18

I am getting an error:

 OmniAuth::Strategies::Facebook::NoAuthorizationCodeError (must pass either a 
`code` parameter or a signed request (via `signed_request` parameter or a 
`fbsr_XXX` cookie)):

It's not coming all the time. It's coming once in a while, notified by Airbrake.

There are a lot of links for this on Google search, but I am not able to find a proper solution. Anyone?

omniauth.rb under the initializers directory:

OmniAuth.config.logger = Rails.logger
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :facebook, ENV['FACEBOOK_KEY'], ENV['FACEBOOK_SECRET'], {:client_options => {:ssl => {:ca_path => "/etc/ssl/certs"}}, :scope => 'user_about_me,email,publish_actions,user_location,publish_stream,offline_access,user_interests,user_likes,user_hometown', :display => 'popup'}      

  OmniAuth.config.on_failure = Proc.new do |env|
    #this will invoke the omniauth_failure action in SessionsController.
    "SessionsController".constantize.action(:omniauth_failure).call(env)
  end         
end

PS: I am using facebook javascript sdk with facebook-omniauth

Mohit Jain

6 Answers

26

I recently encountered this error when also using the FB JS SDK with omniauth-facebook. I fixed it by sending the signed_request parameter with the GET as shown below:

$(document).bind("fb.loaded", function() {
  FB.getLoginStatus(function(response) {

    console.log('FB STATUS: ' + response.status);
    if(response.status == "connected") {

      console.log("FB AUTHED");

      // Pass the SDK's signed request on to the omniauth callback.
      location.href =
        '/auth/facebook/callback?' +
        $.param({ signed_request: response.authResponse.signedRequest });

    }
  });
});

The scenario occurs when a user visits your site when already logged into FB but not your site. One often needs to sign the subsequent request to the omniauth callback:

Request URL:
http://localhost:3000/auth/facebook/callback?signed_request=QXZa2TPs8JiSgSAQkrS7Y7ObPZQDYLcU_JNvD6Wru_o.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUURjQXdZUdVOMEFmd1RCbjRDQWp4eHpKcWRoRllOS1owLVZpa2pKTUQxSU1UbHJzbmEyMVNUUUtOLWl6b1dJOXJVRWUyWTBNd3ViZ1JxcmZJQmVMRDNOREI2M1EwREtqVzJCeVxTU2ZMR1foWlVwOEVlX0dMVUtwYUlqcWlaQ2FSc1h5c0NBNHdyZDBxbk4taU1haWp2cVFIX19QdUhxaldFcUtYZDc1LS1oZmptcTg4QVVuemVJdDJ4S2VOd3VPZG9vOGtaQkZlZmctZ2FDMk9CNl8wZ24iLCJpc3N1ZWRfYXQiOjEzNTg5NzQ4NzMsInVzZXJfaWQiOiIxMDYwMTg4NyJ9`

If using AJAX, you would need something like this:

      $.get(
        '/auth/facebook/callback',
        { signed_request: response.authResponse.signedRequest },
        function(json) {
          alert("received logged in response");
      });
dimroc
  • 1
    This has worked for me, but I've also noticed that in my case the fbsr_XXX cookie was present, except that was prefixed with a space (e.g. " fbsr_XXX"), which is preventing the omniauth gem code from locating the data that should already be stored in the cookie. As to why the cookie key has a space, I'm not sure. I was under the impression the FB JS sets these cookies. – JZC Jun 18 '13 at 19:46
  • Could it have something to do with your browser's 3rd party cookie settings? – Jim Sep 11 '14 at 20:26
  • @dimrock tried this solution, and am passing the proper Request URL with a parsed `signed_request` param but still getting the error. Any thoughts? @JZC how do you see what your `fbsr_XXX` cookie is? – james Sep 12 '14 at 05:27
  • 1
    @james have you got the property "cookie: true" in your "FB.init" function? – lmmendes Oct 26 '14 at 11:08
  • 1
    Same issue as @james. Have appended the `signed_request` cookie. But still getting the error. And @JZC how to check `fbsr_xxx` has a space or not? – rAzOr Jan 16 '15 at 09:21
  • That would work with the JS SDK, but what about without it? Simply using Omniauth Facebook? – Augustin Riedinger Jul 27 '15 at 10:32
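
What the server has to do with the `signed_request` value (from the query parameter or the `fbsr_XXX` cookie) before trusting the `code` inside it, as an added example that is not part of the original answers and not omniauth-facebook's own code. The function names, the cookie helper and the sample secret, app id and code are assumptions constructed for illustration.

```ruby
require "openssl"
require "json"

class InvalidSignedRequest < StandardError; end

# base64url helpers; "m0" is strict base64 and Facebook omits the "=" padding.
def b64url_decode(str)
  (str.tr("-_", "+/") + "=" * ((4 - str.length % 4) % 4)).unpack1("m0")
end

def b64url_encode(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Format: "<base64url(HMAC-SHA256)>.<base64url(JSON)>"; the HMAC is keyed with
# the app secret and computed over the encoded payload string.
def parse_signed_request(raw, app_secret)
  sig_b64, payload_b64 = raw.to_s.strip.split(".", 2)
  raise InvalidSignedRequest, "expected <signature>.<payload>" if sig_b64.to_s.empty? || payload_b64.to_s.empty?

  expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), app_secret, payload_b64)
  raise InvalidSignedRequest, "bad signature" unless secure_equal?(b64url_decode(sig_b64), expected)

  payload = JSON.parse(b64url_decode(payload_b64).force_encoding("UTF-8"))
  return payload if payload.is_a?(Hash) && payload["algorithm"] == "HMAC-SHA256"
  raise InvalidSignedRequest, "unexpected algorithm"
rescue JSON::ParserError, ArgumentError
  raise InvalidSignedRequest, "undecodable signed request"
end

# Hypothetical helper: read fbsr_<app_id> from a raw Cookie header, tolerating
# stray whitespace around the name (the " fbsr_XXX" case from the comments).
def fbsr_cookie_value(cookie_header, app_id)
  cookie_header.to_s.split(";").each do |pair|
    name, value = pair.split("=", 2)
    return value.to_s.strip if name.to_s.strip == "fbsr_#{app_id}"
  end
  nil
end

# Constructed sample (made-up secret and code), not real Facebook data.
SECRET = "constructed-secret"
BODY = b64url_encode(JSON.generate({ "algorithm" => "HMAC-SHA256", "code" => "CONSTRUCTED", "user_id" => "1" }))
SAMPLE = "#{b64url_encode(OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), SECRET, BODY))}.#{BODY}"
```

Because the signed request carries an OAuth `code`, a value sent in the query string also lands in server access logs and browser history.
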
8

When you get the error

  • You will get this error if your app is in sandbox mode and you try to log in using real users which are not listed in the Developer Roles for your application. Once you create test users and use those instead, it will work.

  • You will also get this error in the opposite situation: you try to log in to your production app while being logged into Facebook as a test user. You will get that error, and in my URL I also get very clear information:

error_code=2102&error_message=User+is+not+a+test+user+owned+by+the+application

How to create test users

To create test users, click on Edit settings > Developer Roles in your application configuration at developers.facebook.com and click create on the Test users section. After creating the user, set the password by clicking on Set Password and note down its Facebook ID, which you can see when clicking modify. Then use those credentials to log in to your app in sandbox mode.

deivid
  • 1
    Maybe my answer is not great although it worked for me. I don't mind the downvote, but it's nice if people explain the reasons of their downvotes so we can all learn something. – deivid Oct 08 '13 at 12:38
  • It actually also occurs when the person doesn't accept the first app requirements in the FB interface. I'm just struggling to catch this error properly. – Augustin Riedinger Mar 11 '14 at 11:53
6

Just solved this same issue in my code by updating gems to:

gem "omniauth", "~> 1.1.1"
gem "omniauth-facebook", "~> 1.4.1"

That was really the crux of it. But in case you need it, my routes.rb setting:

match "/auth/failure" => redirect("/")

My omniauth.rb is

OmniAuth.config.on_failure = Proc.new { |env|
  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
}
Arman
  • 1
    getting an error ie: Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError – Mohit Jain Sep 21 '12 at 13:02
  • which versions of "oauth2" and "omniauth-oauth2" gems are you using? – Arman Sep 21 '12 at 21:06
5

I got the same error. I tried the above solution but it didn't work for me. So I disabled the sandbox mode and then it worked as I expected.

  • 4
    Just had the same thing occur; then I figured it out: If disabling Sandbox mode works for you it is because the Facebook account you're trying to authenticate is not listed in the Developer Roles for your application (https://developers.facebook.com/apps//roles). – nc. Jun 08 '13 at 01:39
0

Facebook has updated their API to v.2.0, which causes FB login errors like this. The solution is to have a Privacy Policy page and put that link in the privacy policy link field under App Details on the Facebook developers site.

Jude Calimbas
0

Not setting cookie: true in FB.init will cause this problem.

bevanb