Getting Facebook callback error even after enabling 'Embedded browser OAuth Login' and specifying the callback url


I have a Rails (4.2.0) application that uses Facebook login functionality. The main gems are devise (3.4.0) and omniauth-facebook (2.0.0). I have registered the application on Facebook and have been using its test app for development. The Facebook login functionality works in the development env.

When trying to use the Facebook login feature on the production server, I get the error "Given URL is not allowed by the Application configuration: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains."

The settings for the test app used in the dev env are as follows:

Settings:
  Basic:
    App Domains: 'localhost'
    Website:
      Site URL: 'http://localhost:3000'
  Advanced:
    OAuth Settings:
      Embedded browser OAuth Login: Yes
      Valid OAuth redirect URIs: "http://localhost:3000/users/auth/facebook/callback"

The settings for the registered app used in the production env are as follows:

Settings:
  Basic:
    App Domains: 'www.mysite.co'
    Website:
      Site URL: 'http://www.mysite.co'
  Advanced:
    OAuth Settings:
      Embedded browser OAuth Login: Yes
      Valid OAuth redirect URIs: "http://www.mysite.co/users/auth/facebook/callback"

I have specified the following in my secrets.yml

development:
  secret_key_base: some_secret_key 
  facebook:
    app_id: test_app_id
    app_secret: test_app_secret
production:
  secret_key_base: some_secret_key 
  facebook:
    app_id: registered_app_id
    app_secret: registered_app_secret

And have been using the creds from secrets.yml in the devise initialiser as

# ==> OmniAuth
# Add a new OmniAuth provider. Check the wiki for more information on setting
# up on your models and hooks.
# config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
require 'omniauth-facebook'
config.omniauth :facebook, Rails.application.secrets.facebook['app_id'], Rails.application.secrets.facebook['app_secret'], scope: ['user_photos', 'email', 'public_profile']

[Screenshots: basic settings and callback URL for the test app; basic settings and callback URL for the production app]

The actual domain name (blacked out) has no typos anywhere and is the same wherever it is used.

The contents of routes.rb related to omniauth are as follows:

$ cat config/routes.rb
Rails.application.routes.draw do
  root 'home#index'

  devise_for :users, controllers: { omniauth_callbacks: "users/omniauth_callbacks" }

  # routes related to other controllers
end

The routes are as below

$ bundle exec rake routes | grep user

new_user_session GET      /users/sign_in(.:format)                               devise/sessions#new
user_session POST     /users/sign_in(.:format)                               devise/sessions#create
destroy_user_session DELETE   /users/sign_out(.:format)                              devise/sessions#destroy
user_omniauth_authorize GET|POST /users/auth/:provider(.:format)                        users/omniauth_callbacks#passthru {:provider=>/facebook/}
user_omniauth_callback GET|POST /users/auth/:action/callback(.:format)                 users/omniauth_callbacks#:action

The only code related to omniauth in the entire app is as

$ cat app/controllers/users/omniauth_callbacks_controller.rb 

class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def facebook
    #You need to implement the method below in your model (e.g. app/models/user.rb)
    @user = User.from_omniauth(request.env["omniauth.auth"])
    if @user.persisted?
      sign_in_and_redirect @user, event: :authentication # this will throw if @user is not activated
      set_flash_message(:notice, :success, kind: "Facebook") if is_navigational_format?
    else
      session["devise.facebook_data"] = request.env["omniauth.auth"]
      redirect_to new_user_registration_url
    end
  end
end

There are 2 answers

Prasad Surase (BEST ANSWER)

Upon digging further into the problem, it was observed that the error didn't occur when 'www.example.com' was specified in the URL, and hence the callback worked. When 'example.com' was specified in the address bar and Facebook login was tried, the login crashed with the above error.

So, I fixed the above issue by making some changes to the settings for the Facebook app. I don't know if this is the right approach, but it worked out. Just making the change in point 2 didn't solve the problem.

Changes are:

1) Specified the 'App Domains' with 'example.com' and 'www.example.com'
2) Enabled 'Client OAuth Login' to 'Yes'
3) Specified 'Valid OAuth redirect URIs' with 'http://example.com/users/auth/facebook/callback' and 'http://www.example.com/users/auth/facebook/callback'
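As an added example (not code from the question, from omniauth-facebook, or from Facebook), here is a small Ruby model of the two checks the error message names, approximating the matching rules as the question and the accepted answer describe them: the callback host must be a registered App Domain or a subdomain of one, and the callback URL must exactly match a registered redirect URI. The class FacebookAppSettings and the helper check are names assumed for this illustration.

```ruby
require 'uri'

# Constructed approximation of the App Domains and Valid OAuth redirect URIs
# checks; it is an illustration of the matching rules, not Facebook's code.
class FacebookAppSettings
  attr_reader :app_domains, :redirect_uris

  def initialize(app_domains:, redirect_uris:)
    @app_domains = app_domains.map(&:downcase)
    @redirect_uris = redirect_uris.map { |u| URI.parse(u) }
  end

  # A host passes when it equals a registered App Domain or is a subdomain of one.
  def domain_allowed?(host)
    host = host.downcase
    app_domains.any? { |d| host == d || host.end_with?(".#{d}") }
  end

  # Redirect URIs are matched exactly on scheme, host, port and path; a bare
  # 'example.com' therefore never matches a URI registered for 'www.example.com'.
  def redirect_uri_allowed?(url)
    u = URI.parse(url)
    redirect_uris.any? do |r|
      r.scheme == u.scheme && r.host.downcase == u.host.downcase &&
        r.port == u.port && r.path == u.path
    end
  end

  def callback_allowed?(url)
    domain_allowed?(URI.parse(url).host) && redirect_uri_allowed?(url)
  end
end

# Settings as in the question: only the www host is registered.
BEFORE = FacebookAppSettings.new(
  app_domains: ['www.example.com'],
  redirect_uris: ['http://www.example.com/users/auth/facebook/callback']
)

# Settings after the accepted answer's changes: bare and www hosts registered.
AFTER = FacebookAppSettings.new(
  app_domains: ['example.com', 'www.example.com'],
  redirect_uris: ['http://example.com/users/auth/facebook/callback',
                  'http://www.example.com/users/auth/facebook/callback']
)

# Builds the callback URL Devise/omniauth route for the given host and checks it.
def check(settings, host)
  settings.callback_allowed?("http://#{host}/users/auth/facebook/callback")
end

puts check(BEFORE, 'www.example.com') # true
puts check(BEFORE, 'example.com')     # false: the error from the question
puts check(AFTER, 'example.com')      # true
puts check(AFTER, 'app.example.com')  # false: subdomain passes, but no exact redirect URI
```

The last case shows why both lists matter: a subdomain satisfies App Domains, but the exact redirect-URI match still rejects it, which is the control that keeps authorization codes from being delivered to an unregistered callback.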

Ben T

Ok, so I assume that you have a web app NOT running on Facebook that simply uses the Facebook OAuth flow for login functionality, correct? If so, you must enable "Client OAuth Login" in your application settings for the production environment. If you don't, then the web OAuth flow will not work. See this article: https://developers.facebook.com/docs/facebook-login/security