Remove query string from redirect_uri on callback

[gioblu]

No description provided.

[mkdynamic]

Thanks for the PR. Can you explain what this is fixing?

[gioblu]

Hi, after a while debugging with byebug with a friend (that is the real genious, who found the solution), we found that the callback uri generated by the super call contains also the code parameter and for this reason facebook bounces (probably they switched to a different policy over callback uri??) in any case without parameter works. Hope someone will discover what happened facebook side.

[jakoss]

Yes, this PR fixes problem with logging with newest version of facebook api

#220

[vemv]

Hey @gioblu, thanks for this fix. I'm using it.

It would be ideal though that the fix was backed by a test, else the PR is incomplete.

[mkdynamic]

If folks want to keep the querystring (i.e. they specify that in the Facebook app config) then this would break that, I think. Is that correct? I think perhaps it would be better to use the existing callback_url option and specify the callback_url to solve this issue... Thoughts?

[vemv]

Sounds good, but by default omniauth should 'just work' I believe! No config required

[jonatassalgado]

@mkdynamic I use with Devise and Rails, and I did what you suggested to configure callback_url, and work!

After some adjusts in Facebook > Settings, and adding the callback url to Valid OAuth redirect URIs.

After did this I received error csrf_detected, then adjust info_fields.

The result (in my case only in devise.rb):

config.omniauth :facebook, ENV['FACEBOOK_APP_ID'], ENV['FACEBOOK_APP_KEY'],
                  image_size: 'square',
                  scope: 'email, user_friends',
                  info_fields: 'name,email',
                  callback_url: 'http://www.mysite.com/users/auth/facebook/callback'

[robban]

Thanks, worked for me. I also had to add the info_fields: 'name,email' to the config since facebook does not seem to be sending email by default anymore.

[tyler-ament]

I had the same issue of this happening (today) without any of my code changing, and the fix detailed by @robban worked for me. Rails 4.2.4 app using Devise and OmniAuth.

[vemv]

I see that the recommended fix is trivial to add to one's project, but improving omniauth-facebook to work without this config needed seems easy too.

Having to add callback_url: 'http://www.mysite.com/users/auth/facebook/callback' kinda sucks because it's env-dependent, so it's more stuff one has to take care of.

[mkdynamic]

Thanks for the thoughts everyone, I'm sold this is a good fix -- agree things should work out the box. It is a backwards incompatible change, technically speaking, so it will make sense bump the major version when releasing. That seems like a good trade-off.

Could you add a test case to cover this? @gioblu

I'll try to get this merged and push a new release later this evening.

[mkdynamic]

Fix released in 3.0.0.

Thanks for the contribution @gioblu and feedback everyone else.