Spring social: authentication with Facebook on machines with a load balancer - spring-social

My site uses spring social (1.1.6.RELEASE) and spring social facebook (2.0.3.REALEASE) to let users to sign in with their Facebook accounts.
Recently, Facebook requires all websites to use HTTPS based URIs for "Valid OAuth Redirect URIs". Here is what I have for "Valid OAuth Redirect URIs" at Facebook:
https://www.example.com/signin/facebook https://localhost/signin/facebook
I followed the suggestion at https://jira.spring.io/browse/SOCIAL-447 and have custom classes for FacebookConnectionFactory and OAuth2Template so that redirect URIs can start with https.
Everything works correctly on my laptop. However, I am unable to get it work for the site on the internet.
Here is the environment of my system: A load balancer device distributes requests to two Dell boxes. The loadbalancer takes HTTPS requests and sends HTTP requests to boxes.
Here is what I experience on the internet site: when I click the Facebook button to start authentication with Facebook, I am directed to Facebook login. After entering correct username and password, I am redirected my site, but with an exception: Here is the exception message:
Response body: {"error":{"message":"Can't Load URL: The domain of this
URL isn't included in the app's domains. To be able to load this URL,
add all domains and subdomains of your app to the App Domains field in
your app
settings.","type":"OAuthException","code":191,"fbtrace_id":"GeA8sXoebS3"}}
I have example.com in the App Domains field at Facebook, but it still fails. Does the system setup (including the load balancer) play a role here? I believe so, but cannot figure out how to fix it? Spent quite an amount of time and no success.
Any suggestion and info would be really appreciated.
Update
My site has been using SSL for a long time. It's authentication with Facebook was working before, but now it is not because of "https" requirement Facebook recently imposed.

Related

SSO Login: Cookie scheme does not match in FireFox

I have a Webapp (HTML, JS, PHP) on an Amazon cloud server which is integrated in our companies network. Lets say the servers name is
dev-myapp.cloud.myentity.mycompany.com
This app is using the companies global SSO login by getting an oauth token from the SSO login page and then sending client, secret and callback (as usual). If Login is successful, the SSO login redirects to my callback (which in that case is my apps url above)
The SSO login creates many cookies in the browser. Most of them are flagged as secure but also some are not. For all of this cookies I now get an error
Cookie "xxx" will be soon treated as cross-site cookie against "path_to_any_of_my_sources" because the scheme does not match
I get this error for every script which is loaded (HTML, js, PHP, css) with FireFox.
The domain of the created cookies is
mycompany.com
so there should be no cross site at all.
What can I do to remove this hundreds of warnings, which makes debugging really annoying
If you need more information please let me know. Please understand I cannot provide you with real data from my company.
I was able to fix this same problem by clearing my cookies in the browser.

Laravel Socialite facebook login: Can't Load URL: The domain of this URL isn't included in the app's domains

I know this question has asked before many times. I've tried every one but no luck,
I my situation,
Website url: https://mywebsite.com/qa
redirect url: https://mywebsite.com/qa/login/facebook/callback
I have added my domain to app domain, redirect url to valid oAuth redirect url. But same error.
I even created a new app.
However facebook authentication is working fine with https://mywebsite.com/ domain. It's is a different app and a website.
The issue happens only with the site in the sub folder.
Any help ?
Thank you.
EDIT
Screenshot
Can you check if "Valid OAuth Redirect URIs" in Facebook app "Facebook login" setting is properly defined like shown in screenshot attached ?
Also have you checked if your app has strict mode enabled ?
This error occurs if your OAuth setting is not correct.
I would suggest to check all settings of your app thoroughly.

Facebook login with Socialite throws error

I'm trying to integrate facebook login into an app just for learning purposes but it seems that facebook made some changes recently that allows only https.
Here's the error when I try to log in with facebook:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
Some people suggested to go to Facebook Login -> Settings and disable 'Enforce HTTPS for Web OAuth Login'. However, it seems that the recent update on facebook disabled this option.
Anyone found a work around this problem?
Enforce HTTPS
This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt.

SSO with ADFS using WS Federation working fine on localhost but not on server

We want to implement SSO in our multiple application
eg : abc.domain.com/app1 and abc.domain.com/app2.
We have configured ADFS on our server. WE have used WS federation authentication. Our both app are aware of claim based authentication.
Scenario we want to achieve,
1. Make login on app abc.domain.com/app1 using ADFS WS federation authentication.
2. We have successfully authenticated in this domain.
3. Now make request on abc.domain.com/app2. It should be login automatically in this app.
Actioned:
Both app URLs are added on relying party trust in ADFS.
We have added Endpoint URL of 1st app abc.domain.com/app1
Both app refer same ADFS metadata URL.
We have achieved this in our local environment. In local system these two different app are running on different port
1. localhost:44313
2. localhost:44330
When we make successfully login on localhost:44313 and request on localhost:44330 then user also authenticated for this app as well and displayed as logged in.
This scenario is not working fine for the live environment. Our live URL structure is same as mentioned above (abc.domain.com/app1, abc.domain.com/app2) but it's not working there.
Any help would be appreciated!
What errors do you see in the event log?
If you have two different apps, you need two different RP on ADFS.
Also you need to run both on https.
Do you have https on your live environment?

How to do facebook auth through a remote proxy

Say I have an app with a Sinatra REST API at http://example.com:4567. With my app I have a designer working on the front-end. Rather than set him up with a local back-end I edit his hosts file as follows:
127.0.0.1 local.example.com
and his httpd-vhosts.conf as follows:
ProxyPass /api http://example.com:4567
ProxyPassReverse /api http://example.com:4567
so that API calls are proxied to the remote host. I then create a vhost for local.example.com in apache that maps to his local directory where our front-end repo is. This allows me to give him a remote back-end with a local front-end.
The reason for the subdomain is because we do Facebook authentication which has its restrictive domain policies for auth. We can successfully facebook auth a user and get redirected back to the app, but when attempting to get an access token get a 400 response with the message:
{"error"=>{"message"=>"Missing client_id parameter.", "type"=>"OAuthException", "code"=>101}}
I believe the client_id is correctly set as it's set in the rack:oauth:client object correctly, and the flow is identical and only fails when the domain is different. The only thought I have is that facebook might not like that the user auth's from local.example.com while the access token is requested from example.com, but my understanding is facebook will authenticate on all subdomains. I've also whitelisted local.example.com on my App.
Any insight or advice into how to accomplish this? Thanks in advance.
Turns out it wasn't a domain issue, but rather fb_graph, the open source fb api from nov, uses basic auth by default, you need to set auth to something other than ":basic" when you get the access token in order to solve this error.

Resources