Authenticated Referrals and Server-Side Auth Flow - What is redirect_uri?
From an authenticated referral (like from a timeline story) to my site, I am trying to use the server-side authentication flow to get an access token for a specified user. I need to pass my app secret, auth code and original redirect URI to the Facebook endpoint. Since I have not initiated the authentication request, how do I determine the original redirect_uri?
The Facebook timeline link looks like this:
http://www.facebook.com/connect/uiserver.php?app_id=153644678059870&method=permissions.request&redirect_uri=http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity&response_type=code&display=page&auth_referral=1
So, I believe the redirect URI that I need to pass is:
http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity
The URI that the user is ultimately redirected to is:
http://www.wnmlive.com/post/141833948?fb_action_ids=10100708032119787&fb_action_types=wnm-live%3Apost&fb_source=recent_activity&code=AQALK-Mwb_Nwi4z7FWnFaL6tEXvNtVJiRKrgarG9X73sp22TJyk8v2GWKtuXuevJk4hPSRNnuNpEgZXLFdOS_k-pY-mE15DYytIa8Y7VdSw3VL-XYi-CR9BCqRQGq4uBJvSSdZayCp6MWzDMaNqWd5r8OhKVnOhg_yDlvfoLl21N2SMwkJaOfD5mlPnPb5A-Q4A#_=_
Is it safe to assume that I can just chop off everything starting with "&code=" and use that as the redirect URI?
According to a Facebook engineer, redirect_uri is the current URI before "&code=". The code will always be the final name/value string of the query string. I have also confirmed that this works.
Currently (August 23, 2012) Facebook adds parameters after code=, for example: http://apps.coincident.tv/newgirltalk/mobile/?ref=bookmarks;code=AQCZmt8n9NyfKNj8Ea9yzeCYCh-m6FcrbFqqnpQRYpfTwsO8DCk5E6CIbYig1I7g5RxDZxNs7pLcQZDdfjdLJy-8IE4BAW56VPNVADTIa9zxsFEVGLTCjfP7tuSNAIeNZdWecI53pQipnt4YpnawoRXDYVVylFZnWoVYdMtVCaOjZ5DUrN9VSByNVkV5ojOoCEY;fb_source=bookmark_favorites;count=0;fb_bmpos=4_0
Removing everything from code= onward does not give an access token, and neither does removing only the code=....; section.
This can be recreated by adding a Facebook bookmark pointing to your app, opening www.facebook.com in your mobile device browser, and then navigating to your app via the bookmark.
In addition to what Karl said, I have narrowed the issue down to specific ref parameters.
If you have an OAuth-enabled referral, you will not be able to exchange a code for an access_token in a specific number of cases.
Examples:
- http://m.facebook.com/apps/App_name/?ref=bookmarks
- http://m.facebook.com/apps/app_name/?ref=m_notif
Those will not work with a referral, no matter which redirect_uri you use to create the access_token. There are probably other ref parameters that do not work either.
This is very annoying because we do not have a working mobile web application with this problem.
As Karl noted, additional parameters appear after the code. Unlike Karl, if I remove them and use the resulting URL as the redirect_uri, it works.
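// Rebuild the URL that was used as redirect_uri from the current request.
$redirecturi = $_SERVER['SCRIPT_URI'];
$delimiter = "?";
foreach ($_GET as $key => $val) {
    // Stop at "code"; strict comparison so a numeric key never matches it.
    if ($key === "code") break;
    $redirecturi .= $delimiter . $key . "=" . rawurlencode($val);
    $delimiter = "&";
}
// now I can use $redirecturi to exchange the code for a token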
http://developsocialapps.com/authenticated-referrals-facebook-apps/
I filed a bug on Facebook here: https://developers.facebook.com/bugs/141862359298314
If this still affects your application, follow the link.
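An added example, not code from any of the answers above: it builds both redirect_uri candidates discussed in the thread (everything before code, and the URL with only the code pair removed) from the raw callback URL, so the remaining parameters keep their original percent-encoding instead of being decoded and re-encoded through $_GET. The function name, the sample URL and the assumption that pairs are separated by "&" are illustrative.

```php
<?php
// Added example: derive redirect_uri candidates from the raw callback URL.
// redirect_uri_candidates() is a hypothetical helper, not a Facebook SDK call.

/**
 * Returns two candidates:
 *   'truncated' - the URL with everything from the code parameter onward removed
 *   'code_only' - the URL with only the code pair removed
 * Pairs are copied byte for byte, so their encoding is unchanged.
 */
function redirect_uri_candidates(string $callbackUrl): array
{
    // A fragment such as "#_=_" is not part of the redirect_uri.
    $url = explode('#', $callbackUrl, 2)[0];
    $parts = explode('?', $url, 2);
    $base = $parts[0];
    if (!isset($parts[1]) || $parts[1] === '') {
        return ['truncated' => $base, 'code_only' => $base];
    }

    $before = [];      // pairs seen before "code"
    $without = [];     // all pairs except "code"
    $seenCode = false;
    foreach (explode('&', $parts[1]) as $pair) {
        $name = explode('=', $pair, 2)[0];
        if ($name === 'code') {
            $seenCode = true;
            continue;
        }
        if (!$seenCode) {
            $before[] = $pair;
        }
        $without[] = $pair;
    }

    $join = function (array $pairs) use ($base) {
        return $pairs ? $base . '?' . implode('&', $pairs) : $base;
    };
    return ['truncated' => $join($before), 'code_only' => $join($without)];
}

// Constructed sample URL; the code value is a placeholder, not a real auth code.
$sample = 'http://www.example.com/post/1?fb_action_types=wnm-live%3Apost'
        . '&fb_source=recent_activity&code=PLACEHOLDER&count=0#_=_';
foreach (redirect_uri_candidates($sample) as $label => $uri) {
    echo $label, ': ', $uri, "\n";
}
```

In a live request the raw URL would come from the scheme, host and $_SERVER['REQUEST_URI'], and each candidate can be tried in turn in the token exchange.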