XF 1.5 Facebook: Strict Redirect URI Matching

rdn

In 90 days, we're making a security update to Facebook Login that will invalidate calls from URIs not listed in the Valid OAuth redirect URIs field of your Facebook Login settings.

This update comes in response to malicious activity we saw on our platform, and we want to protect your app or website by requiring a new strict mode for redirect URIs. Take action now to ensure your redirect traffic continues to work. Learn More
https://developers.facebook.com/docs/facebook-login/security/#strict_mode

What is the correct "Valid OAuth redirect URIs" for XenForo to work fine?
 
Just chiming in that I'm having this problem as well on 1.5.17. App Domains are correct, Redirect URIs are correct. Hard to figure out what the problem is. For now I've just turned strict mode off, hopefully I can figure out what the problem is before strict mode is forced in March.

See my post above for what worked for me - Re App Domains and strict mode.
 
Actually

@Sal Collaziano @DeltaHF

You guys are right.

Mine has stopped working too this last week, with the same error. (I had Strict OAuth set up and working in Feb, but the March crackdown on strict OAuth redirects broke it again.)

So I did some investigating.

The error from Facebook is misleading. It is not incorrect domains in the App Domains field that are triggering the error - it is that Strict OAuth Redirect does not handle query strings.

I added an actual value of https://www.ski.com.au/xf/register/facebook?assoc=277 into the Valid OAuth redirect URIs and it worked (for just that single account).

So I did some more digging around and...

https://developers.facebook.com/docs/facebook-login/security#strict_mode

For apps with dynamic redirect URIs, use the state parameter to pass back the dynamic information to a limited number of redirect URIs. Then add each of the limited redirect URIs to the Valid OAuth redirect URIs list.

The key here is that a state parameter must be passed - this changes the redirect URI from:

..xenforo/register/facebook?assoc=277

to:

..xenforo/register/facebook?state="{assoc=277}"

or similar.


And.....


It turns out that @Mike @Brogan

FIXED this in 1.5.17 (I don't know about XenForo 2.x, but I suspect it got updated with the fix at the same time).

I upgraded from 1.5.16 to 1.5.17 and everything works again.
 
Nice detective work, @skicomau, but I am running 1.5.17, and have been since it released. :confused:

It's worth noting again that my Facebook authentication for users does work fine (just like your testing showed); it's just the Admin CP "Test Facebook Integration" showing the error.
 
Anyone willing to make a code edit to see if the issue can be resolved?

In the file library/XenForo/ControllerAdmin/Tools.php find:
PHP:
$fbRedirectUri = XenForo_Link::buildAdminLink('canonical:tools/test-facebook', false, array('x' => '?/&=', 'y' => 2));
And replace with:
PHP:
$fbRedirectUri = XenForo_Link::buildAdminLink('canonical:tools/test-facebook');
I'm currently unsure what the &x=?/&=&y=2 bit is for that we are adding to the end of the redirect URI there. I'm certain there was a reason for it, 7 years ago when we added it, but I'm not sure if it's relevant. I suspect it may resolve the Facebook testing issue.
 
Thank you, Chris! That did it! :)

Sal C.
 
Missed the replies until now, but this fixed it. Thanks!
 
As it stands, we don't support strict OAuth in XF1 as it has variable URLs. It would likely not be resolvable without an update to change the code to account for this.
Just to be clear, this means that in XF1 Facebook connect is and will remain broken, so we should disable it?
 
It would be good to get confirmation that it is effectively broken now so I can disable it. I'm unable to get it working at all anymore.

BTW you cannot turn off Strict mode for newly created apps now either. It is forced on for legacy and new Facebook apps.
 
I’m scared to touch anything with those warnings. I’ll have to do some testing to see which ones are relevant and actually require changes on our end.

We require HTTPS anyway (HSTS preloading), so it should be safe to turn that on. I thought strict mode was on, but I guess not. Oh well; time for more testing...

Looks like there’s also some GDPR stuff in there that I’ll need to implement.
 
Yes, that looks correct.

I noticed that your previous message with the error mentioned something about "app domains". That's set up on a different page, so I'd look for that first and make sure the list of domains (if any) is correct.

It's giving that error message during tests when strict mode is enabled because there are extra parameters in the query string. For example, when I click the Test button, here's the redirect_uri I get:
Code:
https://www.namepros.com/admin.php?tools/test-facebook&x=%3F%2F%26%3D&y=2

That's the same domain as login, which works; only the test is broken. I have this configured as a valid OAuth redirect URI:
Code:
https://www.namepros.com/admin.php?tools%2Ftest-facebook

Adding the following URI fixed the issue:
Code:
https://www.namepros.com/admin.php?tools/test-facebook&x=%3F%2F%26%3D&y=2

@Chris D, can you confirm that this is a bug?

Note that the error message from Facebook is wrong; it's giving that domain error message for any strict URI mismatch, not just a mismatched domain.
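Added illustration (not XenForo's code and not from any post in this thread, written in Python rather than PHP) of the two points made above: the state-parameter pattern the Facebook docs recommend for dynamic values like assoc=277, and a small model of strict matching that shows why a redirect_uri with extra query parameters (the ?assoc= case, or the admin test's &x=...&y=2) is rejected even when the domain is right. The hostname, key and parameter names are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders: a real deployment keeps the key in server config
# and registers its own domain in "Valid OAuth redirect URIs".
STATE_KEY = b"constructed-demo-key"
REGISTERED_REDIRECT = "https://www.example.com/xf/register/facebook"

def encode_state(dynamic, nonce):
    """Pack dynamic data (e.g. {'assoc': 277}) plus the per-session CSRF nonce
    into the state parameter, bound with an HMAC so the callback can reject
    tampered or forged values. The redirect_uri itself stays fixed."""
    raw = json.dumps({"n": nonce, "d": dynamic}, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    mac = hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def decode_state(state, expected_nonce):
    """Return the dynamic data, or None if the MAC or the session nonce is wrong."""
    payload, _, mac = state.rpartition(".")
    good = hmac.new(STATE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, good):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if not hmac.compare_digest(data["n"], expected_nonce):
        return None
    return data["d"]

def build_login_url(app_id, dynamic, nonce):
    """Authorization URL: one registered redirect_uri, variability lives in state."""
    q = {"client_id": app_id, "redirect_uri": REGISTERED_REDIRECT,
         "state": encode_state(dynamic, nonce)}
    return "https://www.facebook.com/dialog/oauth?" + urlencode(q)

def strict_match(redirect_uri, allowed):
    """Model of strict matching: scheme, host, path and the full query string must
    equal an allow-list entry. Extra parameters such as ?assoc=277 or the admin
    test's &x=...&y=2 therefore fail, even though the domain is right."""
    r = urlsplit(redirect_uri)
    for entry in allowed:
        a = urlsplit(entry)
        if (r.scheme.lower(), r.netloc.lower(), r.path, r.query) == \
           (a.scheme.lower(), a.netloc.lower(), a.path, a.query):
            return True
    return False

def redirect_uri_of(login_url):
    """Helper for checking what redirect_uri a built login URL actually carries."""
    return parse_qs(urlsplit(login_url).query)["redirect_uri"][0]
```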
 