XF 1.5 Facebook: Strict Redirect URI Matching

rdn

In 90 days, we're making a security update to Facebook Login that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field of your Facebook Login settings.

This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Take action now to ensure your redirect traffic continues to work. Learn More
https://developers.facebook.com/docs/facebook-login/security/#strict_mode

What is the correct "Valid OAuth redirect URIs" for XenForo to work fine?
 
At any rate, it seems Facebook is actually still connecting properly for my forum. So maybe the error message has something to do with communication between the administration control panel and Facebook - but not the rest of the forum. While that seems unlikely - somehow it's working...
 
As the warnings from Facebook state, they will now be doing strict redirect URL validation, so that they will only return a user back to a specific whitelisted URL as a result of using their oAuth stuff. This has been optional for a while but they're now making it mandatory. The "assoc" parameter was used to indicate that we were starting an association and we've made it so it no longer uses that query string parameter to make the strict validation work as expected.

The changes you need to make are the ones that Facebook are warning about, and what I touched on above. You need to ensure you add your approved redirect URLs - the page that you are redirected to on your site after authing with Facebook. If you switch on the strict validation in your Facebook developer app, add your redirect URL and the Facebook registration/login still works, no further action is required and you're prepared for when Facebook make it mandatory, in March.
 
Everything seems to "check out" and be working at Facebook when I set things up. However, when I test the connection in the XenForo admin cp, I get the following message:

"Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings."

Which URL is it unable to load?
 
Thanks @Chris D, this is certainly helpful, but I have one more question. Does XF expect FB to redirect users back to a specific callback URL after authentication, or is it up to admins to decide where they would like their users to land after authentication is done? Ideally, we would like the user to eventually land on the page which actually triggered the login action, but that does not seem to be the case due to the strict redirect policy (as per my understanding). Also, what does it mean to have more than one redirect location and how will it function?

Let me put it this way, suppose we run an XF installation at https://example.com/forums/ with pretty URLs enabled. What would be some entries in FB's whitelisted redirect URLs field?
 
No, that's not how it works. This redirection is the URL the user must be redirected to, with the necessary response from Facebook, so we can then process that and do the association. You can't pick what the redirect URL is, we instruct Facebook where to redirect to. It's just that with the strict mode, that redirect will only work if it's one of the approved redirect URLs. It's /index.php?register/facebook or /register/facebook for XF1 (prefixed with your board URL). For XF2 it's just /connected_account.php (prefixed with your board URL).
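The two replies above describe what strict mode changes: Facebook now compares the redirect_uri it receives against the registered list exactly, so a callback that used to carry an extra "assoc" query parameter no longer matches, which is why XenForo dropped it. The following Python is an added illustration of that comparison and is not Facebook's or XenForo's code; the whitelist entries are constructed from the URLs named in the thread, and the "lax" prefix check is an assumed model of the pre-strict behaviour, included only to show what exact matching rules out.

```python
from urllib.parse import urlsplit

# Constructed whitelist modelled on the thread's XF1 redirect URL and the admin test tool.
# These are placeholders, not the registration of any real app.
VALID_REDIRECT_URIS = [
    "https://mydomain.com/xenforo/register/facebook",
    "https://mydomain.com/xenforo/admin.php?tools%2Ftest-facebook",
]


def normalise(uri: str) -> str:
    """Canonical form for comparison: lower-case scheme and host, drop the fragment,
    drop an explicit default port, keep path and query byte-for-byte.
    Nothing else is loosened: a different scheme or an extra query parameter
    still yields a different string."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    port = parts.port
    if port and not ((scheme == "https" and port == 443) or (scheme == "http" and port == 80)):
        host = f"{host}:{port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{path}{query}"


def strict_match(redirect_uri: str, whitelist=VALID_REDIRECT_URIS) -> bool:
    """Strict mode: redirect_uri must equal a registered URI after normalisation.
    The old ?assoc=1 suffix makes it a different URI and is therefore rejected."""
    target = normalise(redirect_uri)
    return any(target == normalise(entry) for entry in whitelist)


def lax_match(redirect_uri: str, whitelist=VALID_REDIRECT_URIS) -> bool:
    """Assumed model of the pre-strict behaviour: accept anything that begins with a
    registered URI. Shown only to contrast with strict_match; not Facebook's algorithm."""
    target = normalise(redirect_uri)
    return any(target.startswith(normalise(entry)) for entry in whitelist)


def check(redirect_uri: str) -> dict:
    """Report both verdicts for one candidate redirect_uri."""
    return {"strict": strict_match(redirect_uri), "lax": lax_match(redirect_uri)}


if __name__ == "__main__":
    for candidate in (
        "https://mydomain.com/xenforo/register/facebook",
        "https://mydomain.com/xenforo/register/facebook?assoc=1",
        "http://mydomain.com/xenforo/register/facebook",
        "https://MyDomain.com:443/xenforo/register/facebook#fragment",
    ):
        print(candidate, check(candidate))
```

The point to take from the contrast is that a prefix check accepts any path or query string appended to a registered URI, so the token Facebook hands back could be delivered to a page the site owner never intended; exact matching is what closes that, at the cost of every legitimate variant (scheme, www versus bare host, query parameters) needing its own whitelist entry.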
 
You just have to enter the correct valid OAuth redirect URIs. There should be two if you want to include the test tool in there.

These settings should work and have worked for others:

enter both

mydomain.com/xenforo/register/facebook
&
mydomain.com/xenforo/admin.php?tools%2Ftest-facebook


Use the Redirect URI Validator to check before saving.


 
Yes that looks correct.

I noticed that your previous message with the error mentioned something about "app domains". That's set up on a different page so I'd look for that first and make sure the list of domains (if any) are correct.
 
Thank you. In "App Domains", I just have my site homepage, https://whatever.com (my XenForo homepage) - should it be set to a different URL within the XenForo system?
 
It just wants a domain as far as I know so it would be whatever.com rather than http://whatever.com or a full page URL.

That’s what it’s complaining about anyway. So if that all looks correct, I’ve really got no idea.

Is the board URL on your forum correct?
 
Yes, my url is set without the https:// at Facebook and the board url in the administration area is correct. I imagine this will become a busy topic eventually...
 
I'm using the same settings, with the same error message.

For my App Domains setting, I have "mydomain.com" and "www.mydomain.com" (although I enforce the use of the www subdomain for all requests to my site).

EDIT: And, for the record, signing in with Facebook still works on my site. It's just the "Test Facebook Integration" link that isn't working. I suspect it doesn't like something about the "auth redirect URL" that we're providing for the test page, though I don't know what other URI we could use. Maybe there's some kind of internal redirect that happens before the test page sends us off to Facebook?
 
I get the same error with the test function (login works fine) but the error is thrown even on the external account association option in the user profile..
It's definitely going to need to be addressed. The only reason there aren't 175,000 people talking about it right now is because hardly anyone has made the change yet. Lucky for them, we'll have all got this stuff figured out by the time they do...
 
Just chiming in that I'm having this problem as well on 1.5.17. App Domains are correct, Redirect URIs are correct. Hard to figure out what the problem is. For now I've just turned strict mode off, hopefully I can figure out what the problem is before strict mode is forced in March.
 
"Can't Load URL: The domain of this URL isn't included in the app's domains.

Facebook App Dashboard -> Settings -> Advanced.

ON this page..

1. Ensure 'Native or desktop app?' is off (No)

2. Add your server IP into the Server IP Whitelist. (Just good hygiene)

This is what the error above is actually referring to:
3. Add your domain to the Domain Manager section in the following format:
https://www.mydomain.com/xenforo/*

Set as Exact Match
Check both HTML & JavaScript and CSS

Notes:
Make sure you have http or https correct as per your server
Make sure you include your actual xenforo path if it is different from the default /xenforo/
Make sure you finish with wildcard /*
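The "Can't Load URL" error discussed from the App Domains question onward is a different check from redirect URI matching: it looks at the host of the URL, and the Domain Manager entry adds a scheme and path prefix with a trailing /* wildcard. The Python below is an added model of those two checks written to follow the thread's description (bare hostnames with subdomains allowed; exact scheme and host plus a path prefix for a /* pattern). It is not Facebook's implementation and the real rules may differ in detail; the function names and sample settings are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed settings following the thread's examples; not a real app's configuration.
APP_DOMAINS = ["mydomain.com", "www.mydomain.com"]
DOMAIN_MANAGER_PATTERNS = ["https://www.mydomain.com/xenforo/*"]


def host_in_app_domains(url: str, app_domains=APP_DOMAINS) -> bool:
    """App Domains holds bare hostnames. A URL passes when its host equals a listed
    domain or is a subdomain of one. Scheme and path play no part here, which is why
    'whatever.com' is the right entry rather than 'https://whatever.com'."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in app_domains:
        # Tolerate the mistake from the thread: an entry typed as a full URL.
        domain = (urlsplit(entry).hostname or "") if "://" in entry else entry
        domain = domain.lower().strip("/")
        if domain and (host == domain or host.endswith("." + domain)):
            return True
    return False


def matches_domain_pattern(url: str, pattern: str) -> bool:
    """Domain Manager entry (assumed semantics): scheme and host must match exactly;
    a trailing /* allows any path under that prefix, otherwise the path must be identical.
    Note the prefix keeps its slash, so '/xenforo' alone does not match '/xenforo/*'."""
    u, p = urlsplit(url), urlsplit(pattern)
    if u.scheme.lower() != p.scheme.lower():
        return False
    if (u.hostname or "").lower() != (p.hostname or "").lower():
        return False
    if p.path.endswith("/*"):
        return u.path.startswith(p.path[:-1])  # drop the star, keep the slash
    return u.path == p.path


def url_allowed(url: str, app_domains=APP_DOMAINS, patterns=DOMAIN_MANAGER_PATTERNS) -> bool:
    """A URL is loadable only if both checks pass."""
    return host_in_app_domains(url, app_domains) and any(
        matches_domain_pattern(url, p) for p in patterns
    )


if __name__ == "__main__":
    for candidate in (
        "https://www.mydomain.com/xenforo/register/facebook",
        "https://www.mydomain.com/xenforo/admin.php?tools%2Ftest-facebook",
        "https://mydomain.com/xenforo/register/facebook",   # host ok, pattern requires www
        "http://www.mydomain.com/xenforo/register/facebook", # scheme mismatch
    ):
        print(candidate, url_allowed(candidate))
```

Running it shows why the notes in the post above matter: the http/https choice and the exact XenForo path must match the server, and a site that serves on bare mydomain.com while the pattern names www.mydomain.com will fail the pattern check even though the host is in App Domains.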
 