XF 1.5 Facebook: Strict Redirect URI Matching

rdn

Well-known member
In 90 days, we're making a security update to Facebook Login that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field of your Facebook Login settings.

This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Take action now to ensure your redirect traffic continues to work. Learn More
https://developers.facebook.com/docs/facebook-login/security/#strict_mode

What is the correct "Valid OAuth redirect URIs" for XenForo to work fine?
 

Mike

XenForo developer
Staff member
As it stands, we don't support strict OAuth in XF1 as it has variable URLs. It would likely not be resolvable without an update to change the code to account for this.

XF2 supports this out of the box and the necessary URL is listed in the manual: https://xenforo.com/xf2-docs/manual/facebook/
 

Mike

XenForo developer
Staff member
This is just a warning from Facebook that the change is coming. You don't need to take any action today.
 

Mike

XenForo developer
Staff member
Any change for this would need to come with the next 1.5 release. If you don't want to allow associating a Facebook account after registration, you can likely enter the URLs that are for your specific site now (which vary based on friendly URLs and/or route filters); association currently has a dynamic parameter in the return URL.
 

Sal Collaziano

Active member
I received the message as well:

In March, we're making a security update to your app settings that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field below. This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Learn More
Here are 1 out of the 1 of your URIs that will be invalidated by this change.

Just staying tuned here as I imagine other people will search and find this topic to add input...
 

DeltaHF

Well-known member
enter both

mydomain.com/xenforo/register/facebook
&
mydomain.com/xenforo/admin.php?tools%2Ftest-facebook


Use the Redirect URI Validator to check before saving.


Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."


And yes, I do have my domain name in the "App Domains" field of my FB App Settings.
 

Sal Collaziano

Active member
Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."


And yes, I do have my domain name in the "App Domains" field of my FB App Settings.
What are you entering into that field as opposed to https://example.com/oauth.php?
 

Chris D

XenForo developer
Staff member
Were any changes in this regard made in the 1.5.17 release? Facebook is sending out those warning messages every now and then. Today I got an email that says 35 more days left.
This was the only change we needed to make AFAIK:

Drop the use of 'assoc' from Twitter and Facebook redirects
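An added example (my own code, not XenForo's or Facebook's) modelling the check behind Mike's note about the dynamic parameter and Chris D's "drop the use of 'assoc'" change: under strict mode the callback URI must equal a registered entry exactly, so a return URL carrying an extra query parameter can never match. The domain example.com and the loose matcher used for contrast are assumptions for illustration, not Facebook's actual rules.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-list standing in for the "Valid OAuth redirect URIs"
# field; example.com is an assumed domain, the paths are the XF1 ones
# quoted in this thread.
REGISTERED = [
    "https://example.com/xenforo/register/facebook",
    "https://example.com/xenforo/admin.php?tools%2Ftest-facebook",
]

def _normalize(uri):
    """Reduce a URI to the components that must agree exactly.

    Scheme and host are case-insensitive (RFC 3986); path and query are
    not. The query is compared as decoded, sorted (key, value) pairs so
    percent-encoding or parameter order alone cannot cause a mismatch.
    """
    parts = urlsplit(uri)
    return (
        parts.scheme.lower(),
        parts.netloc.lower(),
        parts.path or "/",
        tuple(sorted(parse_qsl(parts.query, keep_blank_values=True))),
    )

def strict_match(candidate, registered=REGISTERED):
    """Strict mode: the callback must equal one registered URI exactly,
    so a return URL carrying a dynamic parameter is never accepted."""
    target = _normalize(candidate)
    return any(_normalize(r) == target for r in registered)

def loose_match(candidate, registered=REGISTERED):
    """Contrast case (a simplification, not Facebook's exact old rules):
    same scheme and host, registered path as a prefix, any query."""
    cand = urlsplit(candidate)
    for r in registered:
        reg = urlsplit(r)
        same_origin = (cand.scheme.lower(), cand.netloc.lower()) == (
            reg.scheme.lower(), reg.netloc.lower())
        if same_origin and cand.path.startswith(reg.path):
            return True
    return False

def rejected_under_strict_mode(candidates, registered=REGISTERED):
    """Callbacks that pass the loose check but fail strict mode: the
    entries an admin must fix (or the code must stop generating)."""
    return [c for c in candidates
            if loose_match(c, registered) and not strict_match(c, registered)]
```

Note that an entry typed without the scheme (as in the post above) never matches a full https:// callback, which is why the scheme must be included in the field.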
 

Sal Collaziano

Active member
Although the Redirect URI Validator says both of the URIs I entered are valid, if I run the Facebook Integration test from the Admin CP I'm shown the following warning.

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."


And yes, I do have my domain name in the "App Domains" field of my FB App Settings.
Okay, yes, I'm getting this same error message as well. Is there a subdomain that needs to be added, possibly?
 

DeltaHF

Well-known member
Okay, yes, I'm getting this same error message as well. Is there a subdomain that needs to be added, possibly?
I actually added the full URI path (with https://) to the Valid OAuth redirect fields I used (I just copy/pasted the URLs from above for my post here). In my App's Domain settings, I entered both the plain domain "mydomain.com" and "www.mydomain.com", but the error message persists.
 

Sal Collaziano

Active member
I actually added the full URI path (with https://) to the Valid OAuth redirect fields I used (I just copy/pasted the URLs from above for my post here). In my App's Domain settings, I entered both the plain domain "mydomain.com" and "www.mydomain.com", but the error message persists.
I tried the same but it just diverts back to the plain old domain name with .com at Facebook...
 