I have been working on setting up Facebook authentication for my Rails app and while testing, after logging in with my Facebook account, I keep getting this error:

```
OAuth2::Error:
{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}}
```

I'm not really sure where to begin with this, but can't seem to find anything else online about it. Any guidance would be appreciated, happy to provide more info if it would be useful.

akjoshi
Alex Stein
  • Same thing just started happening to me about 3 hours ago. I'm using omniauth-facebook 1.4.0. Can't find anything about this error... Tried clearing cookies, resetting FB.app secret etc. No luck – Zarne Dravitzki Jul 10 '12 at 06:52
  • Same problem here. Suddenly began a couple of hours ago. – Claude Schlesser Jul 10 '12 at 06:59
  • I can also confirm this is happening for me too, and with different authorization codes, so something has broken. – Gav Jul 10 '12 at 07:05
  • This is reported here - https://developers.facebook.com/bugs/461571897194273 – Rajat Garg Jul 10 '12 at 09:26
  • Same problem here since this morning: `[DEBUG] Koala::Facebook::APIError => #` – Darme Jul 10 '12 at 10:50
  • I just started testing this today. I'm getting this error though, not sure if it's the same: `{"error": {"message":"Code was invalid or expired. Session is invalid. This could be because the application was uninstalled after the session was created.", "type":"OAuthException","code":100 }}` – Zoidberg Jul 10 '12 at 17:14

6 Answers

I had this issue as well. I was seeing the "(facebook) Callback phase initiated." message twice in my Rails logs. It turns out that I was initializing FB authentication twice (I am using Devise and Omniauth-Facebook), and I'm guessing one of these was attempting to reset the access token.

Disabling the initializer in Omniauth-Facebook (config/initializers/omniauth.rb) fixed my issue.

imgrgry

This is due to Facebook changes that have been optional up until now but will roll out 12/5/12 for everyone. From the Developer Roadmap for the Dec '12 breaking changes:

> New security restrictions for OAuth authorization codes
>
> We will only allow authorization codes to be exchanged for access tokens once and will require that they be exchanged for an access token within 10 minutes of their creation. This is in line with the OAuth 2.0 Spec which from the start has stated that "authorization codes MUST be short lived and single use". For more information, check out our Authentication documentation.

You'll need to update your app to account for this.

Cheers

Madbreaks
  • what does this change mean exactly? you can't repeat the same query twice? – user749798 Dec 06 '12 at 21:40
  • It means that when you first get an `access_token` for a user, you need to store it and then explicitly set it the next time the user needs to interact with the FBAPI: `$facebook->setAccessToken($theToken);` – Madbreaks Dec 06 '12 at 22:02
  • I had this issue as well. It turns out that I was initializing FB authentication twice (using Devise and Omniauth-facebook), and I'm guessing one of these was attempting to reset the access token. Disabling the initializer in Oauth-fb fixed my issue. – imgrgry Dec 07 '12 at 11:57
  • @imgrgry I think your comment should really be an answer. That helped me, thanks! – Michał Szajbe Dec 07 '12 at 15:33
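
A simplified model of the failure discussed in the answers and comments above, as an added example that is not part of the original posts and is not OmniAuth or Facebook code: a toy authorization server enforces the single-use, 10-minute rule, and a Rack-style callback middleware redeems the code before calling the next app. `ToyAuthServer`, `ToyCallback`, `run_callback`, the callback path, the expiry message and the sample code value are all hypothetical.

```ruby
# Toy model (hypothetical names): not OmniAuth's or Facebook's implementation.
class ToyOAuthError < StandardError; end

class ToyAuthServer
  CODE_TTL = 600 # seconds: the 10-minute window from the roadmap text

  def initialize
    @codes = {} # code => { issued_at:, used: }
  end

  def issue(code, now)
    @codes[code] = { issued_at: now, used: false }
  end

  # Token endpoint: a code is redeemable once, and only within CODE_TTL.
  def exchange(code, now)
    entry = @codes[code]
    raise ToyOAuthError, "Unknown or expired code (constructed message)." if entry.nil? || now - entry[:issued_at] > CODE_TTL
    raise ToyOAuthError, "This authorization code has been used." if entry[:used]
    entry[:used] = true
    "token-for-#{code}"
  end
end

# Rack-style middleware: on the callback path, redeem the code, then call the next app.
class ToyCallback
  def initialize(app, server)
    @app, @server = app, server
  end

  def call(env)
    env[:token] = @server.exchange(env[:code], env[:now]) if env[:path] == "/auth/facebook/callback"
    @app.call(env)
  end
end

# Mount the callback middleware `copies` times and send one callback through the stack.
def run_callback(copies, now: 60)
  server = ToyAuthServer.new
  server.issue("constructed-code", 0)
  app = ->(env) { "signed in with #{env[:token]}" }
  copies.times { app = ToyCallback.new(app, server) }
  app.call({ path: "/auth/facebook/callback", code: "constructed-code", now: now })
rescue ToyOAuthError => e
  "error: #{e.message}"
end

puts run_callback(1)
puts run_callback(2)
```

With one copy of the middleware the code is redeemed once and sign-in completes; with two copies the inner one redeems the same code again and the server rejects it.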

This bug occurred just after the last Facebook push and has been reported to Facebook just this morning.

So I guess we just have to wait and, in the meantime, post more details to this report and follow it to both help and solicit Facebook folks to solve this issue!

Darme
  • Please see my answer, below – Madbreaks Dec 03 '12 at 19:05
  • Please note that my answer is in reference to a bug that occurred July the 10th 2012 and was solved shortly after; if you are still having this problem, you should really check for a more recent answer by others. – Darme Jan 17 '13 at 11:10

I was incorrectly initializing OmniAuth twice, calling config/initializers/omniauth.rb twice.

This would add OmniAuth::Builder twice to the middleware stack. With recent Facebook changes, this started failing with error 100.

By making sure OmniAuth::Builder got added once, I managed to solve this issue.

To double check your middleware stack, run this:

```
rake middleware
```
etagwerker
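
One way to automate the check from this answer, as an added example that is not part of the original post: tally the `use` lines printed by `rake middleware` and report any middleware mounted more than once. `duplicated_middleware` is a hypothetical helper and `SAMPLE_OUTPUT` is constructed, not captured from a real app.

```ruby
# Return { "Middleware::Name" => count } for every middleware listed more than once.
def duplicated_middleware(rake_output)
  counts = Hash.new(0)
  rake_output.each_line do |line|
    verb, name = line.strip.split(/\s+/, 2)
    next unless verb == "use" && name # skip blanks and the final `run ...` line
    # Instance entries print as #<Some::Class:0x000...>; reduce them to the class name.
    name = name[/\A#<([\w:]+):0x\h+>/, 1] || name
    counts[name] += 1
  end
  counts.select { |_, n| n > 1 }
end

# Constructed sample output (an assumption, not taken from the original post).
SAMPLE_OUTPUT = <<~OUT
  use ActionDispatch::Static
  use Rack::Lock
  use #<ActiveSupport::Cache::Strategy::LocalCache::Middleware:0x007f8b1c0a1234>
  use ActionDispatch::Cookies
  use ActionDispatch::Session::CookieStore
  use OmniAuth::Builder
  use Warden::Manager
  use OmniAuth::Builder
  run MyApp::Application.routes
OUT

puts duplicated_middleware(SAMPLE_OUTPUT).inspect
```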

I had the same problem and finally found what the issue was in my case. So for those who have this problem and use just Omniauth without Devise, the root cause of the problem might be an incorrect route for redirection.

  1. Check your server development.log
  2. Find where it redirects (grep by "Redirected to")
  3. Here is the main point: Check in the log if the callback URL is correct

In my case, in routes.rb I had, for example:

```ruby
get "mycontroller/home"
```

which is okay, but in my SessionController I also had:

```ruby
def create
  auth_hash = request.env['omniauth.auth']
  user = User.from_omniauth(auth_hash)
  session[:user_id] = user.id
  redirect_to "mycontroller/home"
end
```

So I got it working by changing this line in the controller from:

```ruby
redirect_to "mycontroller/home"
```

to

```ruby
redirect_to "/mycontroller/home"
```
dehumanizer

So I was able to work around this. It seems that my application was processing the Facebook authentication, then trying to do it a second time and producing this error. Strange since I was trying to redirect to root_url. In any case, changing the page that I was redirecting to from "root_url" to "/" after storing the user info in my database seemed to make all the difference.

I would suggest checking your development log to see if you're getting a similar error.

Alex Stein