Is there any way to turn off the option Use Strict Mode for Redirect URIs in a Facebook app? It seems that as of March 2018 this property automatically is turned on and is greyed out so cannot be disabled. Facebook seems to disallow authentication unless the exact URL is mentioned in Valid OAuth Redirect URIs. This is a problem because the Sitecore Social Connected module seems to pass in a different state parameter in the query string each time you log in. I have tested using the Redirect URI Validator in the Facebook app and this confirms that the redirect must be exactly as per Valid OAuth Redirect URIs.
No, there is no way to turn it off – WizKid Mar 21 '18 at 16:57
-
@WizKid in that case, is there any way to handle the situation of the Sitecore Social Connected module generating a URL with a different query string each time? – Matthew Dresser Mar 21 '18 at 17:28
-
Only to change it to not generate a unique string every time I believe – WizKid Mar 21 '18 at 17:48
-
The only thing that does not fall under that restriction, is the `state` parameter - so if you need to transport any individual information with a login dialog call, you can put it in there. Since this value also takes care of CSRF protection, if you have to transport a static or easily guessable value, I would recommend that you still combine it with a random one. (Could be for example simply the JSON string containing `[your value, random value]` or something like that.) – CBroe Mar 22 '18 at 07:32
-
@CBroe even when I add to "Valid OAuth Redirect URIs" e.g. `http://example.com/my-redirect.ashx?type=access&scope=email,user_birthday,user_location&type=web_server&state={state-param}` the Redirect URI Validator will give an error for `http://example.com/my-redirect.ashx?type=access&scope=email,user_birthday,user_location&type=web_server&state=123456`. Not sure if I should be specifying some sort of wildcard for the state parameter value? – Matthew Dresser Mar 26 '18 at 11:11
-
The value the `redirect_uri` parameter has in your actual login dialog call needs to be specified in this field. (That should not contain any `state` to begin with.) – CBroe Mar 26 '18 at 11:15
-
@CBroe I don't understand you. After clicking our login with facebook button, the user is taken to a page such as: `https://www.facebook.com/v2.5/dialog/oauth?client_id=XXXXXXXXXX&redirect_uri=http://example.com/my-redirect.ashx?type=access&scope=email,user_birthday,user_location&type=web_server&state=a463df5c-3a76-4413-b118-58e70e72d007` – Matthew Dresser Mar 26 '18 at 11:34
-
So, the value of your `redirect_uri` parameter is `http://example.com/my-redirect.ashx?type=access` ... the rest are parameters of the login dialog. – CBroe Mar 26 '18 at 11:37
-
I already found out how it works. Please see this reference link for the solution: https://learn.microsoft.com/en-us/aspnet/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on – Ralph Olazo Apr 23 '18 at 18:38
-
@RalphOlazo that article is a generic tutorial about Facebook/social authentication. It doesn't mention anything about strict mode for redirect URIs related to Facebook. – Matthew Dresser Apr 26 '18 at 15:47
2 Answers
Is there any way to turn off the option Use Strict Mode for Redirect URIs in a Facebook app?
NO
Due to the security changes made to Facebook, it's no longer possible to turn off this setting.
Regarding specifics of Sitecore and the Social Connected module, I found from @CBroe's comments that the Valid OAuth Redirect URIs now needs to contain a query string parameter as follows:
http://example.com/layouts/Social/Connector/SocialLogin.ashx?type=access
previously I just had
http://example.com/layouts/Social/Connector/SocialLogin.ashx
If you are using HTTPS, you will need to enter the URI with the port number as well i.e.
https://example.com:443/layouts/Social/Connector/SocialLogin.ashx?type=access
This last point is not related to the recent Facebook app changes.
Same experience, I could not turn it off. What eventually worked for me was:
I have a link on my site that starts the login process:
https://www.example.com/users/auth/facebook
Following this causes my rails app to redirect to
https://www.facebook.com/v2.6/dialog/oauth?client_id=1234&redirect_uri=https%3A%2F%2Fwww.example.com%2Fusers%2Fauth%2Ffacebook%2Fcallback&response_type=code&scope=email&state=123456
Facebook replies with
https://www.example.com/users/auth/facebook/callback?code=abcverylongcodexyz
Therefore the URI that needs to be whitelisted is simply "https://www.example.com/users/auth/facebook/callback", without the code part.
FWIW, when I moved my site from http to https I needed to update my config/initializers/devise.rb to include
config.omniauth :facebook, '1234', '34567', :scope => 'email', :callback_url => 'https://www.example.com/users/auth/facebook/callback'
as it was still using the http: protocol in the callback url, and you can't whitelist any URI in that protocol under the current guidelines.
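Both answers come down to the same check: the value whitelisted under Valid OAuth Redirect URIs must equal, component for component, the `redirect_uri` value carried in the login dialog call, with nothing Facebook appends (`code`, `state`) and nothing belonging to the dialog itself (`scope`, `type=web_server`, the dialog's own `state`). The following Ruby is an added illustration, not code from either answer or from Sitecore/Devise; the two dialog URLs are constructed to mirror the unencoded one in the question and the encoded one in the Rails answer, and the function names are hypothetical.

```ruby
require "uri"

# Constructed sample dialog URLs (not from a real app). The first mirrors the
# unencoded form in the question, the second the encoded form in the Rails answer.
SITECORE_DIALOG = "https://www.facebook.com/v2.5/dialog/oauth?client_id=XXXXXXXXXX" \
  "&redirect_uri=http://example.com/my-redirect.ashx?type=access" \
  "&scope=email,user_birthday,user_location&type=web_server" \
  "&state=a463df5c-3a76-4413-b118-58e70e72d007"
RAILS_DIALOG = "https://www.facebook.com/v2.6/dialog/oauth?client_id=1234" \
  "&redirect_uri=https%3A%2F%2Fwww.example.com%2Fusers%2Fauth%2Ffacebook%2Fcallback" \
  "&response_type=code&scope=email&state=123456"

# The exact redirect_uri value the dialog call carries. The query is split on "&"
# before percent-decoding, so an unencoded "&" inside redirect_uri ends that
# value; everything after it (scope, state, ...) is a parameter of the dialog.
def redirect_uri_from_dialog(dialog_url)
  query = dialog_url.split("?", 2)[1].to_s
  URI.decode_www_form(query).to_h["redirect_uri"]
end

# Facebook sends the browser back to redirect_uri with code (and state) appended.
# Dropping those two parameters recovers the value that belongs in the whitelist,
# while keeping any query the app itself put there (e.g. type=access).
def whitelist_entry_from_callback(callback_url)
  base, query = callback_url.split("?", 2)
  kept = URI.decode_www_form(query.to_s).reject { |k, _| %w[code state].include?(k) }
  kept.empty? ? base : "#{base}?#{URI.encode_www_form(kept)}"
end

# Strict mode is component-for-component equality. Returns nil on a match,
# otherwise the first component that differs, which is what the Redirect URI
# Validator is objecting to without saying so.
def strict_mismatch(whitelisted, candidate)
  a, b = URI.parse(whitelisted), URI.parse(candidate)
  %i[scheme host port path query].find { |c| a.public_send(c) != b.public_send(c) }
end
```

Running `strict_mismatch` against the two situations in the thread reports `:query` for a callback with `state` appended and `:scheme` for an `http://` entry checked against an `https://` callback.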