this didn't for me.
In any case, did you add the query parameters using setQueryParameter()? (see How to make multiple http requests in play 2?)
I have a Facebook app which gets loaded from my server as an iframe inside a facebook fanpage.
I use the javascript sdk to handle the facebook authentication.
When I access the fanpage in IE through http, then the console shows the following https security error:
SEC7111: HTTPS security is compromised by http://static.ak.facebook.com/connect/xd_arbiter.php?version=18
which causes the user to see the 'insecure content' warning.
I understand it has to do with the way IE handles the cross-domain iframe loading.
More details:
Happens when FB.init is called (xd_arbiter.php is requested by the fb sdk when FB.init is called)
Happens only in IE (specifically IE 9). No security warnings in Chrome or FF.
Happens only when facebook is loaded through http, not https. I would have thought it would be the other way around...so facebook must be loading something over https even though the fanpage is loaded over http.
What I've tried:
Setting FB._https = true before calling init. (does not work, deprecated)
Made sure the sdk is loaded through https (in channel.html).
Made sure all requests I do to my server is through https.
Here is my call to init:
FB.init({
appId : '{$appid}',
status : true,
cookie : false,
xfbml : true,
oauth : true,
channelUrl : '//my_url.com/channel.html'
});
And the content of channel.html:
<script src="//connect.facebook.net/en_US/all.js"></script>
So how can I force the sdk to load the xd_arbiter.php over https so the warning goes away?
I understand the sdk is constantly evolving, but I first want to make sure I'm not doing something wrong.
Thanks
I suggest you have all your assets on the same protocol, either HTTP, or HTTPS.
Then for remote requests, have you considered creating a PHP endpoints on your server, so your AJAX requests can, instead of calling cross domain URLs, call your PHP script, which is on the same domain, and then get PHP curl to do the cross domain stuff?
I'm trying to pass some variables to my facebook app from the url, i.e. using GET variable app_data like facebook wants.
At some point I've stopped getting the ['signed_request'] part of the $_REQUEST. When I print_r($_REQUEST) I'm getting: ['doc'], ['user'], ['__utmz'], ['__utma'] and ['session'] values, but not signed request :(
Any ideas of why this might be happening?
Check the tab/canvas url is EXACTLY the same as required. If there is a redirect to another page, then signed request and other values will not be sent. You can check using a browser sniffer, if a call to the page responds with a 300 (301/302 etc) redirect, then you need to change to what it redirects to.
Examples:
https://example.com/ may need to be https://www.example.com/ (add www., or remove www. depending on how server is set up)
www.example.com/ may need to be www.example.com/index.php (add index.php, or the right page).
Check you are using http:// and https:// correctly in the URLs, and that https:// returns a valid page.
I've only been able to get the signed request in https://, i get no request at all in http.
Currently have a bug on FB, but no word on fixing it yet; http://developers.facebook.com/bugs/264505123580318?browse=search_4eb3ef23eb18d6649415729
EDIT:
http://SITE.com was redirecting to http://www.SITE.com, so I was loosing the request variables.
Had a similar issue, for me it was as simple as a mismatch of the app id and app secret! However in facebook developers backend I have noticed that the URLs all need to have that trailing slash!
Some browsers do redirect your request to https automatically if you have been on this particular site on https so if you are in http mode on facebook there is situation:
facebook requests http version of your app, browser redirect this request of facebook to https and POST data and thus signer_request are gone in this process...
i see this problem in chrome 23, if you delete browsin data (particulary Deauthorize content licenses) app should run back on http
I need to include some secure (BASIC authentication) application.
when I open the application URL in the browser, the browser asks me to enter your credentials ...
what I know is that:
The browser ask the server to get
some URL -- the url of the app
The server checks the request header
for the Authentication header and
didn't find it
The server sends 401 to the
browser back
The browser interpret this response
code into a message dialog that
shows to me asking me to enter the
username/password to send back to
the server in the Authentication
request header
So far... so good, I can write some page (in JSP) that send this required http request header to the request that is calling this page..
So I'll call this application through my page..
The problem here is, this application (in fact a GWT application) contains a reference to some Javascript and CSS files that is coming from the server that hosts this application. the application page that I import looks like:
<html>
<link href="http://application_host/cssfile.css" />
<link href="http://application_host/javascriptfile.js" />
.....
</html>
So, again I found the application asks me for the authentication crenditals for the css and js files!
I am thinking of many solutions but don't know the applicability of each
One solution is to ask the browser
(via Javascript) to send the request
header (Authentication) when he
asks the server for the js and css
files
please give me your opinions about that... and any other suggestions will be very welcomed.
Thanks.
I think you're running into some weirdness with how your server is configured. Authentication happens in context of a authentication realm. Your assets should either be in the same authentication realm as your page, or (more likely) should not require authentication at all. The browser should be caching credentials for the given realm, and not prompt for them again.
See the protocol example on http://en.wikipedia.org/wiki/Basic_access_authentication
Judging from your story, something tells me your problem is with the authentication method itsef. Not how to implement it. Why do you want to bother with the request header so much?
As far as i know, you can configure your container (ie Tomcat) to force http authentication for certain urls. Your container will make sure that authentication has taken place. No need to set http headers yourself whatsoever.
Perhaps you can explain a bit better what you are trying to achieve, instead of telling implementation details?
Why css & js files are kept in protected area of server? You need to place files into public area of your server. If you don't have public area, so you nead to prpvide for it. how to do it depends from serverside software architecture & configuration.