Facebook requiring https on oauth callback

[ryan-wong]

This is facebook statement:

Earlier this year, we announced that we are requiring Facebook Login redirects to use HTTPS, and all Facebook JavaScript SDK calls that return or require an access token to occur only from HTTPS pages. HTTPS helps keep transmitted information private and helps protect the security of people using your site and Facebook Login. Additionally, “Enforce HTTPS” has been a requirement for Facebook Login for new apps created since March 2018. | Earlier this year, we announced that we are requiring Facebook Login redirects to use HTTPS, and all Facebook JavaScript SDK calls that return or require an access token to occur only from HTTPS pages. HTTPS helps keep transmitted information private and helps protect the security of people using your site and Facebook Login. Additionally, “Enforce HTTPS” has been a requirement for Facebook Login for new apps created since March 2018.

Earlier this year, we announced that we are requiring Facebook Login redirects to use HTTPS, and all Facebook JavaScript SDK calls that return or require an access token to occur only from HTTPS pages. HTTPS helps keep transmitted information private and helps protect the security of people using your site and Facebook Login. Additionally, “Enforce HTTPS” has been a requirement for Facebook Login for new apps created since March 2018.

So what can we change in library to accommodate for this? I can't add an SSL certificate since its a hybrid app not website.

[z--z---z-----]

I have analyzed the function oauthFacebook(clientId, appScope, options) in oauth.facebook.js and got to the conclusion that just passing {redirect_uri: "https://localhost/callback"} in the options paramenter should make the call work (note the https). And it did. I am not sure if there is an side effect I can't see here, but this is how I got to the conclusion:

1) The library builds an address like this (note I have hidden the client id, adding XxXx...): https://www.facebook.com/v2.6/dialog/oauth?client_id=XxXxXxXxXxXx&redirect_uri=https://localhost/callback&response_type=token&scope=email,public_profile,user_friends

2) Facebook is rejecting the call if redirect_uri is not https, but now I have added an https address.

3) Facebook process our request and will redirect to the address we specified with some parameters as response. Here is one response(note token is hidden:ToToTo): https://localhost/callback#access_token=ToToToTo&expires_in=6542&reauthorize_required_in=7776000&data_access_expiration_time=1549480258

4) Looking into the library code: browserRef.addEventListener('loadstart', function(event) { if((event.url).indexOf(redirect_uri) === 0) { browserRef.removeEventListener("exit",function(event){}); browserRef.close(); var callbackResponse = (event.url).split("#")[1]; var responseParameters = (callbackResponse).split("&"); var parameterMap = []; for(var i = 0; i < responseParameters.length; i++) { parameterMap[responseParameters[i].split("=")[0]] = responseParameters[i].split("=")[1]; } It will just process the url that Facebook redirected us to and will pick up the response data. So it doesn't matter what the redirect_uri is, the page never opens, but the url gets processed.

There is a "requirement" in the library documentation that tells the redirect uri must be http://localhost/callback, which I don't understand, it does not appear to be a must.

[alexislg2]

Thank you. I solved the HTTPS issue by calling the facebook login like that:

return $cordovaOauth.facebook(
    settings.FACEBOOK_ID,
    ['email',],
    {
        redirect_uri:'https://localhost/callback'
    },
).then(onSuccess, onError);

I don't understand why this is not the default behavior. Why are we only the 2 of us to be concerned by this issue?

[prafull-agarwal]

Adding <allow-navigation href="http://localhost:8080/*"/> in config.xml works for me.

[ciekawy]

I think not much can be done really here - for the latest ionic 4 what works for me is: ionic serve --ssl --cordova --platform browser