Do I need to support ssl on my site that allows login through facebook connect - facebook

My site allows users to login through facebook connect. Do I need to support ssl on my site by Oct 1?
Will greatly appreciate your input.
Thanks,
cody

If you conform to the following sentence, you must support SSL by Oct 1st:
an SSL Certificate is required for all Canvas and Page Tab apps
See https://developers.facebook.com/docs/oauth2-https-migration/ for more details.

It seems like if you are not using Canvas or Page Tab ON FB, then SSL won't be required on your site for FB Connect. You will have to make the API call to FB over SSL and must configure your app to use OAuth 2 -- for the JS SDK that means setting oauth:true. See https://developers.facebook.com/docs/oauth2-https-migration/

Only on *.facebook.com are you required to use an SSL certificate. More specifically, you must specify a URL that begins with https:// for your canvas URL as of Oct. 1st. When https://apps.facebook.com/<YOUR_URL> or https://www.facebook.com/<YOUR_URL> loads your IFRAME, the IFRAME url must begin with https.
However, you do not need to support SSL on your website outside of Facebook. If you use Facebook for Websites, you need to make no change to that portion of your Facebook implementation.
The idea is that one day all traffic on facebook.com will be https by default, and they don't want mixed content warnings when https://*.facebook.com loads up your IFRAME url.

Related

Facebook Login - URL Blocked - Can't add new redirect URI's

I have a website that uses the Facebook Login feature successfully and it still works as we speak. But I want to use the same facebook app on another website using the same keys etc...
But for some reason, even though I have added the correct URI's into the OAuth part of the Facebook page, I still get:
URL blocked: This redirect failed because the redirect URI is not
white-listed in the app's client OAuth settings. Make sure that the
client and web OAuth logins are on and add all your app domains as
valid OAuth redirect URIs.
Does anyone have any ideas on where I can start to find out why Facebook isn't accepting these new urls?
Okay, it seems to be working now - perhaps it was a timing issue, which was weird because it updated straight away on previous sites.
Thanks again for the help though WizKid!

For Janrain Sign In with Facebook, how to configure website and app domains on Facebook?

The instructions from Janrain for social login provider setup conflict with the hint within the error message from the Facebook https response. Details follow.
Error screen when testing Facebook from Janrain; note that same error happens in any browser such as Firefox, Chrome if you test the sign-in widget.
Error Text from Facebook:
App domains must match the domain of the Facebook Web Games URL (https), Mobile Site URL, Unity Binary URL, Site URL or Secure Page Tab URL.
Please correct these domains: (snip).
Based on the hints from the Janrain Facebook Provider Setup wizard, I have set the website to the URL on rpxnow (i.e. definitely not my web site).
What URL(s) should then be entered into Basic and/or Advanced Settings such that Facebook can process the login? I have tried using the rpxnow URLs and my own web site URLs. Either of 2 things happens regardless of whether I include https:// or start from the subdomain of any combination of names. Either Facebook will not save the details on Basic App Domain and gives the above error, or Facebook will save the details but then gives the error in the first screenshot above.
I do not see how this can ever work because Facebook wants a match on the domain and rpxnow will never be the domain that I use to invoke the sign-in.
For completeness, I will show my Facebook settings, so it will be obvious that they do not match the current Janrain Setup Guide for Facebook.
Basic Settings
Is the Namespace relevant? Better to leave blank? Does it need to match something within Janrain?
Advanced Settings
I could believe that something has to be done to allow cross-domain access. Does anyone have this working with a new Janrain account (3 weeks old) and a new Facebook developer account (old Facebook account, new developer app)?
Replying as an answer so I can attach a picture.
I have a feeling this might be something to do with Facebook's impending changes to their app security (https://developers.facebook.com/blog/post/2017/12/18/strict-uri-matching/ ). It appears that you need to add the Valid OAuth redirect URI for any new API v2.11 apps now (not after March). We were already planning to address this before March but we will have to update sooner.
For your Facebook app you will have to set up the "Valid oAuth redirect URIs" similar to the following screen shot, just replace "pbjanraintest" with whatever your Engage app name is:
Sorry for all the trouble you have had. It's hard to keep up with these providers when the messaging doesn't align with what their apps and api's are actually doing.
I just received the same error this week. Leave off the https:// in the OAuth redirect URIs box.

Facebook login without SSL

This is not another question asking if I need to buy an SSL cert for my site to have a facebook login.
My question is, is it possible, when using facebook's login with OAuth2, to NOT redirect the user to https:// www. facebook.com?
My problem is this, I run a bunch of wireless hotspots and would like the users to login via facebook. The problem is that I need to give them access to https ://www. facebook.com/login.php (and a bunch of other urls). However, with HTTPS I cannot allow access to paths on websites if it's an SSL site. So is there another domain name that can be used (like HTTPS :// login.facebook.com*) or a way to send them to HTTP ://www. facebook.com/login?
EDIT:
Just to make it more clear what I am trying to do.
Open your browser and go to http://www.facebook.com/login, facebook will then redirect you to HTTPS:// www. facebook.com/login. That is the problem. Is there any way, using the PHP SDK, to force HTTP & not HTTPS?
You only need SSL for Canvas Apps (running on apps.facebook.com/yournamespace, "App on Facebook" in the developer settings) and Page Apps ("Page Tab" in the developer settings), but not for external Websites.
Just fill in the input field "Website with Facebook Login" in the developer settings with your external Website (http://www.yourdomain.com/whatever).
Where you redirect the user to is totally up to you. For example, you can create any JavaScript redirection in the callback function of FB.login:
https://developers.facebook.com/docs/reference/javascript/FB.login/

Can we change url from https to http from iframe loaded inside base url?

Facebook App page will get an SSL error when coming from a secure hypertext protocol (https) Facebook account to a non-secure (http) Facebook App Page, which happens due to the lack of an SSL Certificate on the server hosting the Facebook App. I am trying to change the base url from https to http to avoid the SSL error.
Is it possible to change base url from https to http from iframe?
Even if it is, that’s no solution to your problem – because the iframe content will be pulled over HTTPS first, if the user is browsing Facebook over HTTPS – and since your app does not support HTTPS, this will fail already. So you will not even get to a point where code from your app will be loaded, let alone executed, in this scenario.
You’ll have to get an SSL certificate for your app domain.

Facebook App redirecting to https

My Facebook application is redirecting to https. Can somebody help me? I don't have SSL on my server and I want to keep the app on http; with https it generates the following error:
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
Here is an article that gives a good run down on this, Hyper Arts Blog.
It appears that facebook is going to encourage secure browsing and the only way to avoid end user warnings is to set yourself up with a secure site.
You have set up your facebook app to have a secure canvas. Try removing it.
Also, your own personal facebook settings probably have https usage enabled... https://www.facebook.com/blog.php?post=486790652130... Try unchecking that setting.
If you don't provide a secure canvas, the browser of a user who has requested that facebook use https when possible is supposed to ask the user if they can go to the unsecured site... but we are talking facebook here so expect the unexpected.
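
The `ssl_error_rx_record_too_long` message quoted in the question above is what a TLS client commonly reports when the server answers in plain HTTP on a connection the browser opened as https://. The following is an added example, not code from any of the posts: it reads the first five bytes of a reply as a TLS record header to show why plaintext trips the length check. The sample byte strings and function name are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Largest record body allowed in TLS 1.2: 2^14 bytes plus 2048 bytes of expansion.
MAX_RECORD_LEN = 2**14 + 2048

# Constructed samples: a plain-HTTP reply and the start of a TLS handshake record.
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_TLS = bytes.fromhex("160303005a") + b"\x02" + b"\x00" * 89


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first 5 bytes of a server reply as a TLS record header."""
    if len(data) < 5:
        return {"verdict": "too_short"}
    # Header layout: 1-byte content type, 2-byte version, 2-byte big-endian length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    result = {
        "content_type": ctype,
        "version": (major, minor),
        "length": length,
        "length_exceeds_max": length > MAX_RECORD_LEN,
    }
    if data[:5] == b"HTTP/":
        # The server is speaking plain HTTP on a port the client treats as TLS.
        result["verdict"] = "plaintext_http"
    elif ctype in TLS_CONTENT_TYPES and major == 3 and not result["length_exceeds_max"]:
        result["verdict"] = "tls_record"
    else:
        result["verdict"] = "unknown"
    return result


if __name__ == "__main__":
    for name, sample in (("http", SAMPLE_HTTP), ("tls", SAMPLE_TLS)):
        print(name, classify_first_bytes(sample))
```

For the plain-HTTP sample the bytes `P/` are read as the length field (0x502F = 20527), which is larger than any valid record, so the client rejects it before any handshake takes place.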