social_core.backends.facebook.FacebookOAuth2 should have REDIRECT_STATE set to False #141
Comments
+1

pszpetkowski added a commit to pszpetkowski/social-core that referenced this issue (Oct 28, 2017)

omab pushed a commit that referenced this issue (Dec 22, 2017)

omab pushed a commit that referenced this issue (Dec 22, 2017)

@kevingu1003 - thank you for the fix!

Pardon me. Can anyone point out the security vulnerabilities of not sending the state parameter? Is this open to CSRF attacks now? I'm thinking about enabling strict mode with redirect state False vs keeping strict mode off and sending the state parameter. There are no resources about this and this page is #1 in Google results; can someone provide an explanation or a link to a resource?
I'm new to Facebook OAuth and actually new to the entire OAuth world, so this bug took me a very long time to figure out.
Since I'm new I'm forced to use Facebook API v2.10.
When `REDIRECT_STATE` is set to `True`, PSA will compose an authentication URL like the following:

https://www.facebook.com/v2.10/dialog/oauth?scope=email&redirect_uri=http%3A%2F%2Fexample.com%2Fcomplete%2Ffacebook%2F%3Fredirect_state%3D1TIlS0FPkTctrPCQhgf2rdO3bawWvwdB&client_id=[client_id]&return_scopes=true&state=1TIlS0FPkTctrPCQhgf2rdO3bawWvwdB

And Facebook will reject such a URL, giving an error message like the following:

This is because the callback URL configured as the redirect URL doesn't allow `redirect_state` inside the URL, which renders the authentication URL invalid. I'm not sure if older versions of the Facebook API allow this, but this is the case I'm encountering, and when I override the setting `REDIRECT_STATE` with a custom backend, Facebook allows me in.

Following is the entire code I'm using now with Facebook API v2.10:

And settings:

Please verify and fix, cheers.
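Added example, not code from social-core or from anyone in this thread: a simplified Python model of the URL composition described in the issue body and of the callback-side check behind the CSRF question in the comments. It assumes the registered callback URL `http://example.com/complete/facebook/` from the issue, and the function names (`build_auth_url`, `matches_registered`, `validate_state`) are hypothetical. In the URL quoted above the token appears twice, as `state=` and inside `redirect_uri`; `REDIRECT_STATE` only controls the second copy, so turning it off leaves the `state` parameter and its verification on the callback in place.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Facebook Graph API v2.10 dialog endpoint, as in the URL quoted in the issue.
AUTHORIZATION_URL = "https://www.facebook.com/v2.10/dialog/oauth"


def build_auth_url(client_id, redirect_uri, state, redirect_state):
    """Compose the authorization URL (hypothetical simplification of PSA).

    ``state`` is always sent as a query parameter (the anti-CSRF token).
    With ``redirect_state=True`` the same token is also embedded in
    ``redirect_uri`` as ``?redirect_state=...``, which is what the issue shows.
    """
    if redirect_state:
        redirect_uri = redirect_uri + "?" + urlencode({"redirect_state": state})
    params = {
        "scope": "email",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "return_scopes": "true",
        "state": state,
    }
    return AUTHORIZATION_URL + "?" + urlencode(params)


def redirect_uri_of(auth_url):
    """Return the decoded redirect_uri that the provider will compare."""
    return parse_qs(urlparse(auth_url).query)["redirect_uri"][0]


def matches_registered(auth_url, registered_uri):
    """A strict provider accepts only an exact match, query string included."""
    return redirect_uri_of(auth_url) == registered_uri


def validate_state(session_state, callback_query):
    """Callback-side CSRF check: returned state must equal the stored one."""
    received = parse_qs(callback_query).get("state", [None])[0]
    if received is None:
        return False
    return secrets.compare_digest(received.encode(), session_state.encode())


if __name__ == "__main__":
    state = secrets.token_urlsafe(24)  # fresh per-login token, stored in session
    registered = "http://example.com/complete/facebook/"
    for flag in (True, False):
        url = build_auth_url("[client_id]", registered, state, flag)
        print(f"REDIRECT_STATE={flag}: exact match = {matches_registered(url, registered)}")
    print("callback state check:", validate_state(state, f"code=abc&state={state}"))
```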