
I have a Rails (4.2.0) application that uses Facebook login functionality. The main gems are devise (3.4.0) and omniauth-facebook (2.0.0). I have registered the application on Facebook and have been using its test app for development. The Facebook login functionality works in the development env.

When trying to use the Facebook login feature on the production server, I get the error "Given URL is not allowed by the Application configuration: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains."

The settings for the test app used in the dev env are as follows:

Settings:
  Basic:
    App Domains: 'localhost'
    Website:
      Site URL: 'http://localhost:3000'
  Advanced:
    OAuth Settings:
      Embedded browser OAuth Login: Yes
      Valid OAuth redirect URIs: "http://localhost:3000/users/auth/facebook/callback"

The settings for the registered app used in the production env are as follows:

Settings:
  Basic:
    App Domains: 'www.mysite.co'
    Website:
      Site URL: 'http://www.mysite.co'
  Advanced:
    OAuth Settings:
      Embedded browser OAuth Login: Yes
      Valid OAuth redirect URIs: "http://www.mysite.co/users/auth/facebook/callback"

I have specified the following in my secrets.yml:

development:
  secret_key_base: some_secret_key 
  facebook:
    app_id: test_app_id
    app_secret: test_app_secret
production:
  secret_key_base: some_secret_key 
  facebook:
    app_id: registered_app_id
    app_secret: registered_app_secret

And I have been using the credentials from secrets.yml in the Devise initializer as follows:

# ==> OmniAuth
# Add a new OmniAuth provider. Check the wiki for more information on setting
# up on your models and hooks.
# config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
require 'omniauth-facebook'
config.omniauth :facebook, Rails.application.secrets.facebook['app_id'], Rails.application.secrets.facebook['app_secret'], scope: ['user_photos', 'email', 'public_profile']

[Screenshots: basic settings and callback URL for the test app; basic settings and callback URL for the registered app]

The actual domain name (blacked out) has no typos anywhere and is the same wherever it is used.

The contents of routes.rb related to omniauth are as follows:

$ cat config/routes.rb
Rails.application.routes.draw do
  root 'home#index'

  devise_for :users, controllers: { omniauth_callbacks: "users/omniauth_callbacks" }

  # routes related to other controllers
end

The routes are as below:

bundle exec rake routes | grep user

new_user_session GET      /users/sign_in(.:format)                               devise/sessions#new
user_session POST     /users/sign_in(.:format)                               devise/sessions#create
destroy_user_session DELETE   /users/sign_out(.:format)                              devise/sessions#destroy
user_omniauth_authorize GET|POST /users/auth/:provider(.:format)                        users/omniauth_callbacks#passthru {:provider=>/facebook/}
user_omniauth_callback GET|POST /users/auth/:action/callback(.:format)                 users/omniauth_callbacks#:action

The only code related to omniauth in the entire app is as follows:

$ cat app/controllers/users/omniauth_callbacks_controller.rb 

class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def facebook
    # You need to implement the method below in your model (e.g. app/models/user.rb)
    @user = User.from_omniauth(request.env["omniauth.auth"])
    if @user.persisted?
      sign_in_and_redirect @user, event: :authentication # this will throw if @user is not activated
      set_flash_message(:notice, :success, kind: "Facebook") if is_navigational_format?
    else
      session["devise.facebook_data"] = request.env["omniauth.auth"]
      redirect_to new_user_registration_url
    end
  end
end

Prasad Surase
  • _“It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains”_ – and what do you have those value set to? – CBroe Jun 24 '15 at 17:48
  • I have specified most of the details for the 'Settings' and for the 'Basic' & 'Advanced' tab for Facebook in the question – Prasad Surase Jun 25 '15 at 05:21
  • What does your `routes.rb` look like? – fylooi Jun 25 '15 at 06:37
  • @fylooi updated the question. – Prasad Surase Jun 25 '15 at 06:50
  • What happens when you load `/users/auth/facebook/callback` in production and development? (log out first in dev). – fylooi Jun 25 '15 at 06:58
  • @fylooi Started GET "/users/auth/facebook/callback" for ::1 at 2015-06-25 12:30:54 +0530 I, [2015-06-25T12:30:54.157202 #6090] INFO -- omniauth: (facebook) Callback phase initiated. E, [2015-06-25T12:30:54.158032 #6090] ERROR -- omniauth: (facebook) Authentication failure! no_authorization_code: OmniAuth::Strategies::Facebook::NoAuthorizationCodeError, must pass either a `code` (via URL or by an `fbsr_XXX` signed request cookie) Processing by Users::OmniauthCallbacksController#failure as HTML Redirected to http://localhost:3000/users/sign_in Completed 302 Found in 3ms – Prasad Surase Jun 25 '15 at 07:03
  • This is production or development? – fylooi Jun 25 '15 at 07:06
  • if the fb login button is clicked then I get, Started GET "/users/auth/facebook/callback?code=some-random-code&state=some-random-alphanumeric" for ::1 at 2015-06-25 12:33:54 +0530 I, [2015-06-25T12:33:54.048875 #6090] INFO -- omniauth: (facebook) Callback phase initiated. Processing by Users::OmniauthCallbacksController#facebook as HTML – Prasad Surase Jun 25 '15 at 07:06
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/81491/discussion-between-prasad-surase-and-fylooi). – Prasad Surase Jun 25 '15 at 07:07
  • Make sure your fb app is live. – Ankit Kalia Jun 28 '15 at 19:18
  • @prasad.surase I have a similar problem with my rails app. I have the same settings (with localhost) as you mentioned, but when I initiate the oauth process from my app, facebook always tells me "_This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings. Make sure Client and Web OAuth Login are on and add all your app domains as Valid OAuth Redirect URIs._" How did you get there? – Karsten S. May 26 '16 at 19:01
  • @KarstenS. the problem would be with the redirect URL specified in the FB settings. If your app works with and without 'www', then you need to specify both URLs in the settings. Check my answer below and give it a try. – Prasad Surase May 29 '16 at 09:21

2 Answers

Upon digging further into the problem, it was observed that the error didn't occur when 'www.example.com' was specified in the URL and hence the callback worked. When 'example.com' was specified in the address bar and Facebook login was tried, the login crashed with the above error.

So, I fixed the above issue by making some changes to the settings for the Facebook app. I don't know if this is the right approach, but it worked out. Just making the change in point 2 didn't solve the problem.

Changes are:

1) Specified the 'App Domains' with 'example.com' and 'www.example.com'
2) Enabled 'Client OAuth Login' to 'Yes'
3) Specified 'Valid OAuth redirect URIs' with 'http://example.com/users/auth/facebook/callback' and 'http://www.example.com/users/auth/facebook/callback'

Prasad Surase
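As an added illustration of why the fix in this answer works (example code written for this page; it is not part of the answer, of Devise, or of OmniAuth, and the helper names and the registered-URI list are assumptions), the snippet below mimics the exact-match check an OAuth provider applies to `redirect_uri`. OmniAuth derives the callback URL from the incoming request's scheme and host, so the same app sends `http://example.com/...` when reached at the apex domain and `http://www.example.com/...` when reached at `www`; only the one that is registered passes.

```ruby
require 'uri'

# Constructed example: the redirect URIs registered under
# "Valid OAuth redirect URIs" after the fix described in the answer.
REGISTERED_REDIRECT_URIS = [
  'http://example.com/users/auth/facebook/callback',
  'http://www.example.com/users/auth/facebook/callback'
].freeze

# Assumed helper (not an OmniAuth API): builds the callback URL that the
# Devise/OmniAuth route /users/auth/:provider/callback produces for a
# request arriving with the given scheme and Host header.
def omniauth_callback_url(scheme:, host:, provider: 'facebook')
  "#{scheme}://#{host}/users/auth/#{provider}/callback"
end

# Exact-match check of the kind an OAuth provider performs on redirect_uri:
# scheme, host, port and path must all equal a registered entry. Prefix or
# substring matching is deliberately avoided, because it would accept hosts
# such as www.example.com.attacker-controlled.test; query strings and
# fragments are rejected outright.
def redirect_uri_allowed?(candidate, registered = REGISTERED_REDIRECT_URIS)
  cand = URI.parse(candidate)
  return false if cand.query || cand.fragment

  registered.any? do |entry|
    reg = URI.parse(entry)
    reg.scheme == cand.scheme &&
      reg.host.downcase == cand.host.to_s.downcase &&
      reg.port == cand.port &&
      reg.path == cand.path
  end
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  # The asker's failure mode: only the www entry registered, apex host used.
  www_only = ['http://www.example.com/users/auth/facebook/callback']
  apex = omniauth_callback_url(scheme: 'http', host: 'example.com')
  puts "apex vs www-only allowlist: #{redirect_uri_allowed?(apex, www_only)}"   # false
  puts "apex vs fixed allowlist:    #{redirect_uri_allowed?(apex)}"             # true
end
```

The defensive takeaway is that the provider compares the whole URI, so either every host the app answers on is registered (the approach in this answer) or the app canonicalises to a single host with a redirect before the OAuth flow starts. Prefix-style matching on the provider side would be a weaker rule, which is why the mismatch surfaces as a hard error rather than a silent pass.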

Ok, so I assume that you have a web app NOT running on Facebook that simply uses the Facebook OAuth flow for login functionality, correct? If so, you must enable "Client OAuth Login" in your application settings for the production environment. If you don't, then the web OAuth flow will not work. See this article: https://developers.facebook.com/docs/facebook-login/security

Ben T