-
Notifications
You must be signed in to change notification settings - Fork 64
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot authenticate with client-initiated flow, fb signed request cookie is not read by ueberauth #41
Comments
I tried to pre-pend a Plug that would extract the code from the cookie and redirect to /auth/facebook/callback?code=<extracted_code>.
However this still fails because the jssdk iniated flow does not specify a redirect_uri and there is a mismatch:
Omniauth handles this by setting the request_uri to ''. There is also the question of the state params. |
Hello,
While navigating to /auth/facebook works fine, I cannot make a client side flow work properly.
The reason for preferring a client side flow is to authorize FB in a popup so that the user never leaves our site.
I have initialized the FB JS app with the app id and cookie set to true.
However in my case the failure callback is getting called on my auth controller because ueberath cannot find the code.
Line of code in current project
The issue is that ueberauth_facebook does not read the code from the fb signed request cookie in case it cannot find it in the params.
Omniauth extracts the authorization code from the cookie like this:
omniauth code that extracts code either from params or cookie
omniauth cookie parsing logic
The cookie value is Base64 encoded and signed with HMAC-SHA256.
Could this be done here as well to support the client-initiated flow?
Omniauth client side flow documentation
Thanks in advance,
Mark
The text was updated successfully, but these errors were encountered: