
OAuth is breaking, but only when users are coming from HTTP, HTTPS works fine

I'm trying to get an auth token for a user using OAuth.

Everything works fine and I'm getting the token wonderfully when the user tries to access the app using HTTPS, meaning from https://apps.facebook.com/APPNAME . However, if the user is coming from HTTP (which most users are) I get a 400 error from Facebook when trying to get:

https://graph.facebook.com/oauth/access_token?code=XXXXXXXX-XXXXXX-XXXXXXXXX&client_secret=YYYYYYYYYYYYYYYYYYYYY&redirect_uri=https://fb.myapp.com/fb_connect/&client_id=ZZZZZZZZ

{
   "error": {
      "message": "Error validating verification code.",
      "type": "OAuthException"
   }
}

Why is this happening?

Rotem Tamir asked Mar 22 '26 14:03


2 Answers

We have experienced similar issues since Facebook began to require SSL certificates on apps.

  1. OAuth 2.0 works correctly with PHP SDK 3.1.1. If you are using earlier versions, go to GitHub and upgrade.

  2. However, even with 3.1.1, signed requests return NULL from http:// when Facebook users have not enabled secured browsing.

The solution is to 1. use JavaScript to add a redirect at the top of your script or 2. add an (a href =https://your app url*) link somewhere.

  1. There is a major flaw in FB, as all of FB's links in the left side page menu are http:// when the user has not enabled secured browsing.
Bill Warren answered Mar 24 '26 10:03


I had the same problem but I found out that it was because the user did not confirm the e-mail address yet. So you won't get any token for a new user that has not confirmed his email address. Just in case, I thought it was useful for this topic.

Luca Iannario answered Mar 24 '26 11:03


