OAuth breaks, but only when users come from HTTP, HTTPS works well


I'm trying to get an auth token for a user using OAuth.

Everything works fine and I'm getting the token wonderfully when the user tries to access the app using HTTPS, meaning from https://apps.facebook.com/APPNAME . However, if the user is coming from HTTP (which most users are), I get a 400 error from Facebook when trying to get:

https://graph.facebook.com/oauth/access_token?code=XXXXXXXX-XXXXXX-XXXXXXXXX&client_secret=YYYYYYYYYYYYYYYYYYYYY&redirect_uri=https://fb.myapp.com/fb_connect/&client_id=ZZZZZZZZ

{
   "error": {
      "message": "Error validating verification code.",
      "type": "OAuthException"
   }
}

Why is this happening?


We have experienced similar issues since Facebook began to require SSL certificates on apps.

  1. OAuth 2.0 works correctly with PHP SDK 3.1.1. If you are using earlier versions, go to GitHub and upgrade.

  2. However, even with 3.1.1, signed requests return NULL from http:// when Facebook users have not enabled secured browsing.

The solution is to 1. use JavaScript to add a redirect at the top of your script, or 2. add an <a href="https://your-app-url"> link somewhere.

  3. There is a major flaw in FB, as all of the FB links in the left-side page menu are http:// when the user has not enabled secured browsing.
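The following is an added example (not code from the question, the answer, or the Facebook PHP SDK) that models the two halves of the authorization-code flow discussed above. It demonstrates the OAuth 2.0 rule that the redirect_uri sent with the token request must exactly match the one used when the code was issued (a scheme difference such as http:// versus https:// is enough to fail the exchange), and the answer's advice to push visitors onto https:// before starting the flow. APP_ID, APP_SECRET, the session dict, the FakeAuthServer stand-in and the dialog URL are constructed for the example; no network requests are made.

```python
"""Added example: OAuth 2.0 authorization-code exchange with a redirect_uri
consistency check and an HTTP-to-HTTPS redirect helper. Names and values
below are constructed for illustration, not taken from any real app."""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

APP_ID = "ZZZZZZZZ"                                  # placeholder client_id
APP_SECRET = "YYYYYYYYYYYYYYYYYYYYY"                 # placeholder client_secret
REDIRECT_URI = "https://fb.myapp.com/fb_connect/"    # redirect_uri as in the question
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"   # assumed dialog URL
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"  # from the question


def force_https(request_url):
    """Return (redirect_target, None) when the request arrived over plain HTTP,
    otherwise (None, request_url). This is the server-side form of the
    answer's advice: send the visitor to the https:// version first."""
    parts = urlsplit(request_url)
    if parts.scheme == "http":
        return urlunsplit(("https",) + tuple(parts[1:])), None
    return None, request_url


def build_authorize_url(session, state):
    """Start the flow and remember the exact redirect_uri that was used,
    so the later token request can send the identical value."""
    session["redirect_uri"] = REDIRECT_URI
    session["state"] = state
    query = urlencode({"client_id": APP_ID, "redirect_uri": REDIRECT_URI,
                       "state": state, "response_type": "code"})
    return AUTHORIZE_ENDPOINT + "?" + query


def build_token_url(session, code):
    """Build the token-exchange URL, reusing the stored redirect_uri rather
    than recomputing it from the current request's scheme."""
    query = urlencode({"code": code, "client_id": APP_ID,
                       "client_secret": APP_SECRET,
                       "redirect_uri": session["redirect_uri"]})
    return TOKEN_ENDPOINT + "?" + query


class FakeAuthServer:
    """In-memory stand-in for the provider: issues one single-use code per
    authorization and only honours a token request whose redirect_uri
    matches the one the code was issued for (RFC 6749, section 4.1.3)."""

    def __init__(self):
        self.codes = {}

    def authorize(self, authorize_url):
        q = parse_qs(urlsplit(authorize_url).query)
        code = "CODE-%d" % (len(self.codes) + 1)
        self.codes[code] = q["redirect_uri"][0]
        return code

    def exchange(self, token_url):
        q = parse_qs(urlsplit(token_url).query)
        code = q["code"][0]
        if self.codes.get(code) != q["redirect_uri"][0]:
            # Same shape as the error body quoted in the question.
            return {"error": {"message": "Error validating verification code.",
                              "type": "OAuthException"}}
        del self.codes[code]  # a code may be redeemed only once
        return {"access_token": "token-for-" + code}


if __name__ == "__main__":
    server = FakeAuthServer()
    # Visitor arriving over HTTP is redirected before the flow starts.
    print(force_https("http://apps.facebook.com/APPNAME"))
    # Consistent redirect_uri: exchange succeeds.
    ok = {}
    code = server.authorize(build_authorize_url(ok, "state-1"))
    print(server.exchange(build_token_url(ok, code)))
    # redirect_uri drifted to http:// between the two requests: exchange fails.
    bad = {}
    code = server.authorize(build_authorize_url(bad, "state-2"))
    bad["redirect_uri"] = "http://fb.myapp.com/fb_connect/"
    print(server.exchange(build_token_url(bad, code)))
```

The second run in the demo reproduces the failure mode worth checking first when an app works over HTTPS but not HTTP: if the redirect_uri is derived from the incoming request's scheme at each step, the value sent with the code differs from the one sent when redeeming it, and the provider rejects the code. Storing the value once and reusing it, together with the HTTPS redirect, keeps the two requests consistent.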