18

I'm doing a simple redirect after calling OAuth2::retrieveAccessToken() with Play Framework. I'm having funny characters appended to the URL that I never put there, so the end result looks as follows:

http://localhost:9000/#_=_

Where on earth does the #_=_ come from? Here's my route definition from the routes file:

GET / Application.index

Here's the code snippet of the controller dealing with the Facebook authentication:

import play.libs.OAuth2;
import play.mvc.Controller;

public static void facebookConnect() {
    OAuth2 facebook = new OAuth2(
        "https://graph.facebook.com/oauth/authorize",      // authorization endpoint
        "https://graph.facebook.com/oauth/access_token",   // token endpoint
        "2#############6",                                 // app id (redacted)
        "c##############################2"                 // app secret (redacted)
    );

    // Second leg: Facebook has redirected back with ?code=..., exchange it for a token.
    if(OAuth2.isCodeResponse()) {
        OAuth2.Response oauthResponse = facebook.retrieveAccessToken(facebookAuthUrl());
        if(oauthResponse.error == null) {
            //... Somewhere here, something is causing #_=_ to be appended to the URL?
            // In Play 1.x, calling another action from an action issues an HTTP redirect to it.
            Application.index();
        }
    }
    // First leg: send the browser to Facebook's authorize endpoint (also a redirect).
    facebook.retrieveVerificationCode(facebookAuthUrl());
}

EDIT:

According to this page, Facebook changed their API recently to include the #_=_ if request_uri is empty. The problem is... my request_uri has been explicitly set?

josef.van.niekerk
  • 11,941
  • 20
  • 97
  • 157
  • Just tried running the facebook-oauth2 sample that comes with the Play Framework download, and it does exactly the same, appending #_=_ after redirecting. – josef.van.niekerk Sep 10 '11 at 10:49
  • 1
    Add the following to your head tag to resolve this issue: `` – Safran Ali Jan 03 '12 at 17:20
  • I've created a bug about this issue: http://bugs.developers.facebook.net/show_bug.cgi?id=20504 – kipusoep Sep 12 '11 at 06:54
  • I have the same issue. I get the characters even if I fill in the redirect_uri. cheers! – despot Sep 27 '11 at 10:25

2 Answers

21

This was added after a security update.

From the Facebook developer blog:

Change in Session Redirect Behavior

This week, we started adding a fragment #_=_ to the redirect_uri when this field is left blank. Please ensure that your app can handle this behavior.

agf
  • 171,228
  • 44
  • 289
  • 238
Alexcode
  • 1,598
  • 7
  • 15
  • 1
    Description of the security vulnerability they solved with this: https://nealpoole.com/blog/2011/08/lessons-from-facebooks-security-bug-bounty-program/ – Juha Palomäki Jul 17 '13 at 15:59
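The answer above says where the fragment comes from, but two points matter for anyone hitting this in Play: a URL fragment is never sent in the HTTP request, so the "GET /" route and Application.index() never see "#_=_" and cannot strip it; and RFC 7231 section 7.1.2 says that when a 3xx Location has no fragment, the browser carries over the fragment of the URL it is leaving, so an explicit fragment on a redirect (even a dummy one) overwrites whatever the browser was holding, for example an "#access_token=..." left behind by an implicit-grant (response_type=token) hop. The following is an added example, not code from the question, either answer, Facebook or the Play Framework; the function names, the app.example/partner.example redirect scenario and the sample URLs are made up for the demonstration.

```javascript
// Added example (not from the question or the answers above).
// Function names and sample URLs are invented for this demonstration.

// Where the browser ends up after a 3xx, applying the RFC 7231 section 7.1.2
// fragment-inheritance rule. `currentHref` is the page issuing the redirect
// (what the address bar shows), `location` is the raw Location header value,
// which may be relative.
function resolveRedirect(currentHref, location) {
  const current = new URL(currentHref);
  const target = new URL(location, currentHref);
  if (!location.includes('#') && current.hash) {
    target.hash = current.hash; // no fragment in Location: inherit the old one
  }
  return target.href;
}

// Remove exactly the Facebook dummy fragment; any other fragment is kept.
function stripDummyFragment(href) {
  return href.endsWith('#_=_') ? href.slice(0, -'#_=_'.length) : href;
}

// Browser-side cleanup for the landing page. This is where the fix has to
// live, because the server never receives the fragment. Returns true when
// the address bar was rewritten, false when there was nothing to do or when
// there is no browser (e.g. under node).
function cleanLocationBar() {
  if (typeof window === 'undefined' || !window.history || !window.history.replaceState) {
    return false;
  }
  const clean = stripDummyFragment(window.location.href);
  if (clean === window.location.href) return false;
  window.history.replaceState(null, '', clean);
  return true;
}

// Constructed scenario: the browser sits on a callback URL that still carries
// an access token in its fragment, and that page redirects to a third party.
const callbackHref = 'https://app.example/fb/callback#access_token=SECRET';
const leaked = resolveRedirect(callbackHref, 'https://partner.example/landing');
const safe = resolveRedirect(callbackHref, 'https://partner.example/landing#_=_');
console.log('Location without fragment ->', leaked); // token travels along
console.log('Location with dummy fragment ->', safe); // token overwritten
console.log(stripDummyFragment('http://localhost:9000/#_=_')); // http://localhost:9000/
```

Run it under node to see the two redirect outcomes; in a page, call cleanLocationBar() once on load. Only the exact "#_=_" is stripped, so legitimate in-page anchors survive, and nothing here touches the server-side Play code, which could not see the fragment in the first place.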
1

Maybe these characters come from the facebook callback. I was getting a FB callback like

localhost:9000?someparams#code=verylongcodefromfacebook

I could get rid of the # just by sanitizing the params before requesting the access token.

alfonso.kim
  • 2,844
  • 4
  • 32
  • 37