I am implementing Passport Facebook Authentication by linking the Facebook Authentication API route to a button using href like:
Facebook Login
When I click on the button, it redirects to the Facebook Authentication page. But on the page, an error message is displayed saying something like "Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://"
How can I fix this issue?
Amazingly I just started trying to do the same thing like an hour ago and have been having the same issue. If you go into the FB developer portal and go to Settings under Facebook Login there's an option to Enforce HTTPS.
Further Investigation Showed:
"Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt."
Reference: Login Security
Since you're using passport, also check your auth.js settings, or where ever you keep these settings. Even if your website has a certificate, the following code will still fail:
'facebookAuth' : {
'clientID' : '.............', // App ID
'clientSecret' : '............................', // App Secret
'callbackURL' : 'localhost:9999/auth/facebook/callback',
'profileURL' : 'https://graph.facebook.com/v2.5/me?fields=first_name,last_name,email',
'profileFields' : ['id', 'email', 'name']
},
The problem lies with the callbackUrl.
'callbackURL' : '/auth/facebook/callback'
'callbackURL' : 'http://localhost:9999/auth/facebook/callback'
The statements above will both fail. The callbackUrl needs to start with https. The first one will try to load http://localhost and append the callbackUrl. The second one obiviously loads the full url with http, and both fail to connect with FB. So try one of the following. If your site has a certificate, provide the full url. If you're testing this on a localhost, create your own certificate and access it by https like:
'callbackURL' : 'https://example.com/auth/facebook/callback'
'callbackURL' : 'https://localhost:9999/auth/facebook/callback'
Since Facebook have been requiring usage of HTTPS for our redirect URIs we can use ngrok at localhost for start up a local secure HTTP tunnel. It is a clean and fast suggested alternative for now.
Get official ngrok package
Unzip to your preferred directory
unzip /opt/ngrok.zip;
Make your first HTTP tunnel: /opt/ngrok http 3000
See more great use cases in ngrok docs.
There are 2 ways you can solve that:
First:
You can go to your google Passport strategy and add proxy: true
passport.use(
new FacebookStrategy(
{
clientID: facebookID,
clientSecret: facebookSecret,
callbackURL: "/auth/facebook/callback",
proxy: true
}
)
);
What happens most of the time is that, when you deploy or app through Heroku, for example, they have a Proxy that allows Heroku to direct the requests to your specific server and Passport assumes that if your request goes through a proxy it might not be safe (So... No https).
The second way you can solve that is by using a specific path for your callbackURL.
For example, instead of using:
callbackURL: "/auth/facebook/callback"
you would use:
callbackURL: https://mydomain/auth/facebook/callback
Keep in mind that if you are going to use this approach you might need to create environment variables to hold the values of your specific redirectURL for development as well as for production.
To fix, for local development, generate ssl certs on your machine. Run the commands below(tested on Mac High Sierra, you will need the openssl lib installed on your os) to create a cert.pem and a key.pem file in your working directory.
openssl req -x509 -newkey rsa:2048 -keyout keytmp.pem -out cert.pem -days 365
openssl rsa -in keytmp.pem -out key.pem
Change your node http server to use https. You will need to import the https module in place of the http module.
const https = require('https')
const path = require('path')
const fs = require('fs')
const options = {
cert: fs.readFileSync(path.resolve(__dirname, '<path_to_your_cert.pem>')),
key: fs.readFileSync(path.resolve(__dirname, '<path_to_your_key.pem>'))
}
const server = https.createServer(options, <your_handler_or_app_eg_express>)
server.listen(<your_prefered_port_number>)
Go to the app on your facebook developer console and set the Valid OAuth Redirect URIs to the https version of your localhost domain. Do same for the app domain and site url.
In my case, I modified my package.json file.
"start": "node scripts/start.js" =>
"start": "set HTTPS=true&&node scripts/start.js"
I hope help you.
This for php sdk reference
Now https is required for the web-application to login via Facebook.
Following procedure is required get valid authentication from Facebook.
Basic Seetings
set App Domains as your root domain (www.example.com)
Privacy Policy URL (https://www.example.com/privacy-demo/)
Terms of Service URL (https://www.example.com/terms-demo/)
Set Category
Site URL (https://www.example.com/facebook-login/) facebook-login this folder contain my all facebook login files
Advanced
Server IP Whitelist (your host ip address 124.25.48.36)
Products below Facebook login settings
Valid OAuth Redirect URIs (https://www.example.com/facebook-login/fb-callback.php)
Quick start
Select website put site url (https://www.example.com/facebook-login/)
Save all changes and live your app (ie: on your app) Now your app status will live.
You can refer this code https://github.com/facebook/php-graph-sdk
use a vpn worked for me cyber ghost is free try it
In your passport setting change your redirect url to some https://someUrl
'https' is important
Related
I recently downloaded an SSL certificate from zeroSSL.com and set it up in my Heroku CLI. Now the website still uses HTTP but it shows that an SSL certificate has been added on heroku.
If Heroku shows that the certificate was added, it should be available. Can you successfully browse to your site using HTTPS?
Note that Heroku doesn't redirect from HTTP to HTTPS for you. They recommend that you do that in application code:
Redirects need to be performed at the application level as the Heroku router does not provide this functionality. You should code the redirect logic into your application.
That page has several examples for how to redirect using common languages and frameworks. I'm not sure what you're using, but I suggest you start there.
I have been following the facebook bot setup guide and have setup a callback url that is running on an EC2 instance.
I am getting an error (see title of this) when trying to validate the callback url and verify token.
https://360.finance:1337/webhook is my webhook and the verify token is the same in my environment variable and in my facebook setting.
I set up SSL using LetsEncrypt and from what I can tell, the SSL is not showing as self signed so it looks to be working correctly (please note I'm new to all of this)
Checked at https://www.ssllabs.com/ssltest/analyze.html?d=360.finance&hideResults=on and all looks correct.
I have also included the facebook page token as an environment variable and included in my index.js file
I have tested netcat / telnet into that port on my ec2 ip and it is succeeding
You must return an http response of the hub.challenge token as a plain text.
We need to update the following on Facebook app settings page before adding The Callback URL or Verify Token.
Privacy Policy URL
Category
App Icon (1024*1024)
Its weird that facebook doesn't point our exact error.
check you callback server, if it is running or not ?
the callback and token comes from your server.
For python users you need to use a dot not underscore. I don't get it when I use the underscore version Facebook API cant access challenge but when I replicate the same GET request with postman I can access the challenge.
# Wrong way
challenge = request.GET['hub_challenge']
# Right way
challenge = request.GET['hub.challenge']
return HttpResponse(challenge)
Do not use ngrok or localtunnel.
I tried both, with no luck.
If you really want your local dev server to authenticate - you can port forward over ssh to your public faced server.
ssh -R 4000:localhost:4000 root#your-server-ip
This way you can setup nginx to reverse proxy 443 to 4000 and handle ssl with certbot
sample config for nginx reverse proxy (before running certbot)
server {
server_name my-own-domain;
root /usr/share/nginx/html;
index index.html index.htm;
listen 80;
location / {
proxy_pass http://localhost:4000/;
}
}
So you "only" need:
Your own domain
Your own server
nginx
certbot
SSH Server
And now you have your own private ngrok replacement
This is Spring MVC application and host on Heroku which has valid ssl certificate.
When I click on the following link from the spring mvc web application
https://www.website.com/auth/facebook
It redirects to this link
https://www.facebook.com/v2.5/dialog/oauth?client_id=1234567890&response_type=code&redirect_uri=http%3A%2F%2Fwww.website.com%2Fauth%2Ffacebook&scope=email&state=62b62bad-f8c8-44a3-bacf-a13ce12dfcce
In this, redirect_uri takes http instead https. How to forced https to redirect_uri?
I have followed the solution mentioned in this question
Spring OAuth redirect_uri not using https
and created following file but it didn't work.
The application.propeties file contains
server.tomcat.remote-ip-header=X-Forwarded-For
server.tomcat.protocol-header=X-Forwarded-Proto
server.use-forward-headers=true
security.oauth2.client.pre-established-redirect-uri=https://www.website.com/login
security.oauth2.client.registered-redirect-uri=https://www.website.com/login
security.oauth2.client.use-current-uri=false
If you are using .net core application then in Configure Method at Startup.cs file add the following line of It should be work.
app.Use((context, next) =>
{
if (context.Request.Headers["x-forwarded-proto"] == "https")
{
context.Request.Scheme = "https";
}
return next();
});
Go to Facebook Developer, Below Products tab go to Facebook login
Make sur Enfore https is set to yes
Then in valid oauth reidrect url add https urls
Change your site Url to https:
and I am really surprised how Facebook redirects you to http!
From 1st may all the redirects should redirected to https. Even in your localhost, you need to create a self-signed certificate to get facebook login working.
I'm trying to integrate facebook login into an app just for learning purposes but it seems that facebook made some changes recently that allows only https.
Here's the error when I try to log in with facebook:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
Some people suggested to go to Facebook Login -> Settings and disable 'Enforce HTTPS for Web OAuth Login'. However, it seems that the recent update on facebook disabled this option.
Anyone found a work around this problem?
Enforce HTTPS
This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019. Most major cloud application hosts provide free and automatic configuration of TLS certificates for your applications. If you self-host your app or your hosting service doesn't offer HTTPS by default, you can obtain a free certificate for your domain(s) from Let's Encrypt.
I provisioned a server using forge and set the domain to blog.example.com. And I generate a LetsEncrypt certificate for that server and set the site to run on http2. It was perfectly fine.
However, I need to make the server accessible via www.blog.example.com now. So I set a CNAME record to route www.blog to blog.example.com. But I got an error This site can’t provide a secure connection when I try to access the site via www.blog.example.com. So I try to generate a new certificate for www.blog.example.com but forge reply First domain does not match root domain on site.
How can I solve the problem?
Thank you.