2
votes

I have an application which integrates with Facebook via OAuth2 using Devise/Warden/OmniAuth. Everything works fine and I am happy with it.

Now I'm trying to integrate the app with the new Facebook App Center, which basically seems to resolve into getting the user pre-authenticated before he gets to my site.

Basically, the user ends on a url like

/?fb_appcenter=1&code=xxxxxx

but Devise's OmniAuth controller is waiting on a different URL, namely

/users/auth/facebook/callback

I tried to perform a simple redirect carrying over the code query parameter to the callback URL, but I get an "invalid credentials" error.

I believe the issue may be that the redirect_uri used in the call to get an access_token within the OAuth2 Facebook strategy does not correspond to the one used by Facebook itself to generate the initial code, but I have no idea how I am supposed to change that.

Does anyone have suggestions, or has anyone solved this in the past?

For what it's worth, I'm using an old version of Devise (1.4) and OmniAuth (0.3), but a hint of what the general direction should be, even if with newer versions, would be good enough.


2 Answers

0
votes

When exchanging the code for a token, where the code was created in an authenticated referral, the redirect_uri value needs to be the same URL the user was brought to. There's a note to this effect on the App Center documentation:

A special consideration when using the Query String setting:

If you would like to use the server-side authentication flow with App Center it is important to make sure you are passing the redirect_uri parameter correctly when exchanging your code for an access token. You should set your redirect_uri parameter to the click-through URL to your site. In most cases the URL will look something like:

http://www.example.com/?fb_appcenter=1&fb_source=search&code=CODE_HERE thus you should set your redirect_uri to the same value. Please make sure that this logic is dynamic as the query parameters appended to your click-through URL may be subject to change.

0
votes

Well, it turns out this is impossible with old versions of OmniAuth, since redirect_uri is hardcoded, but a reasonable trick is to just redirect the user to the standard auth callback (e.g. /auth/facebook/callback).

This will authenticate the user again, but since he already gave you credentials it will just get through.

The alternative, and what I ended up doing, is to just get the code from OmniAuth's Facebook strategy and reimplement a bit of the OAuth2 functionality, basically exchanging the code for an access token, in the landing page you are using.
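
The two points made above, that the token exchange must send the same redirect_uri Facebook used to generate the code (first answer) and that with old OmniAuth the practical route is to do that exchange yourself in the landing page (second answer), are shown together in the following added example. It is not code from either answer, from Devise or from OmniAuth. Assumptions it makes: the Graph API token endpoint at https://graph.facebook.com/oauth/access_token is called with a GET carrying the parameters in the query string, as it was at the time; the `code` parameter is stripped when rebuilding the click-through URL, on the assumption that Facebook appended it after the redirect (if the exchange still fails with a redirect_uri mismatch, try passing the received URL unchanged); `client_id`, `client_secret` and `landing_url` are placeholders for your own values; the sample response bodies are constructed, not captured from Facebook.

```ruby
require 'uri'
require 'cgi'
require 'net/http'
require 'json'

# Assumed endpoint: the Graph API OAuth token endpoint, queried with GET.
FB_TOKEN_ENDPOINT = URI('https://graph.facebook.com/oauth/access_token')

# Rebuild the click-through URL the user actually arrived on, so that the
# redirect_uri sent in the token exchange matches what Facebook bound the
# code to. Every query parameter is kept dynamically (Facebook may change
# them); only `code` is removed, on the assumption that it was appended
# after the redirect.
def click_through_redirect_uri(request_url)
  uri = URI(request_url)
  params = CGI.parse(uri.query.to_s) # name => [values], order preserved
  params.delete('code')
  pairs = params.flat_map { |name, values| values.map { |v| [name, v] } }
  uri.query = pairs.empty? ? nil : URI.encode_www_form(pairs)
  uri.to_s
end

# Parameters of the code-for-token exchange. The app secret is only ever
# sent server to server; the code alone proves nothing to your app.
def token_request_params(code:, redirect_uri:, client_id:, client_secret:)
  {
    'client_id' => client_id,
    'client_secret' => client_secret,
    'redirect_uri' => redirect_uri,
    'code' => code
  }
end

# Facebook answered form-encoded (access_token=...&expires=...) at the time
# and answers JSON in newer Graph API versions; accept both, and turn an
# error body into an exception instead of a nil token.
def parse_token_response(body)
  if body.lstrip.start_with?('{')
    data = JSON.parse(body)
    raise "token exchange failed: #{data['error']['message']}" if data['error']
    { access_token: data.fetch('access_token'), expires_in: data['expires_in'] }
  else
    data = URI.decode_www_form(body).to_h
    raise "token exchange failed: #{body}" unless data['access_token']
    { access_token: data['access_token'],
      expires_in: data['expires'] && data['expires'].to_i }
  end
end

# Full exchange: the landing page hands in its own request URL, the code it
# received, and the app credentials. `http` is injectable so the exchange
# can be exercised without network access.
def exchange_app_center_code(request_url:, code:, client_id:, client_secret:,
                             http: Net::HTTP)
  redirect_uri = click_through_redirect_uri(request_url)
  uri = FB_TOKEN_ENDPOINT.dup
  uri.query = URI.encode_www_form(
    token_request_params(code: code, redirect_uri: redirect_uri,
                         client_id: client_id, client_secret: client_secret)
  )
  parse_token_response(http.get_response(uri).body)
end

# Offline demonstration with a constructed landing URL and a fake HTTP
# client that returns a constructed form-encoded body.
class FakeHttp
  def self.get_response(uri)
    # Echo back what a matching redirect_uri would have produced.
    Struct.new(:body).new('access_token=CONSTRUCTED_TOKEN&expires=5183999')
  end
end

if $PROGRAM_NAME == __FILE__
  landing_url = 'http://www.example.com/?fb_appcenter=1&fb_source=search&code=CODE_HERE'
  puts click_through_redirect_uri(landing_url)
  puts exchange_app_center_code(request_url: landing_url, code: 'CODE_HERE',
                                client_id: 'APP_ID', client_secret: 'APP_SECRET',
                                http: FakeHttp).inspect
end
```

In a Rails landing action you would pass `request.original_url` as `request_url` and `params[:code]` as `code`, then hand the returned token to whatever your Devise user lookup already does after the normal OmniAuth callback. The point of doing the exchange at all, rather than trusting the incoming code, is that only a successful server-to-server exchange with your app secret proves the code was issued to your app for that exact redirect_uri.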