jaliss / securesocial

A module that provides OAuth, OAuth2 and OpenID authentication for Play Framework applications
http://www.securesocial.ws
Apache License 2.0

Facebook oauth token format change causes error (suspected) #604

Closed pedalpete closed 7 years ago

pedalpete commented 7 years ago

It appears as though FB logins updated the oauth token format

https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749. https://developers.facebook.com/docs/apps/changelog#v2_3

This has broken the (very old) version of securesocial we're running, 2.1.4.

I'm new to Scala, having recently taken over this project, and am at a pretty big loss as to what I can do to get logins working again.

Any suggestions?

The error I'm getting locally is (I think this is the issue)...

```
[error] application - Unable to log user in. An exception was thrown
securesocial.core.AuthenticationException: null
    at securesocial.core.OAuth2Provider.doAuth(OAuth2Provider.scala:117) ~[securesocial_2.10-2.1.4.jar:2.1.4]
    at securesocial.core.IdentityProvider.authenticate(IdentityProvider.scala:75) ~[securesocial_2.10-2.1.4.jar:2.1.4]
    at securesocial.controllers.ProviderController$$anonfun$handleAuth$1.apply(ProviderController.scala:92) [securesocial_2.10-2.1.4.jar:2.1.4]
    at securesocial.controllers.ProviderController$$anonfun$handleAuth$1.apply(ProviderController.scala:88) [securesocial_2.10-2.1.4.jar:2.1.4]
    at play.api.mvc.ActionBuilder$$anonfun$apply$10.apply(Action.scala:221) [play_2.10-2.2.4.jar:2.2.4]
    at play.api.mvc.ActionBuilder$$anonfun$apply$10.apply(Action.scala:220) [play_2.10-2.2.4.jar:2.2.4]
```

The user class has:

```scala
  authMethod: securesocial.core.AuthenticationMethod = securesocial.core.AuthenticationMethod(""),
  identityId: securesocial.core.IdentityId = securesocial.core.IdentityId("", ""),
  oAuth1Info: Option[securesocial.core.OAuth1Info] = None,
  oAuth2Info: Option[securesocial.core.OAuth2Info] = None,
  passwordInfo: Option[securesocial.core.PasswordInfo] = None,
  notifications: List[Notification] = Nil
  ) extends securesocial.core.Identity {
  def isAdmin: Boolean = is_admin == 1 || id == 500
  def getAvatarUrl(sz: Int = 80): String = s"https://www.gravatar.com/avatar/${Codecs.md5(email.getOrElse("").getBytes)}.png?d=${shared.controllers.RemoteAssets.getUrl("images/avatar-default.png")}&s="+sz
}
```

jaliss commented 7 years ago

@pedalpete I just fixed this in master and released a new milestone with the fix. Since you are using 2.1.4 I suggest you create a new Facebook provider that does not override buildInfo and register that instead of the built-in one.

The code in OAuth2Provider parses the JSON as expected, but we had custom logic for Facebook because they were not following the spec.
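A sketch of the workaround jaliss describes for a 2.1.x installation, written here as an added example and not code from the securesocial project: a Facebook provider that keeps the built-in class's profile lookup but parses the token response as the JSON body described in the Facebook changelog quoted above. It assumes the securesocial 2.1.x shapes (`FacebookProvider(application: Application)` extending `OAuth2Provider`, a `protected def buildInfo(response: Response): OAuth2Info` hook, `OAuth2Info(accessToken, tokenType, expiresIn, refreshToken)`, and provider registration through `conf/play.plugins`); the class name `JsonFacebookProvider` and the package are ours.

```scala
// Added example, not part of securesocial. Assumes the 2.1.x API described in the lead-in.
package controllers.auth

import play.api.Application
import play.api.libs.json.JsValue
import play.api.libs.ws.Response
import securesocial.core.{ AuthenticationException, OAuth2Info }
import securesocial.core.providers.FacebookProvider

/**
 * Facebook provider for the v2.3+ token endpoint, which returns
 *   {"access_token": "...", "token_type": "bearer", "expires_in": 5184000}
 * instead of the form-encoded "access_token=...&expires=..." that the
 * 2.1.x FacebookProvider.buildInfo was written to split on.
 *
 * Everything else (authorization redirect, code exchange, the Graph API
 * /me lookup in fillProfile) is inherited unchanged from FacebookProvider.
 */
class JsonFacebookProvider(application: Application) extends FacebookProvider(application) {

  // Replace only the token-response parser; Play's WS Response exposes the body as JSON.
  override protected def buildInfo(response: Response): OAuth2Info =
    JsonFacebookProvider.parseTokenResponse(response.json)
}

object JsonFacebookProvider {

  /**
   * Parse an RFC 6749 section 5.1 token response.
   * Fail closed: a body without a non-empty access_token raises
   * AuthenticationException, which OAuth2Provider.doAuth already treats
   * as a failed login, rather than producing a half-filled OAuth2Info.
   */
  def parseTokenResponse(json: JsValue): OAuth2Info = {
    val accessToken = (json \ "access_token").asOpt[String]
      .filter(_.trim.nonEmpty)
      .getOrElse(throw new AuthenticationException())

    // expires_in is numeric per the RFC; tolerate a quoted number as well.
    val expiresIn = (json \ "expires_in").asOpt[Int]
      .orElse((json \ "expires_in").asOpt[String].flatMap(s => scala.util.Try(s.trim.toInt).toOption))

    OAuth2Info(
      accessToken = accessToken,
      tokenType = (json \ "token_type").asOpt[String],
      expiresIn = expiresIn,
      refreshToken = (json \ "refresh_token").asOpt[String]
    )
  }
}
```

To use it, swap the built-in provider line in `conf/play.plugins` for this class (the priority number shown is the one securesocial's sample config uses and is assumed here), e.g. `1500:controllers.auth.JsonFacebookProvider` in place of `1500:securesocial.core.providers.FacebookProvider`, and make sure the provider's configured access token URL points at the versioned endpoint from the changelog, since only that endpoint returns JSON.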

pedalpete commented 7 years ago

Thanks for that jaliss, I appreciate the speedy response. I've got this working now.

jaliss commented 7 years ago

You're welcome @pedalpete