XF 1.5 Facebook: Strict Redirect URI Matching

[rdn]

In 90 days, we're making a security update to Facebook Login that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field of your Facebook Login settings.

This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Take action now to ensure your redirect traffic continues to work. Learn More

https://developers.facebook.com/docs/facebook-login/security/#strict_mode

What is the correct "Valid OAuth redirect URIs" for XenForo to work fine?

 

[Mike]

As it stands, we don't support strict OAuth in XF1 as it has variable URLs. It would likely not be resolvable without an update to change the code to account for this.

XF2 supports this out of the box and the necessary URL is listed in the manual: https://xenforo.com/xf2-docs/manual/facebook/

 

[Pierce]

So.... update to xf2 to keep facebook?

 

[Mike]

This is just a warning from Facebook that the change is coming. You don't need to take any action today.

 

[PaulB]

And when the change does come? There's no way we can update to 2.x in time.

 

[Mike]

Any change for this would need to come with the next 1.5 release. It you don't want to allow associating a Facebook account after registration, you can likely enter the URLs that are for your specific site now (which vary based on friendly URLs and/or route filters); association currently has a dynamic parameter in the return URL.

 

[Sal Collaziano]

I received the message as well:

In March, we're making a security update to your app settings that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field below.This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Learn More
Here are 1 out of the 1 of your URIs that will be invalidated by this change.

• https://mydomain.whatever/register/facebook

Just staying tuned here as I imagine other people will search and find this topic to add input...

 

[Breixo]

In March

Same here, will check next March...

 

[skicomau]

What is the correct "Valid OAuth redirect URIs" for XenForo to work fine?

enter both

mydomain.com/xenforo/register/facebook
&
mydomain.com/xenforo/admin.php?tools%2Ftest-facebook


Use the Redirect URI Validator to check before saving.

 

[skicomau]

Can confirm the above settings work

 

[Sal Collaziano]

Thank you. What goes in the "Redirect URI Validator" area? Do I need to find that oauth.php file in my XenForo installation?

https://example.com/oauth.php

 

[ibnesayeed]

It would likely not be resolvable without an update to change the code to account for this.

Were any changes in this regard made in the 1.5.17 release? Facebook is sending out those warning messages every now and then. Today I got an email that says 35 more days left.

 

[DeltaHF]

enter both

mydomain.com/xenforo/register/facebook
&
mydomain.com/xenforo/admin.php?tools%2Ftest-facebook


Use the Redirect URI Validator to check before saving.

Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."



And yes, I do have my domain name in the "App Domains" field of my FB App Settings.

 

[Sal Collaziano]

Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."

View attachment 168380

And yes, I do have my domain name in the "App Domains" field of my FB App Settings.

What are you entering into that field as opposed to https://example.com/oauth.php

 

[DeltaHF]

What are you entering into that field as opposed to https://example.com/oauth.php

I'm entering the same URIs I put into the "Valid OAuth Redirect URIs" field:

mydomain.com/xenforo/register/facebook
mydomain.com/xenforo/admin.php?tools%2Ftest-facebook

 

[Chris D]

Were any changes in this regard made in the 1.5.17 release? Facebook is sending out those warning messages every now and then. Today I got an email that says 35 more days left.

This was the only change we needed to make AFAIK:

Drop the use of 'assoc' from Twitter and Facebook redirects

 

[Sal Collaziano]

Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."

View attachment 168380

And yes, I do have my domain name in the "App Domains" field of my FB App Settings.

Okay, yes, I'm getting this same error message as well. Is there a subdomain that needs to be added, possibly?

 

[DeltaHF]

Okay, yes, I'm getting this same error message as well. Is there a subdomain that needs to be added, possibly?

I actually added the full URI path (with https://) to the Valid OAuth redirect fields I used (I just copy/pasted the URLs from above for my post here). In my App's Domain settings, I entered both the plain domain "mydomain.com" and "www.mydomain.com", but the error message persists.

 

[Sal Collaziano]

I actually added the full URI path (with https://) to the Valid OAuth redirect fields I used (I just copy/pasted the URLs from above for my post here). In my App's Domain settings, I entered both the plain domain "mydomain.com" and "www.mydomain.com", but the error message persists.

I tried the same but it just diverts back to the plain old domain name with .com at Facebook...

 

[DeltaHF]

I tried the same but it just diverts back to the plain old domain name with .com at Facebook...

Yep, me too.