Initial setup:
My app uses the Facebook OAuth system and has 3 different environments: production, testing and development. I've already listed all 3 valid redirect URLs in the Facebook app's advanced settings (like people do here and here):
Valid OAuth redirect URIs:
http://myapp-pro.herokuapp.com,
http://myapp-tst.herokuapp.com,
http://myapp-dev.herokuapp.com
Additionally, in basic settings the app has:
App domains: myapp-pro.herokuapp.com
Site URL: http://myapp-pro.herokuapp.com
What happens so far:
When using the production environment, everything's OK.
When on testing or development (both are not located in App domains or Site URL):
a. When the user logs in to my site and he's already logged in to Facebook, everything goes fine.
b. When the user logs in to my site but he isn't already logged in to Facebook, Facebook complains that:
Given URL is not allowed by the Application configuration: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
More details about the latter case:
The current URL in the browser at that moment is (not exactly; I've decoded the next and cancel_url parts for clarity):
https://www.facebook.com/login.php? skip_api_login=1& api_key=...& signed_next=1& next=https://www.facebook.com/v2.0/dialog/oauth? redirect_uri=http://myapp-dev.herokuapp.com? scope=public_profile& email& user_birthday& response_type=code& client_id=...& ret=login& cancel_url=http://myapp-dev.herokuapp.com? error=access_denied& error_code=200& error_description=Permissions+error& error_reason=user_denied#_=_& display=page
As you may have noticed, the redirect_uri and cancel_url domains are totally equal, and this value (http://myapp-dev.herokuapp.com) exists in the list of Valid OAuth redirect URIs.
If I manually change cancel_url here to the production domain, Facebook's error disappears.
If I manually remove the cancel_url parameter completely, the error vanishes as well.
If I just ignore the message, enter my credentials and press the login button, I am redirected to https://www.facebook.com/login.php?login_attempt=1 and nothing else happens.
Thoughts:
It seems like Facebook simply doesn't check that cancel_url exists in the list of Valid OAuth redirect URIs.
The manual hacks already mentioned are obviously not acceptable for a regular user, so I'm calling for other ideas.
Using different Facebook apps corresponding to different environments is also not a good idea ideologically, imho.
Workarounds:
- As @CBRoe mentioned in the comments: I tried to use an own top-level domain instead of herokuapp.com (used it as the App domains and Site URL value) and it worked. This does not solve the initial question, but is a good workaround.
It appears that Facebook app domains can be on a subdomain: Facebook doesn't check that it exists, it just looks at the top-level domain. This allows us to set up a fake subdomain and host our local dev environment on it.
This won't work if you or your client doesn't have a live top-level domain, though.
Edit your hosts file (/etc/hosts on Mac and /windows/system32/drivers/etc/hosts on Windows):
192.168.10.10 dev.theclientsdomain.com
Then put dev.theclientsdomain.com into the app domain.
Hope that helps.
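The thread turns on two separate rules: an exact-match allowlist (Valid OAuth redirect URIs) and the domain rule quoted in Facebook's error message (the URL must match the Site URL, or its host must be a subdomain of an App Domain). The following Python is an added illustrative checker, not Facebook's code and not from either post; it models those two rules on the question's constructed settings, applies them to both redirect_uri and cancel_url (the question reports that Facebook itself apparently skips cancel_url, so that part is a defender's assumption, not observed behaviour), and shows why a herokuapp.com sibling such as myapp-dev fails while the hosts-file workaround (dev.theclientsdomain.com under theclientsdomain.com) passes. The label-boundary check in is_subdomain_of is the detail a practitioner should copy: a naive endswith would accept evil-herokuapp.com as a subdomain of herokuapp.com.

```python
from urllib.parse import urlsplit

# Constructed configuration mirroring the question's Facebook app settings.
# Illustrative allowlist checker: it assumes the rules described on the page,
# not Facebook's actual implementation.
VALID_REDIRECT_URIS = {
    "http://myapp-pro.herokuapp.com",
    "http://myapp-tst.herokuapp.com",
    "http://myapp-dev.herokuapp.com",
}
SITE_URL = "http://myapp-pro.herokuapp.com"
APP_DOMAINS = {"myapp-pro.herokuapp.com"}


def _origin(url):
    """Return 'scheme://host[:port]' in lowercase, or None if the URL is unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port is not None:
        host = f"{host}:{port}"
    return f"{parts.scheme.lower()}://{host}"


def is_subdomain_of(host, domain):
    """True when host is domain itself or a label-boundary subdomain of it.
    'evil-herokuapp.com' is NOT a subdomain of 'herokuapp.com'."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def redirect_allowed(url, valid_uris=VALID_REDIRECT_URIS):
    """Exact-origin match against the registered redirect URIs."""
    origin = _origin(url)
    registered = {_origin(u) for u in valid_uris}
    return origin is not None and origin in registered


def domain_allowed(url, site_url=SITE_URL, app_domains=APP_DOMAINS):
    """The rule quoted in the error message: match the Site URL, or the host
    must be (a subdomain of) one of the App Domains."""
    origin = _origin(url)
    if origin is None:
        return False
    if origin == _origin(site_url):
        return True
    host = urlsplit(url).hostname
    return any(is_subdomain_of(host, d) for d in app_domains)


def check_login_params(redirect_uri, cancel_url, **config):
    """Validate both parameters with both rules; return a dict of failures
    (empty dict means the login dialog would be allowed under this model)."""
    valid_uris = config.get("valid_uris", VALID_REDIRECT_URIS)
    site_url = config.get("site_url", SITE_URL)
    app_domains = config.get("app_domains", APP_DOMAINS)
    failures = {}
    for name, value in (("redirect_uri", redirect_uri), ("cancel_url", cancel_url)):
        if not redirect_allowed(value, valid_uris):
            failures[name] = "not in Valid OAuth redirect URIs"
        elif not domain_allowed(value, site_url, app_domains):
            failures[name] = "not Site URL and not under an App Domain"
    return failures


if __name__ == "__main__":
    dev = "http://myapp-dev.herokuapp.com"
    print("dev env:", check_login_params(dev, dev))
    # Constructed settings for the hosts-file workaround from the answer.
    wk = "http://dev.theclientsdomain.com"
    print("workaround:", check_login_params(
        wk, wk, valid_uris={wk}, site_url="http://theclientsdomain.com",
        app_domains={"theclientsdomain.com"}))
```

Running the block prints the dev-environment failure for both parameters (on the allowlist, but under neither the Site URL nor an App Domain) and an empty failure dict for the workaround configuration, which is the behaviour the question and answer describe.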