
Facebook Login HTTPS redirect uri


Facebook is recommending that I use a HTTPS redirect URL, instead of HTTP. I’ve been trying to find a way to configure it to generate a HTTPS URL, at the moment it’s generating a HTTPs URL.

https://www.facebook.com/v2.8/dialog/oauth?response_type=code&client_id=255162614498922&redirect_uri=http://example.com/signin-facebook&scope=&state=-x4AVtFysadfadsfsadROH6E1QJ82gv4e4j48s32K5xbmqlF-JFbE5Y2Tx_MAdSquCP6CjZjic8Ye6gwasdfdfask3PXWkyxS42Ajpks9IuumDOl6CUJsadfafsasfdasdfbfpEFUDyxJUR3fARlWc83Lysadffdsdaffsdafasdsdafx_ziTnttz

Currently it is generating: http://example.com/signin-facebook for the redirect_uri, but I’d like a HTTPS URL to redirect the user to.

Is there a way to configure it to generate a HTTPS URL?

This relates to packages Microsoft.Owin.Security and Microsoft.Owin.Security.Facebook.

Currently my OwinStart looks like this:

public class OwinStart
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions()
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Welcome")
        });

        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Configure Facebook authentication
        app.UseFacebookAuthentication(new FacebookAuthenticationOptions
        {
            AppId = ConfigurationManager.AppSettings["FacebookAppId"],
            AppSecret = ConfigurationManager.AppSettings["FacebookAppSecret"]
        });
    }
}

Also, there doesn’t appear to be a way of forcing HTTP within the FacebookAuthenticationOptions class or from the Challenge() method that instigates the redirect to Facebook:

internal class ChallengeResult : HttpUnauthorizedResult
{
    // TODO: Specify an XsrfKey?
    private const string XsrfKey = "SomethingHere";

    public ChallengeResult(string provider, string redirectUri)
        : this(provider, redirectUri, null)
    {
    }

    public ChallengeResult(string provider, string redirectUri, string userId)
    {
        this.LoginProvider = provider;
        this.RedirectUri = redirectUri;
        this.UserId = userId;
    }

    public string LoginProvider { get; set; }
    public string RedirectUri { get; set; }
    public string UserId { get; set; }

    public override void ExecuteResult(ControllerContext context)
    {
        var properties = new AuthenticationProperties { RedirectUri = this.RedirectUri };

        if (this.UserId != null)
        {
            properties.Dictionary[XsrfKey] = this.UserId;
        }

        context.HttpContext.GetOwinContext().Authentication.Challenge(properties, this.LoginProvider);
    }
}

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Reactions:1
  • Comments:7 (3 by maintainers)

Top GitHub Comments

5 reactions
Tratcher commented, Feb 14, 2018

No, you should keep the https redirect. To get FacebookAuth to generate the correct URLs you should read x-forwarded-scheme and set the request scheme. E.g.

app.Use((context, next) =>
{
  if (context.Request.Headers["x-forwarded-proto"] == "https")
  {
    context.Request.Scheme = "https";
  }
  return next();
});
// Use Cookies
// Use Facebook

0 reactions
EdSF commented, May 2, 2019

A key item in the above is that it is necessary to do this if your application offloads SSL (to an SSL concentrator/load balancer, etc.), as stated in the SO answer:

  • The traffic between end user to your site is SSL (hits SSL concentrator/load balancer)
  • The traffic between SSL concentrator/lb and your application is http
  • therefore your application’s context is http

So your app must force its context to https without doing things like HttpRequest.IsSecureConnection or similar - that will never be true and results in a redirect loop.
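
The scheme override discussed in the comments above relies on a request header, and any client that can reach the application directly can set that header itself. The following is an added example, not code from the thread or from the Katana project: it honours `X-Forwarded-Proto` only when the immediate peer is a known TLS-terminating proxy. The extension name `UseForwardedScheme` and the proxy addresses are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

public static class ForwardedSchemeExtensions
{
    // Assumption: addresses of the TLS-terminating proxies in front of the app
    // (constructed sample values, replace with your own).
    private static readonly HashSet<string> TrustedProxies =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "10.0.0.10", "10.0.0.11" };

    // Hypothetical helper. Register it before UseCookieAuthentication and
    // UseFacebookAuthentication so redirect_uri is built from the corrected scheme.
    public static IAppBuilder UseForwardedScheme(this IAppBuilder app)
    {
        return app.Use((IOwinContext context, Func<Task> next) =>
        {
            // Only a request whose TCP peer is one of our proxies may change the scheme.
            if (TrustedProxies.Contains(context.Request.RemoteIpAddress ?? string.Empty))
            {
                string proto = LastValue(context.Request.Headers.Get("X-Forwarded-Proto"));
                if (string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase))
                {
                    context.Request.Scheme = "https";
                }
            }
            return next();
        });
    }

    // If the header carries a list ("http, https"), the last entry is the one
    // written by the nearest proxy, which is the only hop trusted here.
    private static string LastValue(string header)
    {
        if (string.IsNullOrWhiteSpace(header)) return null;
        int comma = header.LastIndexOf(',');
        return (comma >= 0 ? header.Substring(comma + 1) : header).Trim();
    }
}
```

Requests that arrive from any other address keep the scheme the server observed, so a forged header cannot change the generated `redirect_uri`.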
