Facebook-based authentication: no signed_request parameter after redirect

On my canvas page, I try to authenticate the user as described in http://developers.facebook.com/docs/guides/canvas/ , using essentially this code (example code from developers.facebook.com):

<?php
$app_id = "YOUR_APP_ID";
$canvas_page = "YOUR_CANVAS_PAGE_URL";
$auth_url = "http://www.facebook.com/dialog/oauth?client_id=" . $app_id
          . "&redirect_uri=" . urlencode($canvas_page);

// signed_request is absent on the first redirect (only "code" arrives), so guard the lookup
$signed_request = isset($_REQUEST["signed_request"]) ? $_REQUEST["signed_request"] : "";
list($encoded_sig, $payload) = array_pad(explode('.', $signed_request, 2), 2, '');
// Decode the URL-safe base64 payload (the signature is not verified in this snippet)
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);

if (empty($data["user_id"])) {
    echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {
    echo("Welcome User: " . $data["user_id"]);
}
?>

The problem is that the first time a user allows my canvas application, Facebook does not pass the signed_request parameter when redirecting back (as described in the code example), but the code parameter. When accessing the application for the second time (having already confirmed the rights), it passes the signed_request parameter as expected.

Why is it passing the code parameter for the first time? The documentation does not explain when Facebook passes the code / signed_request .

+4
9 answers

The problem was that for $canvas_page I used the canvas URL (e.g. mysite.com/canvas) instead of the canvas page URL (e.g. apps.facebook.com/myapp).

+2

I think you need to add "&response_type=token" to your authentication URL:

https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&response_type=token

Then you return what looks like this:

http://apps.facebook.com/APP_NAME/#access_token=YOUR_APP_ID%YADA_YADA_YADA0&expires_in=3948

And you can extract it using JavaScript:

// The hash holds "#access_token=...&expires_in=...", so check that it has content
// (length > 1) and parse the key=value pairs instead of taking the whole fragment
if (window.location.hash.length > 1) {
    var params = {};
    window.location.hash.substring(1).split('&').forEach(function (pair) {
        var kv = pair.split('=');
        params[decodeURIComponent(kv[0])] = decodeURIComponent(kv[1] || '');
    });
    var accessToken = params['access_token'];
}
+2

Facebook uses a code parameter to authenticate your application. The documentation states:

* If the user clicks Allow, your application is authorized. The OAuth dialog redirects (via HTTP 302) the user's browser to the URL that you passed in the redirect_uri parameter with the authorization code *

To complete authorization, you must now take the code parameter and your application secret and pass them to the Graph API token endpoint (rephrasing the documentation). This will give you the access token. From then on, your application will not receive a code parameter for this user, as they have already been authenticated.

Facebook uses signed_request to share information with your application. The documentation indicates three scenarios in which it will transmit a signed request. It:

  • The signed_request is sent to applications on Facebook.com when they are loaded on Facebook.
  • The signed_request is passed to any application that has registered a deauthorize callback in the Developer App when the user removes the application using the application settings.
  • The signed_request is sent to applications that use the Registration Plugin when the user successfully registers using the application.

Thus, the code parameter is sent only for authentication of the application, and signed_request is used to transmit information after authorization of the application.

+1

Saj - this is very correct. I fought too much with this. When setting redirect_uri to my domain name, I got an infinite redirect loop. When setting redirect_uri to the Facebook app URL, I got an error indicating that the URL is not in my domain and therefore unavailable. It took a "/" at the end to solve this problem.

+1

I had the same problem with my canvas application. I fixed it by simply redirecting to my canvas application URL if there is a code GET request parameter. After that, Facebook sends me a POST request containing the signed_request parameter, as expected. Here is a Django (Python) snippet:

from django.http import HttpResponseRedirect

def canvas(request):
    # First-time authorisation arrives as GET ?code=...; bounce to the canvas page
    # so that Facebook POSTs back with signed_request
    if 'code' in request.GET:
        return HttpResponseRedirect(FACEBOOK_CANVAS_URL)
    # ...rest of your canvas handling code here
+1
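The question's PHP snippet decodes the signed_request payload without checking its signature, and the Django answer above routes the first-time "code" redirect back to the canvas page. The following is an added example (not code from the question, the answers or Facebook's documentation) that combines both: it verifies the HMAC-SHA256 signature with the app secret before trusting user_id, and redirects a bare "code" request to the canvas page. APP_ID, APP_SECRET, CANVAS_PAGE, make_signed_request and handle_canvas_request are hypothetical values and names constructed for this example; the signing scheme (base64url, HMAC-SHA256 over the payload, "algorithm" field in the JSON) is the one Facebook documents for signed_request.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed example values, not real Facebook credentials
APP_ID = "123456789"
APP_SECRET = "example-app-secret"
# Canvas *page* URL (app namespace, trailing slash), as the answers above recommend
CANVAS_PAGE = "https://apps.facebook.com/myappname/"

AUTH_URL = "https://www.facebook.com/dialog/oauth?" + urlencode(
    {"client_id": APP_ID, "redirect_uri": CANVAS_PAGE}
)


def _b64url_decode(s: str) -> bytes:
    # Facebook uses URL-safe base64 without padding; restore the padding before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Verify the signature of '<sig>.<payload>' and return the decoded payload.

    Raises ValueError when the value is malformed or the signature does not match,
    so a forged user_id never reaches the caller.
    """
    try:
        encoded_sig, payload = signed_request.split(".", 1)
    except ValueError:
        raise ValueError("signed_request must be '<sig>.<payload>'")
    data = json.loads(_b64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(app_secret.encode(), payload.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the supplied signature against the recomputed one
    if not hmac.compare_digest(_b64url_decode(encoded_sig), expected):
        raise ValueError("bad signature")
    return data


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request the way Facebook does; used here only to construct test input."""
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64url_encode(hmac.new(app_secret.encode(), body.encode("ascii"), hashlib.sha256).digest())
    return sig + "." + body


def handle_canvas_request(params: dict) -> dict:
    """Decide what the canvas handler does with the incoming request parameters.

    Returns {"action": "redirect", "url": ...} or {"action": "render", "user_id": ...}.
    """
    if "signed_request" in params:
        try:
            data = parse_signed_request(params["signed_request"], APP_SECRET)
        except ValueError:
            # Forged or corrupt value: treat the visitor as unauthenticated
            return {"action": "redirect", "url": AUTH_URL}
        if data.get("user_id"):
            return {"action": "render", "user_id": data["user_id"]}
        # Valid signature but the user has not authorised the app yet
        return {"action": "redirect", "url": AUTH_URL}
    if "code" in params:
        # First-time authorisation landed with ?code=... and no signed_request:
        # bounce to the canvas page so Facebook POSTs a signed_request (the Django fix above)
        return {"action": "redirect", "url": CANVAS_PAGE}
    return {"action": "redirect", "url": AUTH_URL}


if __name__ == "__main__":
    sample = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "42"}, APP_SECRET)
    print(handle_canvas_request({"signed_request": sample}))
    print(handle_canvas_request({"code": "constructed-code"}))
```

The check that matters is the one the PHP snippet skips: without comparing the recomputed HMAC, anyone can base64-encode a JSON body with an arbitrary user_id and be greeted as that user.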

I struggled with this problem (not getting the OAuth identifier in signed_request and instead getting "code" after the user approves the application) for more than a week, and this post (and a few other posts) helped me get closer to resolving it (I used the application canvas URL instead of the canvas page URL in the redirect URI, and I did not specify the namespace in the settings).

After making these corrections, I encountered another problem: the application approval page would not be displayed for a new user, and instead Facebook would display the message "the application has an error, etc." Finally, I realized that I did not have a "/" at the end of the canvas page URL in my redirect URL. I used https://apps.facebook.com/myappname instead of https://apps.facebook.com/myappname/ in the redirect URL. Adding the "/" at the end resolved the issue, and when a new user accessed my application using https://apps.facebook.com/myappname (if the user is already logged in) Facebook shows the approval page (after receiving a response from my server), and as soon as the user approves the application, Facebook sends a signed request with the required authorization code for my application. Hope this will be helpful to anyone who might run into the same problem.

0

Just to eliminate the confusion regarding the code parameter: Facebook will always send this parameter when the user permits the application. However, the signed_request parameter is sent using a POST message or some other method... it is not sent in the URL. You can access it using $_REQUEST['signed_request'].

0

I had a similar problem that was resolved when I assigned a namespace to my application, so it would look like apps.facebook.com/myapp, not apps.facebook.com/1234.

0

I had the problem you describe using Firefox with third-party cookies disabled.

I turned on third-party cookies, and then the signed_request was suddenly available.

0