
Initial setup:

My app uses facebook oauth system and has 3 different environments: production, testing and development. I've already listed all 3 valid redirect urls in facebook app's advanced settings (like people do here and here):

Valid OAuth redirect URIs:
  http://myapp-pro.herokuapp.com,
  http://myapp-tst.herokuapp.com,
  http://myapp-dev.herokuapp.com

Additionally, on basic settings the app has:

App domains: myapp-pro.herokuapp.com
Site URL: http://myapp-pro.herokuapp.com

What happens so far:

  1. When using production environment, everything's ok.

  2. When on testing or development (both are not located in App domains or Site URL):

    a. When the user logs in to my site and he's already logged in to facebook, everything goes fine.

    b. When the user logs in to my site, but he isn't already logged in to facebook, facebook complains that:

    Given URL is not allowed by the Application configuration
    One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
    

More details about the latter case:

  1. Current URL in browser at that moment is (not exactly, I've decoded next and cancel_url parts for clarity):

    https://www.facebook.com/login.php?
      skip_api_login=1&
      api_key=...&
      signed_next=1&
      next=https://www.facebook.com/v2.0/dialog/oauth?
        redirect_uri=http://myapp-dev.herokuapp.com?
        scope=public_profile&
        email&
        user_birthday&
      response_type=code&
      client_id=...&
      ret=login&
      cancel_url=http://myapp-dev.herokuapp.com?
        error=access_denied&
        error_code=200&
        error_description=Permissions+error&
        error_reason=user_denied#_=_&
      display=page
    
  2. As you may have noticed the redirect_uri and cancel_url domains are totally equal and this value (http://myapp-dev.herokuapp.com) exists in the list of Valid OAuth redirect URIs.

  3. If I manually change here cancel_url to production domain, facebook's error will disappear.

  4. If I manually remove cancel_url parameter completely, the error will vanish also.

  5. If I just ignore the message, enter my credentials and press login button, I will be redirected to https://www.facebook.com/login.php?login_attempt=1 and nothing else happens.


Thoughts:

  1. It seems like facebook simply doesn't check cancel_url to exist in the list of Valid OAuth redirect URIs.

  2. The manual hacks already mentioned are obviously not acceptable for a regular user, so I call for other ideas.

  3. Using different facebook apps corresponding to different environments is also not a good idea ideologically, imho.


Workarounds:

  1. As @CBRoe mentioned in the comments: I tried to use my own top-level domain instead of herokuapp.com (used it as the App domains and Site URL value) and it worked. This does not solve the initial question, but is a good workaround.

1 Answer

It seems that the Facebook app domain can be a subdomain. Facebook doesn't check whether it exists; it only looks at the top-level domain, which lets us set up a fake subdomain and host our local development environment on it.

However, this won't work if you or your client doesn't have a live top-level domain.

Edit the hosts file: /etc/hosts on Mac, /windows/system32/drivers/etc/hosts on Windows

192.168.10.10 dev.theclientsdomain.com

Then put dev.theclientsdomain.com in the App domains.

Hope this helps.

answered 2015-08-12T02:21:41.273
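As an added illustration (not code from the question, the answer, or Facebook), the following models the two checks the question runs into: the exact-match Valid OAuth redirect URIs list for redirect_uri, and the "match the App domain or be a subdomain of it" rule quoted in the error text, which is what cancel_url appears to fall under. The settings are the question's own; the rule implementation is a reconstruction from the error message and is an assumption, and it also shows why a plain substring test would be the wrong way to implement the subdomain rule.

```python
from urllib.parse import urlsplit

# Constructed from the question's settings; a model of the rule quoted in
# Facebook's error text, NOT Facebook's own implementation.
VALID_REDIRECT_URIS = {
    "http://myapp-pro.herokuapp.com",
    "http://myapp-tst.herokuapp.com",
    "http://myapp-dev.herokuapp.com",
}


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def in_redirect_allowlist(url: str, valid=VALID_REDIRECT_URIS) -> bool:
    """Exact scheme+host+path match; the query string (error=..., scope=...)
    is ignored, as it is in the page's example URLs."""
    s = urlsplit(url)
    base = f"{s.scheme}://{s.netloc}{s.path}".rstrip("/")
    return base in {v.rstrip("/") for v in valid}


def in_app_domains(url: str, app_domains) -> bool:
    """Host equals a registered App domain or is a subdomain of one.
    The '.' + d suffix test is deliberate: a bare substring test would also
    accept hosts such as 'myapp-pro.herokuapp.com.example'."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in app_domains)


def check_login_params(redirect_uri: str, cancel_url: str, app_domains):
    """Verdicts for the two URLs seen in the login.php URL of the question:
    redirect_uri is checked against both rules, cancel_url only against the
    App-domains rule (the behaviour the question infers from its tests)."""
    return {
        "redirect_uri_in_allowlist": in_redirect_allowlist(redirect_uri),
        "redirect_uri_in_app_domains": in_app_domains(redirect_uri, app_domains),
        "cancel_url_in_app_domains": in_app_domains(cancel_url, app_domains),
    }


if __name__ == "__main__":
    # Question's case: App domains list only the production host.
    dev = "http://myapp-dev.herokuapp.com?error=access_denied&error_code=200"
    print(check_login_params("http://myapp-dev.herokuapp.com", dev,
                             {"myapp-pro.herokuapp.com"}))
    # Answer's case: a fake subdomain of a domain you control.
    print(check_login_params("http://dev.theclientsdomain.com",
                             "http://dev.theclientsdomain.com?error=access_denied",
                             {"theclientsdomain.com"}))
```

In the first case redirect_uri passes the allowlist but neither URL satisfies the App-domains rule, because myapp-dev.herokuapp.com is a sibling of myapp-pro.herokuapp.com, not a subdomain of it; in the second case dev.theclientsdomain.com satisfies the rule, which is why the hosts-file workaround removes the error.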