XF 1.5 Facebook: Strict Redirect URI Matching

rdn

Well-known member
#1
In 90 days, we're making a security update to Facebook Login that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field of your Facebook Login settings.

This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Take action now to ensure your redirect traffic continues to work. Learn More
https://developers.facebook.com/docs/facebook-login/security/#strict_mode

What is the correct "Valid OAuth redirect URIs" for XenForo to work fine?
 

Mike

XenForo developer
Staff member
#4
This is just a warning from Facebook that the change is coming. You don't need to take any action today.
 

Mike

XenForo developer
Staff member
#6
Any change for this would need to come with the next 1.5 release. If you don't want to allow associating a Facebook account after registration, you can likely enter the URLs that are for your specific site now (which vary based on friendly URLs and/or route filters); association currently has a dynamic parameter in the return URL.
 
#7
I received the message as well:

In March, we're making a security update to your app settings that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field below. This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Learn More
Here are 1 out of the 1 of your URIs that will be invalidated by this change.

Just staying tuned here as I imagine other people will search and find this topic to add input...
 

DeltaHF

Well-known member
#13
enter both

mydomain.com/xenforo/register/facebook
&
mydomain.com/xenforo/admin.php?tools%2Ftest-facebook


Use the Redirect URI Validator to check before saving.


Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."

And yes, I do have my domain name in the "App Domains" field of my FB App Settings.
 
#14
Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."

And yes, I do have my domain name in the "App Domains" field of my FB App Settings.
What are you entering into that field as opposed to https://example.com/oauth.php
 
#17
Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."

And yes, I do have my domain name in the "App Domains" field of my FB App Settings.
Okay, yes, I'm getting this same error message as well. Is there a subdomain that needs to be added, possibly?
 

DeltaHF

Well-known member
#18
Okay, yes, I'm getting this same error message as well. Is there a subdomain that needs to be added, possibly?
I actually added the full URI path (with https://) to the Valid OAuth redirect fields I used (I just copy/pasted the URLs from above for my post here). In my App's Domain settings, I entered both the plain domain "mydomain.com" and "www.mydomain.com", but the error message persists.
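
Added example, not part of any post in this thread and not XenForo or Facebook code: a small checker that models strict mode as an exact string comparison against the allowlist (an assumption; the linked Facebook documentation is authoritative) and reports which URI component causes a mismatch. The domain and paths are the thread's placeholders, and the `assoc` query parameter is a hypothetical stand-in for the dynamic parameter mentioned in post #6.

```python
from urllib.parse import urlsplit

# Constructed allowlist using the thread's placeholder domain and paths,
# written the way the "Valid OAuth redirect URIs" field would hold them.
REGISTERED = [
    "https://mydomain.com/xenforo/register/facebook",
    "https://mydomain.com/xenforo/admin.php?tools%2Ftest-facebook",
]
PARTS = ("scheme", "netloc", "path", "query", "fragment")


def lint_entry(uri):
    """Problems that make an allowlist entry unusable as an absolute URI."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.netloc:
        problems.append("no host component")
    if parts.fragment:
        problems.append("fragment present")
    return problems


def explain_mismatch(redirect_uri, registered=REGISTERED):
    """[] if redirect_uri equals a registered entry exactly (assumed strict
    rule); otherwise the URI components that differ from the closest entry."""
    if redirect_uri in registered:
        return []
    got = urlsplit(redirect_uri)
    closest = None
    for entry in registered:
        want = urlsplit(entry)
        diffs = [p for p in PARTS if getattr(got, p) != getattr(want, p)]
        if closest is None or len(diffs) < len(closest):
            closest = diffs
    # Components can parse equal while the raw strings differ (e.g. letter case).
    return closest or ["raw string"]


if __name__ == "__main__":
    base = "https://mydomain.com/xenforo/register/facebook"
    for uri in (base, base + "?assoc=42",  # "assoc" is a hypothetical parameter
                "https://www.mydomain.com/xenforo/register/facebook",
                "mydomain.com/xenforo/register/facebook"):
        print(uri, "->", explain_mismatch(uri) or "exact match")
    print(lint_entry("mydomain.com/xenforo/register/facebook"))
```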
 