How to do facebook auth through a remote proxy - ruby

Say I have an app with a Sinatra REST API at http://example.com:4567. With my app I have a designer working on the front-end. Rather than set him up with a local back-end I edit his hosts file as follows:
127.0.0.1 local.example.com
and his httpd-vhosts.conf as follows:
ProxyPass /api http://example.com:4567
ProxyPassReverse /api http://example.com:4567
so that API calls are proxied to the remote host. I then create a vhost for local.example.com in apache that maps to his local directory where our front-end repo is. This allows me to give him a remote back-end with a local front-end.
The reason for the subdomain is because we do Facebook authentication which has its restrictive domain policies for auth. We can successfully facebook auth a user and get redirected back to the app, but when attempting to get an access token get a 400 response with the message:
{"error"=>{"message"=>"Missing client_id parameter.", "type"=>"OAuthException", "code"=>101}}
I believe the client_id is correctly set as it's set in the rack:oauth:client object correctly, and the flow is identical and only fails when the domain is different. The only thought I have is that facebook might not like that the user auth's from local.example.com while the access token is requested from example.com, but my understanding is facebook will authenticate on all subdomains. I've also whitelisted local.example.com on my App.
Any insight or advice into how to accomplish this? Thanks in advance.

Turns out it wasn't a domain issue, but rather fb_graph, the open source fb api from nov, uses basic auth by default, you need to set auth to something other than ":basic" when you get the access token in order to solve this error.

Related

Spring social: authentication with Facebook on machines with a load balancer

My site uses spring social (1.1.6.RELEASE) and spring social facebook (2.0.3.REALEASE) to let users to sign in with their Facebook accounts.
Recently, Facebook requires all websites to use HTTPS based URIs for "Valid OAuth Redirect URIs". Here is what I have for "Valid OAuth Redirect URIs" at Facebook:
https://www.example.com/signin/facebook https://localhost/signin/facebook
I followed the suggestion at https://jira.spring.io/browse/SOCIAL-447 and have custom classes for FacebookConnectionFactory and OAuth2Template so that redirect URIs can start with https.
Everything works correctly on my laptop. However, I am unable to get it work for the site on the internet.
Here is the environment of my system: A load balancer device distributes requests to two Dell boxes. The loadbalancer takes HTTPS requests and sends HTTP requests to boxes.
Here is what I experience on the internet site: when I click the Facebook button to start authentication with Facebook, I am directed to Facebook login. After entering correct username and password, I am redirected my site, but with an exception: Here is the exception message:
Response body: {"error":{"message":"Can't Load URL: The domain of this
URL isn't included in the app's domains. To be able to load this URL,
add all domains and subdomains of your app to the App Domains field in
your app
settings.","type":"OAuthException","code":191,"fbtrace_id":"GeA8sXoebS3"}}
I have example.com in the App Domains field at Facebook, but it still fails. Does the system setup (including the load balancer) play a role here? I believe so, but cannot figure out how to fix it? Spent quite an amount of time and no success.
Any suggestion and info would be really appreciated.
Update
My site has been using SSL for a long time. It's authentication with Facebook was working before, but now it is not because of "https" requirement Facebook recently imposed.

How to setup a root domain redirect for https with google domains

Using Google Domains, I've set up a synthetic record to redirect foo.com -> www.foo.com. Just like in this example:
https://support.google.com/domains/answer/6346300?hl=en
However, it doesn't seem to work with https://foo.com.
How do I configure it so that the subdomain forward works with https as well?
To give it more context, I'm mapping my custom domain to a heroku app, so I've set up a CNAME record for www.foo.com, and would like https://foo.com to be mapped to https://www.foo.com
Before providing any input please confirm if you are using any pointing service?
If http://foo.com is working whereas https://foo.com is not then you may need any service like pointDNS or cloudflare.

Amazon Route53 redirection

I have a domain example.com in AWS and have got one load balancer and one ec2 instance. Trying to setup https with certificate from AWS.
Route53 setup and A record setup is done as follows for domain to load balancer.
domain name - *.example.com
Name:-
example.com.
Type:-
- Ip4
Alias Target :- dns name of load balancer.
My web is a spring based web and it redirect user to landing page if user access www.example.com --->>> www.example.com/landing.
After all the setup, if i access like the below url, it is working fine.
https://www.example.com/landing
But if i access without www,
https://example.com/landing --> It leads to browser security page.(Your connection is not private
Attackers might be trying to steal your information from ...)
Our certificate is based on the domain name *.example.com.
If I simply access, https://example.com/ ---> It gets redirected to http://example.com/landing -- > Spring app redirects like this with http.
http://www.test.com/landing leads to certificate trust error. (https://example.com/landing).
Getting site can not be reached error if i simply access, http://www.example.com/
I am looking for URL redirection to https if user access using http or without www or without any scheme. Not sure if i have to configure anything in Route53.
Also, Do i need to configure in my app to redirect to https?
Your current certificate should not work for the root, i.e. https://test.com
Either purchase an alternate name for https://test.com or use only www.test.com as your website. You do not need to change anything in Route53 for now. You probably do need to add redirection in your webserver/app to use HTTPS-only, unless you want to leave it to the users.

CORS and LTPA token from local domain

I'm struggling with CORS and a SSO configuration between two WAS servers using LTPA key share.
CORS calls from server1 (domain1) to server2 (domain2) work fine if I don't have authentication on server2 (meaning the cross domain Ajax call works), but it doesn't if I have.
The context is: The web client logs into domain1, one part of the UI needs to display some data coming from server 2 (domain2). Server 1 and server 2 share the same LTPA key with the same realm. That works fine, I can make manual calls (with curl for example) to domain2 using the LtpaToken2 from the webclient obtain from domain1.
The problem is: When I make the CORS call from the web client, I use withCredentials to true, but withCredentials includes cookies from the remote domain, and of course I have no cookie yet since the browser does not know the domain2 yet. What I need to do is include the LtpaToken2 cookie from the local domain (domain1) when doing the cross-domain ajax call to domain2. That way I will be authenticated. But because of the cookie cross domain policy I'm stuck.
Am I approaching the problem in the wrong way here? How would you handle that: doing a CORS call to a yet unknown domain using the LtapToken from the local domain?
Thank you very much for your help!

Setting up google project for authentication api

I am trying to set up google authentication for my local project. I run projects in python virtual environments and have different local domainnames set up for those. Names like projectname.dev. When i enter http://projectname.dev in browser the site opens up.
When i went to https://console.developers.google.com/project/< myprojectid >/apiui/credential?authuser=0 i could set values like javascript origin and authorized redirect uri there. I set javascript origins to http://projectname.dev and tried to put same domain for authorized redirect url too, but it did not work and i had to leave it to localhost.
When i tried to authenticate via django-allauth, i got such response from google:
**Error: invalid_request**
Invalid parameter value for redirect_uri: Non-public domains not allowed: http://projectname.dev/account/google/login/callback/
Now my questions are:
Can i develop this part of project locally with domainname like projectname.dev or do i need to set it up for localhost? Will local redirect from localhost -> projectname.dev work?
If i can do it with projectname.dev, then perhaps there is an error in the way i have this project set up in google developers console?
In any case, if you cannot set the redirect URI in the Cloud Console, Google will throw you our when you try to authorize the app.
My recommendation would be to choose either of those solutions :
Use "localhost" as you said, with some kind of redirection/NAT/proxy to projectname.dev
Replace projectname.dev with a domain with an actual tld such as projectname.thisdomaindoesnotexist.com . Then configure this domain name to map to your servers.
Or wait for ".dev" to be recognized as an actual TLD, and you'll be good :)

Resources