Aguafrommars / TheIdServer

OpenID/Connect, OAuth2, WS-Federation and SAML 2.0 server based on Duende IdentityServer and ITFoxtec Identity SAML 2.0 with its admin UI

Home Page: https://theidserver-duende.herokuapp.com/


Facebook Provider problem

bulente opened this issue · comments

Local logins work without a problem. I tried to add facebook provider.

Pressing Facebook button at /account/login page redirects to facebook and after successful authentication, it returns to my authority server with an url like this:

https://myserver/?code=somecode&state=somestate

and this page gives a 404 error without returning to the calling client page.

I tried almost any option in the provider setup page. My last configuration is like this:

image

The callback url configured on facebook should end with /signin-{providerId}, for example https://myserver/signin-facebook

I tried /signin-facebook also. When it is like that, after successful login within facebook, it returns to my server like this:

https://myserver/signin-facebook?code=somecode&state=somestate and that page shows a 404 error without redirecting to calling client page.

image

I'm using Duende.IdentityServer

And your provider id is facebook, right? Put the log in debug mode and share it please.

Yes:
image

How to put the log in debug mode?

In the appsettings.json:

"Serilog": {
    "LevelSwitches": {
      "$controlSwitch": "Debug"
    }
},

Do you see the 404 in logs?

No 404 in logs. Now when I pressed the Facebook button within the Admin UI application, it works. But if the login page is a result of an OWIN client request, it doesn't return to that client and shows a 404 page. Local login works for that OWIN client.

I guess the host is wrong then, double check it; it looks like it does not return to your TheIdServer instance. The callback url should call back your identity server. Then the identity server calls back to the app.

The 404 error is showing on the TheIdServer URL page. Which callback setting do you mean? I'm trying to implement this logic in an old ASP.NET MVC 4 application and here is my OWIN startup code:

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap = new Dictionary<string, string>();

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "Cookies"
});

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    AuthenticationType = "oidc",
    UsePkce = true,
    ClientId = myclientid,
    ClientSecret = myclientsecret,
    Authority = mytheidserver,

#if DEBUG
    RedirectUri = "https://localhost:44326",
#else
    RedirectUri = my web client,
#endif

    ResponseType = "id_token",
    //ResponseType = "code",
    //ResponseMode = "query",
    Scope = "openid email",

    UseTokenLifetime = false,
    SignInAsAuthenticationType = "Cookies",
    SaveTokens = true,
});

On the Facebook Developers app you need to provide the redirect URI for your client; this is the callback url. In this case the client is your TheIdServer: facebook should redirect to your TheIdServer instance, not to your MVC client directly. As you don't see a 404 entry in your TheIdServer log, it means the callback does not return to your TheIdServer instance, do you agree? If it was redirected to an unknown page of TheIdServer, the admin app should display:

image

Here is my Provider latest setup:

image

Are you behind a proxy? If we cannot find the 404 request in the log, it's because the request is not processed by TheIdServer, do you agree? Can you look for /signin-facebook in the log?

No, I'm not behind a proxy. Just use Burp to show the flow.

Only one entry containing "signin-facebook":

image

https://myidserver/signin-facebook?code=somecode&state=somestate

The URL gives a 404 error. That means the server code can't find a matching route for this URL, doesn't it? When this happens, is there a global error handling routine in the code and does it write to the log?

And what if you try to log in with facebook using the TheIdServer admin?
What's the TheIdServer version you use?

If you use SEQ, try to filter logs with: RequestPath = '/signin-facebook'

image

And your MVC application should use the Hybrid grant type, not Token exchange, nor Implicit, nor Client credentials.

The theidserveradmin redirect uri should be "https://auth.bebyaz.com/authentication/login-callback"; "/signin-facebook" should not be used as a redirect path for clients.

Drop the database. It'll be recreated at startup. You probably have an issue with stored security keys.

I found that IIS was filtering the request because of the long query string. Adding this to web.config solved the problem:

<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxQueryString="8192" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

Thank you for your support. I learned OAuth, OpenId flows and learning new things is always a joy :)
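As an added example (not from this thread and not TheIdServer code), a small Python scanner for the symptom diagnosed above: IIS request filtering rejected the /signin-facebook callback before it reached the application, so nothing appeared in the Serilog output, and only the IIS site log recorded it. The W3C field selection, the 2048-byte default for maxQueryString, the 404.15 "Query String Too Long" sub-status and the sample lines are assumptions and constructed data.

```python
# Added example: find OIDC/OAuth callbacks that IIS request filtering blocked
# (404 with sub-status 15 = "Query String Too Long") in IIS W3C log text.
DEFAULT_MAX_QUERY_STRING = 2048  # IIS default; the thread raised it to 8192

# Constructed sample log: one blocked /signin-facebook callback, one ordinary
# 404, one successful request. Field order comes from the #Fields: header.
LONG_QUERY = "code=" + "A" * 2600 + "&state=" + "B" * 64
SAMPLE_LOG = (
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip sc-status sc-substatus sc-win32-status time-taken\n"
    f"2023-01-01 10:00:00 10.0.0.5 GET /signin-facebook {LONG_QUERY} 443 - "
    "203.0.113.7 404 15 0 3\n"
    "2023-01-01 10:00:05 10.0.0.5 GET /nonexistent - 443 - 203.0.113.7 404 0 2 1\n"
    "2023-01-01 10:00:09 10.0.0.5 GET /account/login ReturnUrl=%2Fconnect%2Fauthorize "
    "443 - 203.0.113.7 200 0 0 12\n"
)


def parse_w3c(log_text):
    """Parse W3C extended log lines into dicts keyed by the #Fields: names."""
    fields, entries = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines column order
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            entries.append(dict(zip(fields, line.split())))
    return entries


def find_filtered_callbacks(log_text, max_query=DEFAULT_MAX_QUERY_STRING):
    """Return requests IIS rejected with 404.15, with the query length and a
    power-of-two maxQueryString that would have admitted them."""
    hits = []
    for e in parse_w3c(log_text):
        if e.get("sc-status") == "404" and e.get("sc-substatus") == "15":
            query = e.get("cs-uri-query", "-")
            qlen = 0 if query == "-" else len(query)   # IIS logs "-" for no query
            suggested = max_query if qlen <= max_query else 1 << (qlen - 1).bit_length()
            hits.append({"path": e.get("cs-uri-stem"), "query_length": qlen,
                         "exceeds_limit": qlen > max_query, "suggested_max": suggested})
    return hits


if __name__ == "__main__":
    for hit in find_filtered_callbacks(SAMPLE_LOG):
        print(f"{hit['path']}: query {hit['query_length']} bytes, "
              f"set maxQueryString >= {hit['suggested_max']}")
```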