By Eric Schreiner | Posted on February 15, 2018
What are Facebook's new security requirements?
There are two new requirements you need to be concerned about:
Beginning in March 2018, all OAuth apps will need to have a Valid OAuth redirect URIs list, and redirects will only be accepted for URIs that are explicitly included on that list. For example, if https://greg-stemp.rpxnow.com/facebook/callback is the only URI on the list then redirects to https://greg-stemp.rpxnow.com/facebook/callback/tokens or https://greg-stemp.rpxnow.com/facebook/callback/redirects will no longer be allowed. If your app references a URI that is not on the approved list, login will fail:
How to verify compliance with Facebook's new security requirements
To verify whether or not your Facebook app is compliant with the new security requirements, complete the following procedure:
1. Log on to the Facebook for Developers center
2. From the Facebook for Developers home page, click My Apps and then click the name of the app you use for social logins:
3. From the Dashboard for your app, click Facebook Login:
4. Verify that your Facebook redirect URI (or URIs) is listed in the Valid OAuth redirect URIs list and that Use Strict Mode for URIs is set to Yes:
If both of these criteria are true, then you should have nothing to worry about. However, if the Valid OAuth redirect URIs list is blank and you see the following warning notices about OAuth redirect URIs, then you have more work to do.
Updating your app to comply with Facebook's new security parameters
To update your app, and to bring it into compliance with strict URI matching, complete the following procedure:
1. Log in to the Facebook for Developers center, and proceed to My Apps / Facebook Login (steps 1-3 above).
2. In the Valid OAuth redirect URIs field, type the redirect URI for your website and then press ENTER:
Your redirect URI will typically have the format https://engage-app-name.rpxnow.com/facebook/callback. For example, if your Engage app has the name my-test-app, your redirect URI would be https://my-test-app.rpxnow.com/facebook/callback. If you have questions about your redirect URI, contact your Janrain representative - we're happy to help!
If you have more than one redirect URI, type each URI in the Valid OAuth redirect URIs field. You can enter additional URIs by clicking in the Valid OAuth redirect URIs field, typing a URI, and then pressing ENTER. URIs can be removed from the list by clicking the X at the end of the URI:
3. After you have entered your redirect URIs, click Use Strict Mode for Redirect URIs.
4. Click Save Changes.
Checking your work
After making these changes, you can validate a redirect URI by completing the following procedure:
1. From the Client OAuth Settings page, type the redirect URI into the Redirect URI to Check field.
2. Click Check URI. If the redirect URI works, you’ll see a message similar to this:
Note that this test does not verify that this is the correct redirect URI for your domain; it simply verifies that the URI appears in the list of OAuth redirect URIs. To verify that this is the correct redirect URI for your site, try logging on to the site by using a Facebook account.
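To make the difference between the old and the new behaviour concrete, here is an added example (not Facebook's or Janrain's code) that puts the lenient prefix rule beside exact strict matching and adds a small diagnostic, in the spirit of the Check URI tool, that reports which component of a rejected URI differs from the closest allow-listed entry. The allow-list is constructed from the callback URI used in the post; the function names are my own.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the single callback URI used as the example in the post.
VALID_OAUTH_REDIRECT_URIS = frozenset({
    "https://greg-stemp.rpxnow.com/facebook/callback",
})


def _common_prefix(a, b):
    """Length of the longest common prefix of two strings."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n


def prefix_match(redirect_uri, allowlist=VALID_OAUTH_REDIRECT_URIS):
    """Lenient rule: accept any redirect_uri that merely starts with an entry.
    This is the behaviour strict mode removes: .../callback/tokens passes."""
    return any(redirect_uri.startswith(allowed) for allowed in allowlist)


def strict_match(redirect_uri, allowlist=VALID_OAUTH_REDIRECT_URIS):
    """Strict rule: the redirect_uri must equal an allow-listed entry exactly.
    Extra path segments, a query string, a fragment, another scheme or
    another host all fail."""
    return redirect_uri in allowlist


def diagnose(redirect_uri, allowlist=VALID_OAUTH_REDIRECT_URIS):
    """Return 'ok' for an accepted URI, otherwise name the first URI component
    that differs from the closest allow-listed entry (longest common prefix)."""
    if strict_match(redirect_uri, allowlist):
        return "ok"
    if not allowlist:
        return "allow-list is empty"
    closest = max(allowlist, key=lambda a: _common_prefix(a, redirect_uri))
    got, want = urlsplit(redirect_uri), urlsplit(closest)
    for field in ("scheme", "netloc", "path", "query", "fragment"):
        if getattr(got, field) != getattr(want, field):
            return f"{field} mismatch: got {getattr(got, field)!r}, expected {getattr(want, field)!r}"
    return "not on list"  # differs only in a way urlsplit normalises away, e.g. a trailing '#'


if __name__ == "__main__":
    base = "https://greg-stemp.rpxnow.com/facebook/callback"
    for candidate in (base, base + "/tokens", base + "/redirects",
                      base + "?next=x", "http://greg-stemp.rpxnow.com/facebook/callback"):
        print(f"{candidate:62} prefix={prefix_match(candidate)!s:5} strict={strict_match(candidate)!s:5} {diagnose(candidate)}")
```

Running it shows every variant of the listed URI accepted by the prefix rule and rejected by the strict one, which is exactly what the dashboard warning is about.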
For more information, see the Facebook for Developers article Enhanced Security for Facebook Login with Strict URI Matching.