This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Play Framework appending #= to redirect after Facebook auth via OAuth2?
Has anyone else seen this happen?
I am building a Facebook canvas app using the Facebook PHP SDK, and some Javascript.
Now when I take the user through the OAuth authentication flow, I have noticed that the URL in the browser automatically gets appended with this "#_=_" , so my URL starts looking like this:
http://apps.facebook.com/xxxxxxxxxxxx/#_=_
and when I redirect to the app profile page the URL is this:
http://www.facebook.com/apps/application.php?id=xxxxxxxxxxxx#_=_
I am redirecting using
echo "<script type='text/javascript'>top.location.href='$appcanvasurl';</script>"
to the canvas URL, and
echo "<script type='text/javascript'>top.location.href='$appprofurl';</script>"
for app profile page.
So why is this #_=_ getting appended?
Update:
According to this bug on the tracker, this is by design, and giving a value for the redirect_uri does not change this.
And according to the official facebook reply on that page (have to be logged in to Facebook to view the post):
This has been marked as 'by design' because it prevents a potential security vulnerability.
Some browsers will append the hash fragment from a URL to the end of a new URL to which they have been redirected (if that new URL does not itself have a hash fragment).
For example if example1.com returns a redirect to example2.com, then a browser going to example1.com#abc will go to example2.com#abc, and the hash fragment content from example1.com would be accessible to a script on example2.com.
Since it is possible to have one auth flow redirect to another, it would be possible to have sensitive auth data from one app accessible to another.
This is mitigated by appending a new hash fragment to the redirect URL to prevent this browser behavior.
If the aesthetics, or client-side behavior, of the resulting URL are of concern, it would be possible to use window.location.hash (or even a server-side redirect of your own) to remove the offending characters.
See This:
https://developers.facebook.com/blog/post/552/
Change in Session Redirect Behavior
This week, we started adding a fragment #_=_ to the redirect_uri
when this field is left blank. Please ensure that your app can handle
this behavior.
Related
This question already has an answer here:
Facebook App with wildcard OAuth redirect URL
(1 answer)
Closed 1 year ago.
I want to be able to Facebook login on different subdomains:
(ex: www.123.mywebsite.com, www.456.mywebsite.com)
Is there a way to achieve this? Instead of manually adding them one by one... Like a wildcard perhaps? (ex: www.*.mywebsite.com)
I've read some posts that suggested to make sure the "App Domain" field is set to ex: "mywebsite.com" and the "Site URL" field is to ex: "http://mywebsite.com", while leaving the "Valid OAuth redirect URIs" empty. THIS POST was from 2016... And it used to work
But nowadays it's not possible anymore to leave the "Valid OAuth redirect URIs" blank. It needs at least one..
On top of that, they added a "Strict Mode"
Thanks in advance
Two options:
Send the subdomain in the state parameter. Have one domain that handles all the redirects from Facebook and redirects to the appropriate subdomain by the state parameter returning from Facebook.
Use the SDK. it uses post message instead of redirect. (recommended)
I have a web site already integrated with Facebook login, using server-side authentication.
I have an issue to turn it into an application running under Facebook.
The problem is that Facebook does not show the authentication page at all
Therefore, I am not even getting to the server authentication process for real.
Right now, the application is running on my local machine.
My app is defined as Facebook Application: (adding blank before localhost for site security purpose only)
Canvas URL: http ://localhost:4300/fbopt/
Secure canvas URL: https ://localhost:4303/fbopt/"
[same problem happens when running in a Sandbox, without Secure URL]
I have a "fan page" with "Go to App" button there.
Pressing a button leads me to the URL:
https://apps.facebook.com/[appid]/?fb_source=timeline
The browser starts loading the page with the frames.
The lower frames makes the POST request to the URL I provided.
My application redirects the page to the following URL:
https://www.facebook.com/dialog/oauth?client_id=[appid]&redirect_uri=https://localhost:4303/fbopt/hook&scope=email,user_location,user_birthday
I would expect Facebook to show up the application authentication form, with the permissions required.
Unfortunately, this does not happen. An empty page is shown within the frame, HTML is empty!
I see (from the Chrome network debugger) that the URL is indeed accessed, but the response is with HTTP 200 status (not error), but no response data. Instead, getting
X-Frame-Options: DENY
response header - rendering denied within frame! Why?
When loading the URL above "manually" outside the Facebook frames structure, I do get the authentication screen with the right permissions.
I wonder what is missing to get it work with canvas.
Any hint on what I should add, or how to debug such a problem - will be appreciated.
Thanks ,
Max
Looks like me fundamental problem was that I was trying to redirect the whole page, instead of making a frame redirection.
Started here:
Blank Canvas => 'Refused to display document because display forbidden by X-Frame-Options.'
Went here:
https://developers.facebook.com/docs/howtos/login/login-for-canvas/
It says:
Because your application is being loaded in an iframe, returning a 302 to redirect the user to the Login Dialog will be unsuccessful. Instead you must redirect by setting the Javascript window.top.location property, which causes the parent window to redirect to the Login Dialog URL
This was probably my major mistake.
Max
Do you have iframe in your app? Sending X-Frame-Options with content DENY is Facebook's way to fight with clickjacking. More info:
http://darklaunch.com/2010/11/09/facebook-s-anti-clickjacking-techniques
adding an iframe to facebook does not work anymore since ~2 weeks
I've had the same issue. 302 Redirect works because I use a lot of those but you cannot redirect to a facebook domain for any reason. If you want you can do a top redirect via javascript. What I did is I created an html that accepts a url and it loads it in top.location then redirects back to apps.facebook.com. With X-frame most probably because you have a AntiForgeryToken (if using .net) because this would insert xframe sameorigin in the header. You can disable this with
AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
I have a facebook page tab iframe and would like to access the browser url in order to get the current facebook page url.
I know it's not possible to use a javascript that interacts with the parent frame because of browser security issues.
An approach that didn't work for all browsers was to read the HTTP_REFERER header from the request.
Is there a better way?
I hope this is impossible at all. Otherwise it will be a security issue, likely to be closed.
You should not write code depending on compromising other users.
It is not possible to get URL of a parent Frame due to cross-domain policy. And there is no way to get the information about page your application running on in client-side.
But on the server-side you can reconstruct the Page URL using details passed in signed_request. For Page Tab Applications it contains page:
A JSON object containing the page id string, the liked boolean (set to true if the user has liked the page, false if not) and the admin boolean (set to true if the user is an admin of the page, false if they're not).
Using that page id you can build the Page URL:
http://www.facebook.com/pages/-/PAGE_ID
If you want the link to your Page Tab with your application use:
http://www.facebook.com/pages/-/PAGE_ID?v=app_APPLICATION_ID
Beware, HTTP_REFERRER is provided by client and cannot be trusted, and it's may be cut by plugin/proxy/etc...
Notes:
Pages may have different URL in real life, but using this technique user will be landing the correct Page since Facebook will issue redirect to correct URL of a Page.
Sample URLs use HTTP scheme, feel free to use HTTPS if you need it.
In PHP for example you can detect the current scheme like this:
$scheme = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS']!=="off") ||
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
$_SERVER['HTTP_X_FORWARDED_PROTO']=="https")
) ? 'https' : 'http';
HTTP_REFERRER might not work as expected in my experience. If the tab app is designed for a specific page (which I suppose it kind of should), have you tried recreating it?
https://www.facebook.com/MYPAGENAME/app_MYAPPID
Where MYPAGENAME is your page name and MYAPPID is the app id, of course.
If the tab is applied to multiple pages though, I'm quite sure you'll get the relevant data to apply the above from https://graph.facebook.com/PAGEID, where PAGEID is the ID of the page which you get from the signed request.
We're hosting a PHP facebook canvas application (http://apps.facebook.com/myapp). One of the pages (http://apps.facebook.com/myapp/foobar) requires authentication from facebook so we can access some information about the user. This is achieved by using the PHP-SDK's $facebook->getLoginUrl() method to generate the url for authentication and works as expected.
We have since added the app to as a Tab (iFrame) to our Page (http://www.facebook.com/MyPage?sk=app_nnnnn). Now when we try to authenticate the user they are redirected to the app's url (http://apps.facebook.com/myapp/foobar) rather than having the /foobar page load in the Tab's iFrame as expected.
Is it possible to set the auth so that it doesn't bounce to the app's url but stays within the Tab using the PHP-SDK? If so, what is the workflow I should follow to achieve this?
I would simply add code to http://apps.facebook.com/myapp/foobar to check for authentication, and if it is, echo:
<script type="text/javascript">
top.location.href = 'http://www.facebook.com/MyPage?sk=whatever';
</script>
That should break out of the iframe and redirect you to where you want to go.
The way I have achieved this is to do the following:
On the /myapp/foobar page I check to see whether the user has been authenticated. If they haven't I set a session value and use the PHP-SDK's $facebook->getLoginUrl() to generate the auth url and send a response back containing just the javascript to redirect window.top.
Once they've authenticated they're redirected back to the main page. When this page loads it checks for the session value and, if set, removes it and issues a redirect header to /myapp/foobar.
It's a little convoluted but seems to be quite a stable solution.
I'm using the Facebook connect login API for desktop apps presented here:
http://wiki.developers.facebook.com/index.php/Authorization_and_Authentication_for_Desktop_Applications
I'm finding that the parameters I pass arent working correctly. Here's an example of the URL I use for the site:
http://www.facebook.com/login.php?api_key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&connect_display=popup&v=1.0&next=http://www.facebook.com/connect/login_success.html&cancel_url=http://www.facebook.com&fbconnect=true&return_session=true&req_perms=publish_stream
If the user logs in correctly, they are redirected to
http://www.facebook.com/
instead of the value in the next parameter. This is particularly frustrating since the url of the site they were redirected to is supposed to contain login information.
Amazingly, the cancel_ url parameter works fine and sends the user to the correct target (I tried multiple cancel_url values inside of the facebook.com domain and they worked). Anybody dealt with this?
Is the API Key valid? Is your callback url set correctly in the application ? the next parameter is seeming to be ignored on non Internet Explorer Browsers.
Actually the next parameter was messing up the code in IE, so i removed the next parameter. What I did is storing the redirect back url in session and used a file to handle all facebook logins in all my domains.
http://digitalpbk.blogspot.com/2009/08/facebook-auth-next-parameter-ie.html