
social_core.backends.facebook.FacebookOAuth2 should have REDIRECT_STATE set to False #141

Closed
kevingu1003 opened this issue Oct 18, 2017 · 3 comments

Comments

@kevingu1003

kevingu1003 commented Oct 18, 2017

I'm new to Facebook OAuth and actually new to the entire OAuth world, so this bug took me a very long time to figure out.

Since I'm new I'm forced to use Facebook API v2.10.

When REDIRECT_STATE is set to True, PSA will compose an authentication URL like the following:

https://www.facebook.com/v2.10/dialog/oauth?scope=email&redirect_uri=http%3A%2F%2Fexample.com%2Fcomplete%2Ffacebook%2F%3Fredirect_state%3D1TIlS0FPkTctrPCQhgf2rdO3bawWvwdB&client_id=[client_id]&return_scopes=true&state=1TIlS0FPkTctrPCQhgf2rdO3bawWvwdB

And Facebook will reject such a URL, giving an error message like the following:

Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.

That is, the callback URL configured as the redirect URL doesn't allow redirect_state inside the URL, which renders the authentication URL invalid.

I'm not sure if older versions of the Facebook API allowed this, but this is the case I'm encountering, and when I override the setting REDIRECT_STATE with a custom backend, Facebook allows me in.

Following is the entire code I'm using now with Facebook API v2.10:

from social_core.backends.facebook import FacebookOAuth2

class FacebookOAuth2Override(FacebookOAuth2):
    # Stop PSA from appending ?redirect_state=... to redirect_uri so the
    # redirect URI matches the callback registered in the Facebook app
    REDIRECT_STATE = False

And settings:

SOCIAL_AUTH_FACEBOOK_KEY = 'key'        # placeholder for the app id
SOCIAL_AUTH_FACEBOOK_SECRET = 'secret'  # placeholder for the app secret
SOCIAL_AUTH_FACEBOOK_SCOPE = ['email', 'public_profile']
SOCIAL_AUTH_FACEBOOK_PROFILE_EXTRA_PARAMS = {
    'locale': 'en',
    'fields': 'id,name'
}

Please verify and fix, cheers.

@pszpetkowski
Contributor

+1

@tisdall

tisdall commented Dec 22, 2017

@kevingu1003 - thank you for the fix!

@EralpB

EralpB commented Mar 30, 2020

Pardon me. Can anyone point out the security vulnerabilities of not sending the state parameter? Is this open to CSRF attacks now? I'm thinking about enabling strict mode and REDIRECT_STATE = False vs. keeping strict mode off and sending the state parameter.

There are no resources about this and this page is #1 in the Google results. Can someone provide an explanation or a link to a resource?
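The two points raised in this thread, as an added example that is not part of the original issue and not python-social-auth's own code: the authorization URL quoted above carries the state twice, once embedded in redirect_uri as redirect_state and once as the standard state parameter, so the embedded copy is what trips an exact-match redirect URI check while the separate state parameter is what protects the callback against login CSRF. The function names, the in-memory session dict and the sample client id and callback are assumptions for illustration; the authorize endpoint is the v2.10 one shown in the issue.

```python
"""Added example, not part of the original thread or of python-social-auth.

Models two things: (1) why a redirect_state query string appended to
redirect_uri fails an exact-match redirect URI check, and (2) how the
standard `state` parameter, which the quoted URL sends independently,
lets the callback reject cross-site forged responses.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint quoted in the issue
FB_AUTHORIZE_URL = "https://www.facebook.com/v2.10/dialog/oauth"


def build_authorization_url(client_id, callback_url, scope, state,
                            redirect_state=False):
    """Compose the authorization URL the way the issue describes it.

    With redirect_state=True the state is also embedded in redirect_uri,
    which changes the exact redirect_uri string the provider sees.
    (Assumed helper; parameter names are illustrative.)
    """
    redirect_uri = callback_url
    if redirect_state:
        redirect_uri = callback_url + "?" + urlencode({"redirect_state": state})
    params = {
        "scope": scope,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "return_scopes": "true",
        "state": state,  # sent regardless of the redirect_state setting
    }
    return FB_AUTHORIZE_URL + "?" + urlencode(params)


def provider_accepts_redirect_uri(auth_url, registered_callbacks):
    """Exact-string comparison, as a strict redirect URI check does.

    A query string appended by the client makes the value differ from the
    registered callback, which is the rejection reported in the issue.
    """
    qs = parse_qs(urlparse(auth_url).query)
    redirect_uri = qs["redirect_uri"][0]
    return redirect_uri in registered_callbacks


def new_state():
    """Unguessable per-login value; store it server-side in the user's session."""
    return secrets.token_urlsafe(24)


def verify_callback(session, callback_query):
    """Accept the callback only if its state matches the session's state.

    Returns the authorization code on success and None otherwise. The
    comparison is constant-time and the stored state is consumed so a
    captured callback URL cannot be replayed.
    """
    expected = session.pop("oauth_state", None)
    qs = parse_qs(callback_query)
    received = qs.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected, received):
        return None
    return qs.get("code", [None])[0]


if __name__ == "__main__":
    # Constructed sample values; the callback mirrors the one in the issue
    callback = "http://example.com/complete/facebook/"
    state = new_state()
    session = {"oauth_state": state}
    for embed in (False, True):
        url = build_authorization_url("client_id", callback, "email", state,
                                      redirect_state=embed)
        print("redirect_state embedded:", embed,
              "accepted by strict check:", provider_accepts_redirect_uri(url, {callback}))
    print("callback with matching state:",
          verify_callback(session, "code=AUTHCODE&state=" + state))
```

Run as a script it shows that only the URL without the embedded redirect_state passes the strict check, and that the callback is accepted only when the state round-trips unchanged; a forged or missing state, or a second use of the same state, yields None.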
