问题
From an authenticated referral (such as from a timeline story) to my website, I am trying to use the server-side authentication flow to obtain an access token for the referred user. I need to pass my app secret, the auth code, and the original redirect URI to the Facebook access token endpoint. Since I did not initiate the authentication request, how do I determine the original redirect_uri?
The link from the Facebook timeline looks like:
http://www.facebook.com/connect/uiserver.php?app_id=153644678059870&method=permissions.request&redirect_uri=http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity&response_type=code&display=page&auth_referral=1
So I figure that the redirect URI I need to pass is:
http%3A%2F%2Fwww.wnmlive.com%2Fpost%2F141833948%3Ffb_action_ids%3D10100708033267487%26fb_action_types%3Dwnm-live%253Acomment%26fb_source%3Drecent_activity
The URI that the user is ultimately redirected to is:
http://www.wnmlive.com/post/141833948?fb_action_ids=10100708032119787&fb_action_types=wnm-live%3Apost&fb_source=recent_activity&code=AQALK-Mwb_Nwi4z7FWnFaL6tEXvNtVJiRKrgarG9X73sp22TJyk8v2GWKtuXuevJk4hPSRNnuNpEgZXLFdOS_k-pY-mE15DYytIa8Y7VdSw3VL-XYi-CR9BCqRQGq4uBJvSSdZayCp6MWzDMaNqWd5r8OhKVnOhg_yDlvfoLl21N2SMwkJaOfD5mlPnPb5A-Q4A#_=_
Is it safe to assume that I can just chop off everything starting with the "&code=" and use that as the redirect URI?
回答1:
According to a Facebook engineer, the redirect_uri is the current URI up until the "&code=". The code will always be the final query string name/value pair. I have also verified that this works.
回答2:
Currently (Aug 23 2012) Facebook is adding parameters after the code= , for instance, http://apps.coincident.tv/newgirltalk/mobile/?ref=bookmarks;code=AQCZmt8n9NyfKNj8Ea9yzeCYCh-m6FcrbFqqnpQRYpfTwsO8DCk5E6CIbYig1I7g5RxDZxNs7pLcQZDdfjdLJy-8IE4BAW56VPNVADTIa9zxsFEVGLTCjfP7tuSNAIeNZdWecI53pQipnt4YpnawoRXDYVVylFZnWoVYdMtVCaOjZ5DUrN9VSByNVkV5ojOoCEY;fb_source=bookmark_favorites;count=0;fb_bmpos=4_0
Deleting everything from code= doesn't yield an access token, nor does carefully deleting just the code=....; section.
This can be recreated by adding a Facebook bookmark pointing to your app, opening www.facebook.com in your mobile device browser, and then going to your app via the bookmark.
回答3:
In addition to what Carl said, I narrowed the issue to be because of specific ref parameter.
If you have referral oauth enabled, I'll be unabled to exchange the code for an access_token with specific ref.
Examples:
- http://m.facebook.com/apps/App_name/?ref=bookmarks
- http://m.facebook.com/apps/app_name/?ref=m_notif
Those will not work with referral oauth no matter what redirect_uri you use for generating the access_token. There are probably other ref parameters that doesn't work.
It's very annoying because we can't have mobile web app working with this issue
回答4:
As Carl pointed out, there are additional parameters after code. Unlike Carl, if I strip those off and use the resulting url as the redirect uri, it works.
$redirecturi = $_SERVER['SCRIPT_URI'];
$delimiter = "?";
foreach ($_GET as $key=>$val) {
if ($key == "code") break;
$redirecturi .= $delimiter.$key."=".rawurlencode($val);
$delimiter = "&";
}
// now I can use $redirecturi to exchange the code for a token
http://developsocialapps.com/authenticated-referrals-facebook-apps/
回答5:
I filed a bug on Facebook here : https://developers.facebook.com/bugs/141862359298314
If this still affects your app, please go subscribe.
来源:https://stackoverflow.com/questions/9745233/authenticated-referrals-server-side-auth-flow-what-is-the-redirect-uri