If you use Facebook social login for your site, you need to be aware of changes to Facebook’s security model that will take place in March 2018. If your Facebook app does not meet the new security requirements, users will no longer be able to log on to your site by using their Facebook accounts.
What are Facebook's new security requirements?
There are two new requirements you need to be concerned about:
- “Strict URI matching” will now be required for all redirect URIs. Facebook has always recommended that every redirect URI used by a Facebook app appear in the app’s Valid OAuth redirect URIs list. Until now, however, Facebook has allowed apps with an empty list to accept redirects to any URI on the app’s domain.
- “Prefix matching” will no longer be allowed. With prefix matching, any URI that began with an entry on the Valid OAuth redirect URIs list was accepted. For example, if https://my-test-app.rpxnow.com/facebook/callback was on the list, Facebook would also accept redirects to https://my-test-app.rpxnow.com/facebook/callback/tokens or https://my-test-app.rpxnow.com/facebook/callback/redirects.
[RELATED: For more information on OAuth and Facebook logins, see our Create, Issue, and Validate OAuth 2.0 Tokens with Akamai API Gateway blog post.]
Beginning in March 2018, every OAuth app will need a populated Valid OAuth redirect URIs list, and a redirect will be accepted only when its URI is explicitly on that list. For example, if https://my-test-app.rpxnow.com/facebook/callback is the only URI on the list, redirects to https://my-test-app.rpxnow.com/facebook/callback/tokens or https://my-test-app.rpxnow.com/facebook/callback/redirects will no longer be allowed. If your app sends a redirect URI that is not on the list, login will fail. Both changes close the same gap: the redirect URI is where Facebook delivers the authorization code or access token, so any URI that still passes the match is a place that token can be sent. An exact match against an explicit list leaves only the URIs you intended.
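To make the difference between the two matching rules concrete, here is an added example (not code from the original post, and not Facebook's implementation, which is not public) that models both behaviours in Python and runs them against the post's example URIs plus a few near-misses a practitioner would want rejected. The allowlist, the candidate URIs, and the normalisation of scheme case, host case and the default https port are all constructed assumptions of this example.

```python
"""Prefix matching versus strict matching of OAuth redirect URIs.

Added example, not code from the original post and not Facebook's own
implementation. It models the two behaviours the post describes so the
difference is visible on the post's example URIs.
"""
from typing import Dict, Iterable, Tuple
from urllib.parse import SplitResult, urlsplit

# Constructed allowlist, as it would appear in the app's
# "Valid OAuth redirect URIs" field.
VALID_REDIRECT_URIS = [
    "https://my-test-app.rpxnow.com/facebook/callback",
]


def prefix_match(redirect_uri: str, allowed: Iterable[str]) -> bool:
    """The rule Facebook is retiring: a redirect_uri is accepted if it merely
    begins with an allow-listed URI, so every path beneath the callback passes."""
    return any(redirect_uri.startswith(entry) for entry in allowed)


def _normalize(uri: str) -> SplitResult:
    """Canonicalise only the parts RFC 3986 defines as equivalent: scheme and
    host are case-insensitive, and an explicit default port equals no port.
    Path, query and fragment are kept verbatim, so "/callback/", "?x=1" or
    "#frag" each make a different URI. (Assumption of this example; Facebook's
    exact normalisation is not documented.) Raises ValueError on a bad port."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # ValueError if the port is not an integer
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return SplitResult(scheme, netloc, parts.path, parts.query, parts.fragment)


def strict_match(redirect_uri: str, allowed: Iterable[str]) -> bool:
    """Strict mode: the redirect_uri must equal an allow-listed entry component
    by component. Nothing beneath, beside or appended to the callback passes."""
    try:
        candidate = _normalize(redirect_uri)
    except ValueError:
        return False
    return any(candidate == _normalize(entry) for entry in allowed)


# Constructed candidates: the post's own "callback/tokens" case plus the
# near-misses that strict mode exists to reject.
CANDIDATES = [
    "https://my-test-app.rpxnow.com/facebook/callback",                # exact
    "https://MY-TEST-APP.rpxnow.com:443/facebook/callback",            # case/port only
    "https://my-test-app.rpxnow.com/facebook/callback/tokens",         # sub-path
    "https://my-test-app.rpxnow.com/facebook/callback/redirects",      # sub-path
    "https://my-test-app.rpxnow.com/facebook/callback/",               # trailing slash
    "https://my-test-app.rpxnow.com/facebook/callback?next=x",         # extra query
    "https://my-test-app.rpxnow.com.evil.example/facebook/callback",   # other host
]


def compare(candidates: Iterable[str] = CANDIDATES,
            allowed: Iterable[str] = VALID_REDIRECT_URIS) -> Dict[str, Tuple[bool, bool]]:
    """Map each candidate to (accepted under prefix matching, accepted under strict)."""
    allowed = list(allowed)
    return {uri: (prefix_match(uri, allowed), strict_match(uri, allowed))
            for uri in candidates}


if __name__ == "__main__":
    for uri, (prefix_ok, strict_ok) in compare().items():
        print(f"prefix={str(prefix_ok):5}  strict={str(strict_ok):5}  {uri}")
```

Under prefix matching the two sub-path URIs, the trailing-slash variant and the extra-query variant are all accepted; under strict matching only the exact callback (and its case- and port-equivalent spelling) passes. Note that strict matching, like Facebook's Check URI tool described later in this post, confirms only that a URI is on the list, not that it is the URI your site actually uses.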
How to verify compliance with Facebook's new security requirements
To verify whether or not your Facebook app is compliant with the new security requirements, complete the following procedure:
1. Log on to the Facebook for Developers center.
2. From the Facebook for Developers home page, click My Apps and then click the name of the app you use for social logins.
3. From the Dashboard for your app, click Facebook Login.
4. Verify that your Facebook redirect URI (or URIs) appears in the Valid OAuth redirect URIs list and that Use Strict Mode for Redirect URIs is set to Yes.
If both of these criteria are true, you should have nothing to worry about. If, however, the Valid OAuth redirect URIs list is blank and the page shows warning notices about OAuth redirect URIs, you have more work to do.
Updating your app to comply with Facebook's new security parameters
To update your app, and to bring it into compliance with strict URI matching, complete the following procedure:
1. Log in to the Facebook for Developers center, and proceed to My Apps / Facebook Login (steps 1-3 above).
2. In the Valid OAuth redirect URIs field, type the redirect URI for your website and then press ENTER.
Your redirect URI will typically have the format https://engage-app-name.rpxnow.com/facebook/callback. For example, if your Engage app is named my-test-app, your redirect URI would be https://my-test-app.rpxnow.com/facebook/callback. If you have questions about your redirect URI, contact your Identity Cloud specialist; we're happy to help!
If you have more than one redirect URI, type each URI in the Valid OAuth redirect URIs field. You can enter additional URIs by clicking in the Valid OAuth redirect URIs field, typing a URI, and then pressing ENTER. URIs can be removed from the list by clicking the X at the end of the URI.
3. After you have entered your redirect URIs, set Use Strict Mode for Redirect URIs to Yes.
4. Click Save Changes.
Checking your work
After making these changes, you can validate a redirect URI by completing the following procedure:
1. From the Client OAuth Settings page, type the redirect URI into the Redirect URI to Check field.
2. Click Check URI.
Note that this test does not verify that the URI is the correct redirect URI for your site; it only confirms that the URI appears in the Valid OAuth redirect URIs list. To verify that it is the right URI for your site, try logging on to the site with a Facebook account.
Finally, I encourage you to check out Akamai's OAuth Management API.
Eric Schreiner is a senior product manager at Akamai Technologies.