social-app-django: Can't get Facebook Strict Mode to work

I’ve got the following message in my Facebook Dev console: [screenshot: screen shot 2018-01-15 at 23 31 51]

According to the information here https://developers.facebook.com/docs/facebook-login/security/#strict_mode strict mode is based on the exact redirect URL match. Unfortunately, I don’t think social-app-django uses this approach by default, because I can see several dynamic parameters in redirect URLs when I’m signing in with FacebookOAuth2 backend. Is anybody else experiencing the same problem?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 18

Most upvoted comments

Facebook wrote in the documentation:

For apps with dynamic redirect URIs, use the state parameter to pass back the dynamic information to a limited number of redirect URIs. Then add each of the limited redirect URIs to the Valid OAuth redirect URIs list. https://developers.facebook.com/docs/facebook-login/security/#strict_mode

In class FacebookOAuth2(BaseOAuth2) (version 1.5) the REDIRECT_STATE attribute is unset, so it is overridden as True, which causes a redirect_state parameter in the Facebook complete URL.

1.7 is updated and now the parameter is set by default: REDIRECT_STATE = False

Actually, it’s required to have a feature to rename this attribute in settings, like: SOCIAL_AUTH_FACEBOOK_REDIRECT_STATE_FIELD = 'state'

In my case allowed url was https://<domain>/complete/facebook/ without additional parameters

Overall, you can implement a custom FacebookOAuth2 with only REDIRECT_STATE = False, as @merutak mentioned (for old versions).

Or update to the latest version. Other possible errors: missing web server HTTPS config + Django configuration; in this case the redirect URL will be composed with http, which will not pass the check.

nginx proxy_set_header X-Forwarded-Protocol $scheme;

django settings SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
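The strict-mode behaviour discussed above (exact redirect URI match, dynamic data carried in state rather than in redirect_uri, and the http/https scheme behind a proxy), as an added example that is not code from social-app-django or from anyone in this thread. It models the check offline with hypothetical helper names, a constructed allow-list of https://example.com/complete/facebook/ and a placeholder client id; nothing here calls Facebook.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

FB_DIALOG = "https://www.facebook.com/v2.11/dialog/oauth"
# Constructed allow-list, as you would register it under "Valid OAuth redirect URIs".
VALID_REDIRECT_URIS = {"https://example.com/complete/facebook/"}


def complete_url(host, path, forwarded_proto=None):
    """Absolute callback URL as a Django app behind a reverse proxy would build it.
    With no trusted X-Forwarded-Proto (forwarded_proto=None) the scheme stays http,
    which is the missing SECURE_PROXY_SSL_HEADER failure mode: the string no longer matches."""
    scheme = "https" if forwarded_proto == "https" else "http"
    return f"{scheme}://{host}{path}"


def redirect_uri(base, state, redirect_state):
    """REDIRECT_STATE = True appends ?redirect_state=<token>, making the URI dynamic;
    REDIRECT_STATE = False sends the static callback URL."""
    return base + ("?" + urlencode({"redirect_state": state}) if redirect_state else "")


def authorize_url(client_id, redirect, state, scope="email"):
    """Dialog URL; urlencode percent-encodes redirect_uri so its own '?' and '&'
    are not parsed as separate dialog parameters."""
    query = {"scope": scope, "state": state, "redirect_uri": redirect,
             "client_id": client_id, "return_scopes": "true"}
    return FB_DIALOG + "?" + urlencode(query)


def strict_mode_allows(dialog_url, allowed=VALID_REDIRECT_URIS):
    """Strict mode: the decoded redirect_uri must equal an allowed entry exactly
    (no prefix match, no ignored query string)."""
    sent = parse_qs(urlsplit(dialog_url).query).get("redirect_uri", [""])[0]
    return sent in allowed


def make_state(csrf_token, next_url):
    """Dynamic per-login data (e.g. the post-login target) goes into state."""
    return urlencode({"csrf": csrf_token, "next": next_url})


def read_state(state, expected_csrf):
    """On the callback, verify the CSRF half of state before using the rest."""
    fields = parse_qs(state)
    if fields.get("csrf", [None])[0] != expected_csrf:
        return None
    return fields.get("next", ["/"])[0]
```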

Here is how I set up Facebook auth in my settings file:

AUTHENTICATION_BACKENDS = (
    ...
    'social_core.backends.facebook.FacebookOAuth2',
    ...
)

SOCIAL_AUTH_FACEBOOK_KEY = '<key>'
SOCIAL_AUTH_FACEBOOK_SECRET = '<secret>'
SOCIAL_AUTH_FACEBOOK_SCOPE = ['email']
SOCIAL_AUTH_FACEBOOK_PROFILE_EXTRA_PARAMS = {
    'fields': 'id,name,email',
}
SOCIAL_AUTH_FACEBOOK_API_VERSION = '2.11'

SOCIAL_AUTH_LOGIN_REDIRECT_URL = '/'
SOCIAL_AUTH_LOGIN_ERROR_URL = '/'
SOCIAL_AUTH_BACKEND_ERROR_URL = '/'
Facebook login URL: https://<domain>/login/facebook/?next=/
which redirects you to https://www.facebook.com/v2.11/dialog/oauth?scope=email&state=<state>&redirect_uri=https://<domain>/complete/facebook/&client_id=<client_id>&return_scopes=true
which redirects you to https://<domain>/complete/facebook/?granted_scopes=email%2Cpublic_profile&denied_scopes&code=<code>&state=<state>

Valid OAuth redirect uri in Facebook dev console app settings:

https://<domain>/complete/facebook/&client_id=<client_id>&return_scopes=true

The URL in Facebook dev console must match redirect_uri parameter of the https://www.facebook.com/v2.11/dialog/oauth... URL.

I didn’t want to upgrade python-social-auth. The only change I made eventually was this:

diff --git a/social/backends/facebook.py b/social/backends/facebook.py
index f76b502..1f764cd 100644
--- a/social/backends/facebook.py
+++ b/social/backends/facebook.py
@@ -28,6 +28,7 @@ class FacebookOAuth2(BaseOAuth2):
         ('id', 'id'),
         ('expires', 'expires')
     ]
+    REDIRECT_STATE = False
 
     def get_user_details(self, response):
         """Return user details from Facebook account"""
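Review bot: the added REDIRECT_STATE = False line in this hunk carries no comment explaining why it is needed; a one-line note that Facebook strict mode rejects any extra query parameter on the redirect URI (the redirect_state parameter this attribute controls) would save the next reader a trip to this thread. Since the change edits the installed package file social/backends/facebook.py, it will also be lost on the next upgrade; the same override on a project-level subclass of FacebookOAuth2, as suggested earlier in the thread, survives upgrades.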

@IreliaCommitsU client_id is coming from your Facebook API client settings. I don’t think there can be many of them.

Hi, I know this issue is closed but I didn’t understand the solution. So I just need to add this redirect URI to the Facebook dev console app? https://<domain>/complete/facebook/&client_id=<client_id>&return_scopes=true

What do I set for <client_id> if there are many and I can’t know them all?

@rzinurov thank you, that helped me too. I was using an old version as well, which became evident when comparing your redirect_url scheme to mine.

@rzinurov Could you please be more specific? Our redirect URIs generated by social auth only contain the redirect_state parameter in the query. We haven’t found a way to set up our application on Facebook to pass the strict mode. Adding the client_id and return_scopes parameters doesn’t seem to help.