
Can't get Facebook Strict Mode to work


I’ve got the following message in my Facebook Dev console: [screenshot taken 2018-01-15]

According to the information here https://developers.facebook.com/docs/facebook-login/security/#strict_mode strict mode is based on the exact redirect URL match. Unfortunately, I don’t think social-app-django uses this approach by default, because I can see several dynamic parameters in redirect URLs when I’m signing in with FacebookOAuth2 backend. Is anybody else experiencing the same problem?

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 18

Top GitHub Comments

4 reactions
zxwild commented, Mar 14, 2018

Facebook wrote in the documentation:

For apps with dynamic redirect URIs, use the state parameter to pass back the dynamic information to a limited number of redirect URIs. Then add each of the limited redirect URIs to the Valid OAuth redirect URIs list. https://developers.facebook.com/docs/facebook-login/security/#strict_mode

In class FacebookOAuth2(BaseOAuth2) (version 1.5) we have an unset REDIRECT_STATE attribute, which is overridden as True, which causes a redirect_state parameter in the Facebook complete URL.

1.7 is updated and now the parameter is set by default: REDIRECT_STATE = False

Actually, it’s required to have a feature to rename this attribute in settings, like: SOCIAL_AUTH_FACEBOOK_REDIRECT_STATE_FIELD = 'state'

In my case the allowed URL was https://<domain>/complete/facebook/ without additional parameters.

Overall, you can implement a custom FacebookOAuth2 with only REDIRECT_STATE = False as @merutak mentioned (for old versions).

Or update to the latest version. Other possible errors: missing web server HTTPS config + Django configuration; in this case the redirect URL will be composed with http, which will not pass the check.

nginx: proxy_set_header X-Forwarded-Proto $scheme;

Django settings: SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

4 reactions
rzinurov commented, Feb 9, 2018

Here is how I set up Facebook auth in my settings file:

AUTHENTICATION_BACKENDS = (
    ...
    'social_core.backends.facebook.FacebookOAuth2',
    ...
)

SOCIAL_AUTH_FACEBOOK_KEY = '<key>'
SOCIAL_AUTH_FACEBOOK_SECRET = '<secret>'
SOCIAL_AUTH_FACEBOOK_SCOPE = ['email']
SOCIAL_AUTH_FACEBOOK_PROFILE_EXTRA_PARAMS = {
    'fields': 'id,name,email',
}
SOCIAL_AUTH_FACEBOOK_API_VERSION = '2.11'

SOCIAL_AUTH_LOGIN_REDIRECT_URL = '/'
SOCIAL_AUTH_LOGIN_ERROR_URL = '/'
SOCIAL_AUTH_BACKEND_ERROR_URL = '/'
Facebook login URL: https://<domain>/login/facebook/?next=/
which redirects you to https://www.facebook.com/v2.11/dialog/oauth?scope=email&state=<state>&redirect_uri=https://<domain>/complete/facebook/&client_id=<client_id>&return_scopes=true
which redirects you to https://<domain>/complete/facebook/?granted_scopes=email%2Cpublic_profile&denied_scopes&code=<code>&state=<state>

Valid OAuth redirect URI in Facebook dev console app settings:

https://<domain>/complete/facebook/&client_id=<client_id>&return_scopes=true

The URL in Facebook dev console must match redirect_uri parameter of the https://www.facebook.com/v2.11/dialog/oauth... URL.
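A small self-check for the exact-match rule both comments rely on (added here; not code from the thread or from social-auth, and example.com plus the STATE, CLIENT_ID and RS values are constructed): it pulls redirect_uri out of a dialog/oauth URL and reports why strict mode would reject it, covering the old redirect_state case and the http-behind-proxy case.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed allow list; example.com stands in for <domain> on the page.
ALLOWED_REDIRECT_URIS = ["https://example.com/complete/facebook/"]

DIALOG = "https://www.facebook.com/v2.11/dialog/oauth?scope=email&state=STATE"
TAIL = "&client_id=CLIENT_ID&return_scopes=true"

# social-auth 1.7 (REDIRECT_STATE = False): bare complete URL
AUTH_URL_OK = DIALOG + "&redirect_uri=" + quote(
    "https://example.com/complete/facebook/", safe="") + TAIL
# social-auth 1.5 (REDIRECT_STATE = True): redirect_state rides inside redirect_uri
AUTH_URL_REDIRECT_STATE = DIALOG + "&redirect_uri=" + quote(
    "https://example.com/complete/facebook/?redirect_state=RS", safe="") + TAIL
# Django behind a proxy without SECURE_PROXY_SSL_HEADER builds an http:// URL
AUTH_URL_HTTP = DIALOG + "&redirect_uri=" + quote(
    "http://example.com/complete/facebook/", safe="") + TAIL


def redirect_uri_from_auth_url(auth_url):
    """Return the decoded redirect_uri parameter of an authorization URL, or None."""
    values = parse_qs(urlsplit(auth_url).query).get("redirect_uri", [])
    return values[0] if values else None


def strict_mode_reject_reason(redirect_uri, allowed=ALLOWED_REDIRECT_URIS):
    """Mimic strict matching: accept only a character-for-character match.

    Returns None when the URI would be accepted, otherwise a short reason.
    """
    if redirect_uri is None:
        return "missing redirect_uri"
    if redirect_uri in allowed:
        return None
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https":
        return "scheme is %r, not https (check X-Forwarded-Proto handling)" % parts.scheme
    if parts.query:
        return "extra query parameters: %s" % parts.query
    return "no exact match in the allow list"


def audit(auth_url, allowed=ALLOWED_REDIRECT_URIS):
    """None if strict mode would accept this authorization URL, else why not."""
    return strict_mode_reject_reason(redirect_uri_from_auth_url(auth_url), allowed)


if __name__ == "__main__":
    for name, url in [("1.7", AUTH_URL_OK), ("1.5", AUTH_URL_REDIRECT_STATE),
                      ("http", AUTH_URL_HTTP)]:
        print("%-5s -> %s" % (name, audit(url) or "accepted"))
```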

