Authenticated Referrals & Server-Side Auth Flow - What is the redirect_uri?

3
votes

From an authenticated referral (such as from a timeline story) to my website, I am trying to use the server-side authentication flow to obtain an access token for the referred user. I need to pass my app secret, the auth code, and the original redirect URI to the Facebook access token endpoint. Since I did not initiate the authentication request, how do I determine the original redirect_uri?

The link from the Facebook timeline looks like:

http://www.facebook.com/connect/uiserver.php?app_id=153644678059870&method=permissions.request&redirect_uri=http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity&response_type=code&display=page&auth_referral=1

So I figure that the redirect URI I need to pass is:

http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity

The URI that the user is ultimately redirected to is:

http://www.wnmlive.com/post/141833948?fb_action_ids=10100708032119787&fb_action_types=wnm-live%3Apost&fb_source=recent_activity&code=AQALK-Mwb_Nwi4z7FWnFaL6tEXvNtVJiRKrgarG9X73sp22TJyk8v2GWKtuXuevJk4hPSRNnuNpEgZXLFdOS_k-pY-mE15DYytIa8Y7VdSw3VL-XYi-CR9BCqRQGq4uBJvSSdZayCp6MWzDMaNqWd5r8OhKVnOhg_yDlvfoLl21N2SMwkJaOfD5mlPnPb5A-Q4A#_=_

Is it safe to assume that I can just chop off everything starting with the "&code=" and use that as the redirect URI?

5
facebookoauth-2.0facebook-oauth

5 Answers

2
votes

According to a Facebook engineer, the redirect_uri is the current URI up until the "&code=". The code will always be the final query string name/value pair. I have also verified that this works.

0
votes

Currently (Aug 23 2012) Facebook is adding parameters after the code= , for instance, http://apps.coincident.tv/newgirltalk/mobile/?ref=bookmarks;code=AQCZmt8n9NyfKNj8Ea9yzeCYCh-m6FcrbFqqnpQRYpfTwsO8DCk5E6CIbYig1I7g5RxDZxNs7pLcQZDdfjdLJy-8IE4BAW56VPNVADTIa9zxsFEVGLTCjfP7tuSNAIeNZdWecI53pQipnt4YpnawoRXDYVVylFZnWoVYdMtVCaOjZ5DUrN9VSByNVkV5ojOoCEY;fb_source=bookmark_favorites;count=0;fb_bmpos=4_0

Deleting everything from code= doesn't yield an access token, nor does carefully deleting just the code=....; section.

This can be recreated by adding a Facebook bookmark pointing to your app, opening www.facebook.com in your mobile device browser, and then going to your app via the bookmark.

0
votes

In addition to what Carl said, I narrowed the issue to be because of specific ref parameter.

If you have referral oauth enabled, I'll be unabled to exchange the code for an access_token with specific ref.

Examples:

Those will not work with referral oauth no matter what redirect_uri you use for generating the access_token. There are probably other ref parameters that doesn't work.

It's very annoying because we can't have mobile web app working with this issue

0
votes

As Carl pointed out, there are additional parameters after code. Unlike Carl, if I strip those off and use the resulting url as the redirect uri, it works.

$redirecturi = $_SERVER['SCRIPT_URI'];
$delimiter = "?";
foreach ($_GET as $key=>$val) {
    if ($key == "code") break;
    $redirecturi .= $delimiter.$key."=".rawurlencode($val);
    $delimiter = "&";
}
// now I can use $redirecturi to exchange the code for a token

http://developsocialapps.com/authenticated-referrals-facebook-apps/

0
votes

I filed a bug on Facebook here : https://developers.facebook.com/bugs/141862359298314

If this still affects your app, please go subscribe.