I built a website with Ruby on Rails and want to use the facebook login. Using the Ominauth-Facebook gem, I am enable to log in on my computer. But when several friends tested it, they all got the error in Chrome(similar to Safari saying “Refused to display document because display forbidden by X-Frame-Options"):
It's odd because it works well in all browsers in each device of mine(desktop, iphone and laptop). On my rails config, I already set
config.action_dispatch.default_headers[:'X-Frame-Options'] = "ALLOW-FROM https://www.facebook.com"
Anything I probably missed?Thanks!
Update: the errors won't show up again if my friend somehow signed in successfully once. Even when he logout from FB and sign in on my sites. I think that's why it works all good for me
This happens because Facebook doesn't want to users enter their authentication data in iframe on another site. It's done for security purposes. To avoid this you can try add to your link:
:target => "_top"
I got this error on the facebook canvas, In order to stop this occuring i had to remove all of the loginurl parameters, im using the php sdk.
$loginUrl = $facebook->getLoginUrl();
When i try to add scope, redirect_uri it fails with the error seen in the question. I checked everything matches up on the scope to the app settings and still no joy, cannot apply any parameters. However, without the parameters my app is able to authenticate.
Related
I don't think this issue is specific to PyDrive, but rather Google OAuth. However, some of the solutions I've seen on stackoverflow don't seem to be transferable over to my PyDrive application, which is just a python script to upload files programmatically to a shared drive. It worked fine 2 months ago but I tried to rerun it today and it's not working. Here is the error I'm getting:
Authorisation Error
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
You can let the app developer know that this app doesn't comply with one or more Google validation rules.
Request Details
The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.
If you’re the app developer, make sure that these request details comply with Google policies.
redirect_uri: urn:ietf:wg:oauth:2.0:oob
I am using a web application OAuth 2.0 Client ID creds on GCP. All secrets are stored in a local client_secrets.json file.
I run my script, it sends a message to the console that says
Go to the following link in your browser:
https://accounts.google.com/o/oauth2/auth?client_id=blahblahblah.apps.googleusercontent.com&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&access_type=offline&response_type=code
Enter verification code:
How it used to work: After I click the link above, it returns a code I paste into the console and then its authenticated. FYI: I plan on running this 24/7 on a remote server.
Now: I click the link above and get the error I posted above. I've tried to change the redirect uri to 127.0.0.1 and it does allow me to auth, then I get a code in my URL, but once I copy that and paste it into the console, I get more errors.
Anyone know the solution for this?
I am working on a new app and am installing it manually by typing the URL into my web browser. This is properly bringing me to my Shopify store and is displaying the permissions screen as desired; however, when I click the 'Install app' button, I receive a page that says there is an Untrusted Connection. The URL in the browser reads:
https://.myshopify.com.myshopify.com/admin/oauth/authorize?client_id=&scope=read_customers,write_orders&redirect_uri=;
Note that the myshopify.com portion of the URL is repeated twice and the user is not sent to the redirect URI I specified.
What could be going wrong here? How can I fix this issue? Shopify doesn't really offer much in the form of support. Any help would be appreciated.
I figured this out. Shopify's documentation on Oauth is incorrect. Here is the documentation page: https://docs.shopify.com/api/authentication/oauth#asking-for-permission
Shopify says to use the following code when requesting that a user grant permissions to your app:
https://{shop}.myshopify.com/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}
The 'shop' variable is sent to the app from Shopify via a query string. The 'shop' variable includes the '.myshopify.com' portion of the URL. As such, that portion needs to be removed. The new line is:
https://{shop}/admin/oauth/authorize?client_id={api_key}&scope={scopes}&redirect_uri={redirect_uri}
I setup my credentials for using google oauth2 as a method of signing up. Works fine locally, but when I try and signup on the staging site I get a "redirect_uri_mismatch" error. Even after I copy and paste the url its complaining about into the redirect uris section. I am at my wits end and have almost thrown my laptop across the room several times. Help would be appreciated since google support is non-existent.
Double check on the google console. On the cloud console under APIs & Auth -> Credentials, click the Create New Client ID red button. Make one for a web application. You may have to come back and edit it in order to get the redirect/callback uri set up correctly.
Have you tried dropping the port?
http://example.com/users/auth/google_oauth2/callback
I had the same issue using http://localhost:9000 ...
If nothing works and no redirect_uri was provided when initiating the Google client, try using postmessage in the redirect_uri field.
I code rails, and I have to change the Oauth2 redirect uri in the google console, as well as my own code:
In development:
OAUTH2_REDIRECT: http://local.domain:3000/users/auth/google_oauth2/callback
In production:
OAUTH2_REDIRECT: http://example.com:3000/users/auth/google_oauth2/callback
I've learned The Hard Way to make sure these config vars are right everywhere.
I have an app that already successfully uses google oauth, but now I am trying to setup a staging deployment. It is a rails app with devise and omniauth, but I think there might be a problem with how I configured Google.
In the google api admin panel (https://code.google.com/apis/console) I can see the existing app. I created another one with a different callback url (because it is staging). Using Postman (a fancy way to edit the url parameters) I can send a get request to google with the current production client_id and redirect_url and it works fine. When I copy and paste in the new clients (staging's) client_id and redirect_url I always get the error Error: invalid_client.
I'm sure where to start with trying to the figure out the problem, but I've tried a lot of different steps, renaming the urls, changing the client secret, or recreating the client in the admin panel. Any ideas? This error is rather cryptic.
We had a temporary issue with a small set of client ids. The issue should be resolved. If you are still having problems please follow up.
I'm trying to make a Facebook page tab where people can vote for their favorite video or music track from a bunch of embedded files. I need to get a unique ID from each user to make sure that they can only vote once. The signed_request only contains the user's id if they have authorized my app.
I have tried to have users authorize my app using the FB.login() javascript api, but I get the error:
An error occurred with Remix // Rework Vote. Please try later
API Error Code: 191
API Error Description: The specified URL is not owned by the application
Error Message: Invalid redirect_uri: Given URL is not permitted by the application configuration.
As far as I know, I have not set any redirect URL. Do I need to set this somewhere, or is this the not right approach to get a user to authenticate my page tab?
You must specify both "Site URL" (or "Mobile Web URL") and "App Domain" to use OAuth flow...
See where to fill the details on https://developers.facebook.com/docs/authentication/#redirect-uris
So I managed to get this to work by ticking "App on Facebook" in the app settings, and setting the Canvas URL and Secure Canvas URLs to be the same as the Page Tab URL equivalents.
This worked even though this isn't a full app, it's only a page tab, and it won't function as an app unless it's in a container page.
I'm guessing this is a bug in Facebook - the UI implies that you can have a page tab only app. The documentation doesn't say you can't, and I can't think of a good technical reason for it not to condsider a page tab URL as a valid URL.
Thanks to #julio-santos for pointing me at Facebook - Error Message: redirect_uri is not owned by the application, which seems to be the same problem in a slightly different context.