I am using java and the purpose of my demo application is simple: Update user status.
I followed the Server-side Flow on page http://developers.facebook.com/docs/authentication. I got the auth dialog, facebook lead to the callback url and I got the code in my callback page. Then I failed when I try to generate an access token.
In the guide page, it says the following url could be used to generated an access token:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
But what happens in my environment is I got the following error message:
{
"error": {
"type": "OAuthException",
"message": "Error validating verification code."
}
}
I am quite sure every parameter is correct because if I change the client_id value or client_secret parameter, I will got a different error message. The code parameter is what I got from facebook callback. So this should be correct, right? Really can't figure out what is the problem....
Any idea about this? I get stuck here...
I recently dealt with exactly this problem: everything matched, but it failed with the OAuthException. The thing that made it work was to change the redirect uri (in both requests for the flow) from:
http://foo.example.com
to
http://foo.example.com/
I.e., add the trailing slash. And then it worked. Stupid and silly, but there you go.
I had the same problem and tried the above suggestions. They helped, but in my case the problem was that my redir URL had a query parameter and Facebook wasn't cool with that. So, moral of the story is that the redir url you sent to exchange the token has to be identical the the original redir url and it can't have query parameters.
We had some fun with this as well.
In our case the trailing slash in the URL was already there, so I tried the Token we were using in the FB Debug Tool and it validated, so it looked like FB wasn't even seeing the Token in the request.
After some investigation I found the head-slapper - we doing a GET with HTTP Headers only not with a Querystring, so FB litterally wasn't seeing the Token at all.
The moral seems to be that if you can get the Token to validated in the FB Debug tool, there is likely /something/ amiss in your request -
It might be a missing "/" or some other mismatch with the App's defined URL (Domain mistmatch is a different error). I have not tried defining the App / Web Url for HTTPS and doing the request with HTTP but I suspect it would also hiccup somehow.
Or as in our case, the Request Method might be incorrect - GET with Headers or POSTing both throw the 2500, you have to do GET with a Querystring.
Hope that helps!
I had the same problem. It was a URL difference, but unlike the others that have posted, mine was the difference between HTTP and HTTPS.
We have BigIP handling HTTPS requests and forwarding over to an HTTP Apache server. When BaseFacebook's getCurrentUrl() function was called, it detected HTTP, and not the original HTTPS. I've modified that function like so:
protected function getCurrentUrl() {
if ((isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS'] == 'on' || $_SERVER['HTTPS'] == 1)) ||
(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ||
(isset($_SERVER['HTTP_PSEUDOSSL']) && $_SERVER['HTTP_PSEUDOSSL'] == 'true')) {
$protocol = 'https://';
}
else {
$protocol = 'http://';
}
...
This version supports the HTTP_PSEUDOSSL key. I hope this helps someone.
Yes, the trailing slash worked for me too, thanks!
For debugging purposes, I found it helpful to use exactly the code fb provides on the developer page:
http://developers.facebook.com/docs/authentication/
Once you get that working, you can modify it to fit your own code.
I'm not sure, but you might also check to make sure your "Site URL" and "Site Domain" settings are correct on the App Edit screen, because according to the documentation, the redirect_uri must be in the same domain. (This is different from the canvas/tab page urls.)
I was also having a url problem, but the solution to it is different. I was passing the signedRequest that the JavaScript SDK returns to the server, and using the code value from that to request an access-token. However, according to some comments in the 3.1.1 version of the Facebook PHP SDK, the JavaScript SDK associates the code with a redirect_uri of empty string, i.e. "":
// the JS SDK puts a code in with the redirect_uri of ''
if (array_key_exists('code', $signed_request)) {
$code = $signed_request['code'];
$access_token = $this->getAccessTokenFromCode($code, '');
if ($access_token) {
// etc
}
}
After I changed my own server-side code to use a redirect_uri of "", then the request for an access-token worked.
in my case, my code wasn't working on IE.
The issue was in the following line
$user_id = $facebook->getUser();
if ($user_id)
Because somehow the getUser function always returned 0, so that condition was always true. Than he generated that error from invalid token.
Well, i fixed it by just saying this:
if ($user_id>0)
Silly stuff...
Related
I have created a class that generates a URL that authorized my users with Facebook. Here it is:
https://www.facebook.com/dialog/oauth?response_type=code&client_id=...&scope=email%2Cuser_about_me%2Cuser_friends%2Cuser_hometown%2Cuser_location%2Cuser_work_history%2Cuser_education_history%2Cpublish_actions&state=...&redirect_uri=http%3a%2f%2flocalhost%3a53016%2fsocial%2fcallback%3fvariables%3dY2FsbGJhY2tfdXJsOi9MYW5kaW5nO2ZhbGxiYWNrX3VybDovQ29uc3VsdGFudC9TaWduVXA7bWV0aG9kOjE7cHJvdmlkZXI6MQ%3d%3d
This URL works just fine and returns back to my callback function. I'm able to convert the base64 string to my variables that I pass along with my URL. The trouble that I am facing is that Facebook doesn't recognize the URL to give me the access_token. This the return URL that I send to Facebook for the access_token.
https://graph.facebook.com/oauth/access_token?client_id=...&client_secret=...&code=...&redirect_uri=http%3a%2f%2flocalhost%3a53016%2fsocial%2fcallback%3fvariables%3dY2FsbGJhY2tfdXJsOi9MYW5kaW5nO2ZhbGxiYWNrX3VybDovQ29uc3VsdGFudC9TaWduVXA7bWV0aG9kOjE7cHJvdmlkZXI6MQ%3d%3d
(I have cleared out the client_id and client_secret for obvious reasons.)
Can anyone notice what I am doing wrong here?
Perry thank you for your help. I was able to figure out what the problem was on my project. When I was encoding my parameters to Base64 I wasn't using the proper methods to convert it to String. This answer on stackoverflow helped me figure out what I was doing wrong.
C# Method like Base64String, but only alphanumeric (no plus or slash)
The answer in particular is from Mason G. Zhwiti. I was just doing Convert.Base64String instead of HttpServerUtility.UrlTokenEncode(byte[] b). After I did that I was able to get my response. I seemed that my URL had two equal symbols at the end. That was throwing off Facebooks URL validation. Once I did the appropriate method it started working.
I hope this helps anyone else who is struggling with this type of problem.
What is the specific error message - was it unauthorized redirect_uri?
I'm kind of oblivious to the variables - what are they for?
It doesn't seem like you should be doing the callback to a querystring URL, but maybe that's OK. When I first implemented OAuth2, I had the API calls originate from and callback to specific URLs for each provider, such as mysite.com/login-google.php or mysite.com/login-facebook.php, but now I have the callbacks point to the main site URL (mysite.com). Since we have index.php at the main site URL, we can intercept the callback in index.php and route them to the desired provider script (login-google.php or login-facebook.php) which cleans up the callback URLs and makes them a no-brainer for end-users to work with.
Your callback URL:
http://localhost:53016/social/callback?variables=Y2FsbGJhY2tfdXJsOi9MYW5kaW5nO2ZhbGxiYWNrX3VybDovQ29uc3VsdGFudC9TaWduVXA7bWV0aG9kOjE7cHJvdmlkZXI6MQ==
Can you access that callback URL in a browser? Code it up to throw an error or output a debug message so you know the callback URL is working.
I've documented the OAuth2 flow for Facebook quite cleanly in this code: https://github.com/perrybutler/WP-OAuth/blob/master/login-facebook.php
Hope it all helps...
So when using Facebook login, it turns out that if you set response_type to token or code%20token then the "response data is included as a URL fragment" on the URL that redirects to your app. Seriously, why? When would that ever be useful to anyone?
Anyway, I'm hoping that this is somehow security related and that it's there for a reason other than to annoy people, but I would otherwise like to know if there's a way to disable it, since I'm using Angular and it's a real pain to handle urls with hashbangs.
If I set a response_type of code only, the code is returned as a nice and clean query parameter, but I would like to receive both in order to perform additional validations. Is there a way to change this behaviour? Thanks.
EDIT:
Well it turns out that setting a response_type of code returns #/= at the end of the url, so there's no way to get a clean querystring. It has already been established that there is no way to change this behaviour, but I'm still interested in finding out why Facebook is doing it. Is it security related? What is the purpose of these url fragments?
Answers
To your first question, I imagine you would use token when you are handling everything in-browser and not processing at the server.
To your main question, as far as I know, you can not change how Facebook redirects successful authorizations. Facebook doesn't give you the token as a clean query parameter. If you use token or code token, what you want will be in the hash fragment. Sorry.
NOTE: This may not be a problem for you. I'm not sure what you want with "additional validations", but when you use code token, exchanging the resulting code gets you a different token than the one you just got embedded in the URI. Both are now valid and will expire separately. Really, you probably need either the code or the token; both won't help you since they're not linked.
Examples of using all three methods:
If you set response_type to code you get redirected to something like:
http://example.com/redirect_uri?state=thestatepassed&code=AQDN9E9GYjA8NbyCt
87_jV5vHnCQylNxmBswo6Z1BsrR7lmTPom6wjrzfan6P4GBLDt3EQrfPg0xSLoMLxBBfscsyfSY
JNM2vu9OoqEQXXSJCTUq_fMpUwqkYbCHp-GAqL4H1ymbMz7zPKAG61V9BtKTSuez39yhawOu7l-
6ww4thP41Ka9PVcknTQ6fPjPXKYSyxEmANps9zevCPFsXpBZCO7_dms65-ZZuG2wVBd16gFnBZH
q8EY0qih6-9o61wXh7bBvVPVSZ2im7Oj1nx47YgDpbD3X0XdlVhUoGYmBdER9hNmIC2PmmY7VAo
PlYCZc#_-_
From there, you need to exchange the code through Facebook's OAuth endpoint to receive an access token. The access token can then be used against the Facebook APIs.
If you set response_type to token you get redirected to something like:
http://example.com/redirect_uri#access_token=CAACYnSxGEhsBAJBg0ohZBhAf7pKEU
sm5ytZAZBzKjISFuRun2ZByZCqEsxrVIgtiO7iIlJZBBbGm6fRPQXItZCX6YgjPknUBsr78tJtv
W6fySULrUo9vdW57ZCMUUIlNaeZAcU8DzUXKmFpgotOyhE3jXYz1c3eu00Aii0AZBsPrtrwjpwQ
mV8VYQNiqKZBIsqOrIwZD&expires_in=4168&state=thestatepassed
You have everything you need to call the Facebook APIs. The access token returned is valid, but should probably be checked against Facebook's token inspection endpoint if you're doing something server-side. (Really, at that point, just use code. I've never done it this way, so good luck.)
As you noted, the access token is now contained within the hash fragment of the url.
If you set response_type to code token you get redirected to something like:
http://example.com/redirect_uri#code=AQAtzsjPivFPsJ538KFlPuhLaK6pDMlrGDiwmi
KDcpgNfWrO1EdX5i6zK_Op2D0QDEXZLyifXxh4TSeBZCWhnkl7YV1LMyEkbPURAWSoqRoeG7tfM
4nB4nDAHOK0H9umb0KnoypRT1pP05FJKhl2QjpCJrPPFDHl6y-1X9ZMj1uVHtmPNi4tG_6QAbuL
RaGadBkekb22uJ0iwSrWc9OKi6ET70lCTYb18hbwUkzHXtTq12nNEdsDJ7Ku2wEBwMygFwErYDX
CrnPoFoah_z0UPCfv3XZLy98Dhlzw_lnx8nnCB-PCppOWRqmydvQJehPd86k&access_token=C
AACYnSxGEhsBALXHRQwfm4UoauRlZBJDVpZCiM6ZCuM3bE965F5JVBfBB8inTFdhfJ5obnonSqa
m3v8FbWhHXrhRSx4ugwAmmDaWyxmPELWqSrkrDO5ueTUXhhjiEZBTd7HjCVCSOXXhOSo3DjEVSC
lOaZBfqmXsprYyc6LJC39sroCcHYCZCv&expires_in=5183426&state=thestatepassed
Now you have both an access token and a code (that expiration applies to the token, not the code). As stated earlier, that code can be exchanged for an access token in the usual way, but the returned access token will be different from the one you just got embedded in the URI.
But, again, what you care about is in the hash fragment.
See the AngularJS doc on $location for accessing the hash. Someone more knowledgable than me can speak to how that works with routes and how best to scrape the parameters.
Well today I had the same situation and managed to resolve it in a way I could get the access token from my server.
After getting the code using response_type=code I called via GET the following url:
https://graph.facebook.com/v3.2/oauth/access_token?app_id=MY_APP_ID&code=MY_CODE&client_id=MY_APP_ID&client_secret=MY_APP_SECRET&redirect_uri=YOUR_LOGIN_REDIRECT_URI
This route returns a JSON response, which has the access_token parameter, in this way:
{
"access_token": "ABAECAEFAEFAEA...",
"type": "bearer",
"expires_in": 838383838
}
So there you go :) I hope this works for you too
I'm trying to authenticate facebook users into a web-app i'm building without the javascript SDK, I'm following This guide. In the first step (where I'm supposed to send the appId along with the redirect_uri),
I have the redirect_uri set to "http%3A%2F%2Feduudle.com%2Fborhom2", it works as expected and sends the code parameter to the backend.
However, in the second step where I'm supposed to send the code along with the client_secret and the redirect_uri, I send the same redirect_uri and it doesn't work. I get the following message "Error validating verification code. Please make sure your redirect_uri is identical to the one you used in the OAuth dialog request"
I have tried the slash at the end, replacing the : with %3A and the / with %2F. I'm 100% sure that the redirect_uri is EXACTLY the same as the one I'm sending in the get request.
The only case where I'd be wrong is if I misunderstood what the redirect_uri is and how to change it from facebook. Try it yourself "http:// eduudle.com / borhom"
I'm 100% sure that the redirect_uri is EXACTLY the same as the one I'm sending in the get request.
Doesn’t look like that.
Clicking login on your sample page redirects me to
https://www.facebook.com/dialog/oauth?client_id=461627793920081&
redirect_uri=http://eduudle.com/borhom2&scope=…
whereas the Graph URL giving the error afterwards is like this,
https://graph.facebook.com/oauth/access_token?code=…&client_secret=…&
redirect_uri=http://eduudle.com/&client_id=461627793920081#_=_
So check your code for the part where that URL is generated and redirected to – I’m pretty sure its your mistake ;-(
There are many other question related to this, but they didn't help me fix my problem.
I'm using the Facebook server-side login for a website, which I want to test locally. The path that initiates the login action is [http://localhost:8080/fblogin] (this redirects to the Facebook login dialogue, and goes from there).
I can successfully get the code, but when I try to exchange that for an access token, I get the following error:
{"error":{"message":"Missing redirect_uri parameter.","type":"OAuthException","code":191}}
I am providing the redirect_uri, url encoded and it is the same as the one I use to get the first code. Here is the url I'm using to request the access token (with the all-caps query string parameters replaced with their actual values, of course):
https://graph.facebook.com/oauth/access_token?client_id=CLIENT_ID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Ffblogin&client_secret=CLIENT_SECRET&code=CODE_FROM_FB
I suspect this might have to do with how my app is set up on Facebook. Here are the values I have set:
Display Name: (an actual display name here)
App Domains: localhost
Contact email: (an actual email here)
Site URL: [http://localhost:8080/fblogin]
What do I need to tweak in the settings to get this to work? Or does this look correct?
By the way, if it makes any difference, I am using the Play! framework, version 2.0.1
After digging around a little more, I found that it was necessary for me to use POST when sending the request from my server to get the access token.
Interesting that using POST worked for you as this didn't for me.
In any case, did you add the query parameters using setQueryParameter()? (see How to make multiple http requests in play 2?)
... but it is!
I am calling the facebook API with the following link in order to receive my access token:
https://www.facebook.com/dialog/oauth?client_id=myclientid&redirect_uri=http%3A%2F%2Fmydomain.org%3A8080%2FServer%2FFacebookAuthenticationVerificationServlet&scope=manage_notifications,offline_access,read_mailbox,read_stream,publish_stream
What am I doing wrong?
Facebook answers with the following error:
message: redirect_uri isn't an absolute URI. Check RFC 3986.
type: OAuthException
code: 191
It shouldn't have anything to do with it, but I am using java's URLEncode.encode() to encode the URL into UTF-8. I compared the result with that one from JavaScript's encodeURIComponent() and didn't find any difference.
EDIT: Do I have to set the domain into my configuration? I can't locate it on "App Domains" (because facebook doesn't allow me to add domains there with port configuration) but I set the domain as "URL of my website".
EDIT2: The unencoded redirect uri: http://mydomain.org:8080/Server/FacebookAuthenticationVerificationServlet
EDIT3: This has nothing to do with the :8080. I tested it with a php-script (URL was like bla.domain.org/myphp.php) and sent the code by the php script to the tomcat server, but the error persisted.
Okay, it turned out I misunderstood the OAuth protocol. I was fetching the authorizationCode that THEN leeds me to the accessToken.
But I wasn't able to fix that error in specific. I just redeveloped the procedure and implemented auth-code and access-token separation and it works fine now.
Maybe unauthorizating the app and reauthorizating it # facebook did fix it?
Error code 191 for Facebook is
API Error Code: 191
API Error Description: The specified URL is not owned by the application
Error Message: redirect_uri is not owned by the application.
Make sure mydomain.org is in the App Domains field, and that the Website with Facebook login field is correct.
You shouldn't encode redirect_uri. http%3A%2F%2Fmydomain.org is not understood as http://mydomain.org