We Keep Coding

How do I fix Facebook OAuth OAuthException code 191?

I'm building an OAuth flow in a Firebase Function.
When a client tries to login through Facebook, I create an UUID for their flow, redirect them to the facebook login dialog in the browser with the above UUID as the value for the state parameter.
I expect the Facebook login dialog to come up, instead I get this error:
Authentication error: StatusCodeError: 400 - "{\"error\":{\"message\":\"Missing redirect_uri parameter.\",\"type\":\"OAuthException\",\"code\":191,\"fbtrace_id\":\"ASKnZNGGkKhI4UI5mBcX_zl\"}}"
I even tried adding quotes to the redirect_uri in my request
...&redirect_uri="<encoded_uri>"
which resulted in a different error:
Can't Load URL: The domain of this URL isn't included in the app's domains. To be able to load this URL, add all domains and subdomains of your app to the App Domains field in your app settings.
(So I'm guessing I don't need to enclose the parameter in quotes)
This is the url I'm redirecting to:
https://www.facebook.com/v5.0/dialog/oauth?client_id=[FACEBOOK_CLIENT_ID]&redirect_uri=https%3A%2F%2Fus-central1-bitblock-blast.cloudfunctions.net%2Foauth%2Fsignin%2Ffacebook%2Fcallback%2F&scope=public_profile&state=1da53893-ee5c-488d-be5c-c7913411c758
This is a version with request_uri not percent encoded just so you can see it clearly (I'M NOT USING THIS)
https://www.facebook.com/v5.0/dialog/oauth?client_id=[FACEBOOK_CLIENT_ID]&redirect_uri=https://us-central1-bitblock-blast.cloudfunctions.net/oauth/signin/facebook/callback/&scope=public_profile&state=1da53893-ee5c-488d-be5c-c7913411c758
I've tried opening it directly in the browser, but no luck, same errors.
As you can see, this is my callback endpoint
https://us-central1-bitblock-blast.cloudfunctions.net/oauth/signin/facebook/callback/
These are the domains I added in the app's console on Facebook under Settings > Basic
These are the settings and callback URIs I added under Products > Facebook Login > Settings
(As you can see I've tried every possible variation)
Here you can see my callback being verified as OK
(Notice that the following variations all work: "...callback/", "...callback", "...callback?state=XXX"
So I don't understand what I'm missing or doing wrong.
I am expecting to be redirected to the Facebook login dialog, and instead I keep getting that 'missing redirect_uri parameter' error.
EDIT: Just to make sure, the Facebook application is also Live.

facebook graph api node.js invalid appsecret_proof

this is my first post so please go easy on me!
I am a beginning developer working with javascript and node.js. I am trying to make a basic request from a node js file to facebook's graph API. I have signed up for their developer service using my facebook account, and I have installed the node package for FB found here (https://www.npmjs.com/package/fb). It looks official enough.
Everything seems to be working, except I am getting a response to my GET request with a message saying my appsecret_proof is invalid.
Here is the code I am using (be advised the sensitive info is just keyboard mashing).
let https = require("https");
var FB = require('fb');
FB.options({
version: 'v2.11',
appId: 484592542348233,
appSecret: '389fa3ha3fukzf83a3r8a3f3aa3a3'
});
FB.setAccessToken('f8af89a3f98a3f89a3f87af8afnafmdasfasedfaskjefzev8zv9z390fz39fznabacbkcbalanaa3fla398fa3lfa3flka3flina3fk3anflka3fnalifn3laifnka3fnaelfafi3eifafnaifla3nfia3nfa3ifla');
console.log(FB.options());
FB.api('/me',
'GET',
{
"fields": "id,name"
},
function (res) {
if(!res || res.error) {
console.log(!res ? 'error occurred' : res.error);
return;
}
console.log(res);
console.log(res.id);
console.log(res.name);
}
);
The error I am getting reads:
{ message: 'Invalid appsecret_proof provided in the API argument',
type: 'GraphMethodException',
code: 100,
fbtrace_id: 'H3pDC0OPZdK' }
I have reset my appSecret and accessToken on the developer page and tried them immediately after resetting them. I get the same error, so I don't think that stale credentials are the issue. My
console.log(FB.options())
returns an appropriate looking object that also contains a long hash for appSecretProof as expected. I have also tried this code with a number of version numbers in the options (v2.4, v2.5, v2.11, and without any version key). Facebook's documentation on this strikes me as somewhat unclear. I think I should be using v2.5 of the SDK (which the node package is meant to mimic) and making requests to v2.11 of the graph API, but ??? In any case, that wouldn't seem to explain the issue I'm having. I get a perfectly good response that says my appSecretProof is invalid when I don't specify any version number at all.
The node package for fb should be generating this appSecretProof for me, and it looks like it is doing that. My other info and syntax all seem correct according to the package documentation. What am I missing here? Thank you all so much in advance.

looks like you have required the appsecret_proof for 2 factor authorization in the advance setting in your app.
Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the client. An access token can also be stolen by malicious software on a person's computer or a man in the middle attack. Then that access token can be used from an entirely different system that's not the client and not your server, generating spam or stealing data.
You can prevent this by adding the appsecret_proof parameter to every API call from a server and enabling the setting to require proof on all calls. This prevents bad guys from making API calls with your access tokens from their servers. If you're using the official PHP SDK, the appsecret_proof parameter is automatically added.
Please refer the below url to generate the valid appsecret_proof,and add it to each api call
https://developers.facebook.com/docs/graph-api/securing-requests

I had to deal with the same issue while working with passport-facebook-token,
I finally released that the problem had nothing to have with the logic of my codebase or the app configuration.
I had this error just because I was adding intentionally an authorization Header to the request. so if you are using postman or some other http client just make sure that the request does not contain any authorization Header.

Google Auth API Javascript idpiframe initialization error on Chrome

I use GSuite and I'm coding a very simple web app to use Google Auth API, and I get an exception "idpiframe_initialization_failed".
Now I have the exact HTML as shown in the google Sample:
https://developers.google.com/api-client-library/javascript/samples/samples
1) I've created a project on the Google Developer Console
2) I setup the OAUTH authorization screen
3) I've created the client ID, creating restrictions and redirection URL
4) I've also created the API KEY
5) Finally I've enabled the People API, because discovery services was failing when setting the discoveryDocs parameter
With all of these steps, When I call the gapi.client.init, it raises an exception ONLY in chrome, I cannot understand why.
The code for initializing the API is:
gapi.client.init({
apiKey: 'MY_API_KEY',
discoveryDocs: ["https://people.googleapis.com/$discovery/rest?version=v1"],
clientId: 'MY_CLIENT_ID.apps.googleusercontent.com',
scope: 'profile'
}).then(function (response) {
// Listen for sign-in state changes.
gapi.auth2.getAuthInstance().isSignedIn.listen(updateSigninStatus);
// Handle the initial sign-in state.
updateSigninStatus(gapi.auth2.getAuthInstance().isSignedIn.get());
},function(reason){
console.log('onerror');
console.log(reason);
// Listen for sign-in state changes.
gapi.auth2.getAuthInstance().isSignedIn.listen(updateSigninStatus);
// Handle the initial sign-in state.
updateSigninStatus(gapi.auth2.getAuthInstance().isSignedIn.get());
The code is running the error block, and the message is:
details: "Failed to read the 'localStorage' property from 'Window': Access is denied for this document."
error:"idpiframe_initialization_failed"
Any ideas why I'm coming into this error?
Thanks!

I encountered the same issue. After investing some time, found the reason. This error is because in chrome settings, you have the Block third-party cookies and site data option enabled.
It can be resolved by disabling this option:
"To find the setting, open Chrome settings, type "Content settings" in the search box, click the Content Settings button, and view the fourth item under Cookies."
Uncheck the box "Block third-party cookies and site data".
Hopefully this helps you in resolving your issue.

The problem is with Google's API console and how it handles creating credentials.
It only seems to work when I access it through the following url
https://developers.google.com/identity/sign-in/web/sign-in#before_you_begin
There is a link that lets you create your app and the OAuth credentials.
When I go to the console and create it through that screen it doesn't seem to work.
After trying and re-create again and test with a fresh app I found out that the URL you add to the Authorized Javascript Origins doesn't always get added.
If everything is good then the url should be available in the credentials page

In my case, I just had to wait a bit for Google to take the origin into account. I cannot tell exactly how long it took. I waited ~30min. I then went to sleep and it was working the following morning.
Edit: Ooops I just realized I was using http:// and not https://. That was the actual problem.

I had the same problem and I searched for 3 days: Resolve " popup_closed_by_user" Go to your console.google go to your API MANAGE : Credentials:modify your credentials:
Authorized Javascript origin (http://localhost:port);
authorized redirect URI(http://localhost:port/auth/google/callback);
Example:|| Authorized Javascript origin (http://localhost:4200);
authorized redirect URI (http://localhost:4200/auth/google/callback)

Can't Post to Facebook Page using JS

Okay what I want is to post to the Facebook Page as an Page(This is developing mode application only viewable to ne).
I have done with Facebook login.
So basically I ask for 2 permissions and they are
Manage Pages
Publish Pages
I can post to the page using the Facebook graph explorer tool but can't via my Javascript code.
Here is the code that I write using JS. This code is written inside a function.
FB.api('me/accounts', function(response){
token = response.data[0].access_token;
post_with_token(token);
});
function post_with_token(token){
var message = $('#post_body').html();
var page_id = 'page_id';
FB.api('page_id/feed', 'post',
{ message : message,
access_token : token},
function (response){
console.log(response);
});
The error object in the console says this
message: "(#200) The user hasn't authorized the application to perform this action"
Both the apps My and Graph explorer have the same permissions granted.Is any new permission to be asked. I am unable to figure out what exactly the problem is.Correct me if I am wrong anywhere.
I got the answer that I posted below but didn't got why I need additional permission.?

publish_pages has only been introduced with Graph API version 2.3.
Before that, publish_actions was used to allow posts on pages by the page as well – now with v2.3, they have made that into two separate permissions. publish_actions is for everything you publish as/in the name of a user, and publish_pages is for publishing as a page.
Graph API Explorer has API version 2.3 selected by default – that is why your call was successful there. Most likely, with your own API call from your JS code, you did not use v2.3, but specified a lower API version when initializing the JS SDK.
So just specify version: 'v2.3' in your FB.init parameters (see Basic Setup section in JS SDK docs), and it should work fine with publish_pages.

Okay I solved the problem . I have to ask for publish_actions permission also. So I asked through the Login Dialog and used the same code as above to post to the page!

The error implies exactly what it says. They've designer their API so it's not going to let you post without proper authorization first.
Facebook provides a guide on how to give proper authorization to your registered app

Using Facebook Javascript SDK to get Graph Data

FIXED NOW! But I can't answer my own question yet. See my comment below. And thanks for helping.
I've searched and searched and read the docs and still can't figure this out.
I have a web page about an event. There's also a public Facebook "event" for my event. I'm trying to use the FB Javascript SDK to get the number of attendees for the Facebook event and add it to the number of people who've registered through the website.
I've created an app and I have an appID and secret string. I can get an access token from:
https://graph.facebook.com/oauth/access_token?client_id=XXXX&client_secret=XXXXX&grant_type=client_credentials
and I can then use that access token to get the attendees for a public event:
https://graph.facebook.com/331218348435/attending?access_token=XXXXXXXXX
That's all fine.
I'm now trying to do this same thing using the Javascript SDK.
I've loaded the SDK and done an init:
FB.init({
appId : 'XXXXXXXX',
status : true, // check login status
cookie : true, // enable cookies to allow the server to access the session
xfbml : true // parse XFBML
});
and I know the SDK is working because I can get an object with the data that doesn't need an access token:
FB.api( '/331218348435', function (response) { console.log ( response ) } );
but when I try to get the attendee data that needs the access token:
FB.api( '/331218348435/attending', function (response) { console.log ( response ) } );
I get an OAuthException: "An access token is required to request this resource."
All the tutorials and information I can find all refers to using the .login method, but I don't want a user to login, I want to login using my app ID without any user interaction.
I'd assumed that the API took the SDK's init request and granted me an access token when I called the .init method, the authentication being done against my website's address (the HTTP referrer - yes I have set my website URL in the Facebook app settings).
Any ideas what might be causing this to not work? How can I get the access token using the Javascript SDK without doing a .login? Am I missing a step? Is this even possible?
Thanks

Form what the rather circular documentations says, getting the attending feed requires a 'generic access_token`. In Facebook terms:
Any valid access_token
Any valid access token returned by our APIs. An access token may not be valid if, for example, it has expired. No special permissions are required. Occasionally, this is referred to as a generic access_token.
So this means that you can use any token you like to access the attending feed, as long as the event is public. The easiest access token to get seems to be an app token: http://developers.facebook.com/docs/authentication/#applogin. You can get this token using only your App ID and Secret, and no user interaction is required.
To summerise the link content: You can get an application access token by sending a GET request to
https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
You can then use that access_token to make the call for you attending list
FB.api('MyEvent/attending?access_token=ACCESS_TOKEN');

Oh. OK.
Well, for whatever reason, I went away and had my dinner and when I come back it's working fine.
When I updated the settings for my app Facebook said it might take a few minutes for the change to get around the servers. Turned out to take over an hour!
My code was fine.
Thanks for your help.