Identity 2.0 Create User Broken and Facebook Login Fails in Edge and Firefox Browsers

Question

User-939035612 posted

What might cause Identity 2.0 user creation to fail in all browsers and login attempts to fail in just Edge and Firefox but not Chrome? I was given a deadline by Facebook to fix this problem but I can't begin to guess what it is because I am using the default settings for Identity in an ASP.Net website template for Visual Studio 2015 but I am using VS 2019. All I did was un-comment a few lines of code in Startup.Auth.cs and the result is:

app.UseFacebookAuthentication(
appId: "myappid",
appSecret: "myappsecret");

If you visit the website and are logged in to Facebook  and you have not yet created an account using the external login. The site sends the user to Facebook where the user signs in and grants access. Then when redirected to the site the user is not logged in and no account is created.

If an account has already been created by that Facebook user the page refreshes without going to Facebook and without logging in the user in Edge and Firefox, but in Chrome the previously existing user is logged in.

This is the second time I have had a problem with Identity ceasing to work without me doing anything to it. I am really tired of getting out of the box Microsoft products that work at first only to just break later.

Answer 1

User-939035612 posted

This seems to be a permissions issue of some sort but I can't figure it out. I updated the version of the API on Facebook from 3.3 to 4.0 and now nothing works. I have the most recent versions of the owin nuget packages. The user signs in to Facebook just fine but when they are redirected to my site it says:

GEThttp://localhost:58182/Account/RegisterExternalLogin?providerName=Facebook&returnUrl=/Account/Login?ReturnUrl=%2fAccount%2fLogin&error=access_denied#_=_
[HTTP/1.1 302 Found 85ms]

Request URL:http://localhost:58182/Account/RegisterExternalLogin?providerName=Facebook&returnUrl=/Account/Login?ReturnUrl=%2fAccount%2fLogin&error=access_denied
Request method:GET
Remote address:[::1]:58182
Status code:
302
Version:HTTP/1.1

Response headers (346 B)
Raw headers
Content-Length
131
Content-Type
text/html; charset=utf-8
Date
Fri, 09 Aug 2019 00:57:56 GMT
Location
/Account/Login
Server
Microsoft-IIS/10.0
X-Powered-By
ASP.NET
X-SourceFiles
=?UTF-8?B?QzpcVXNlcnNcc3VsbGlc…mVnaXN0ZXJFeHRlcm5hbExvZ2lu?=
Request headers (614 B)
Raw headers
Accept
text/html,application/xhtml+xm…plication/xml;q=0.9,*/*;q=0.8
Accept-Encoding
gzip, deflate
Accept-Language
en-US,en;q=0.5
Connection
keep-alive
Cookie
AspxAutoDetectCookieSupport=1;…1245038061.1565310992; _gat=1
Host
localhost:58182
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Windows NT 10.0; …) Gecko/20100101 Firefox/68.0

Answer 2

User-939035612 posted

This is the best solution I can find. Honestly it is because it the only one that will let me plan my life without having to worry about fixing external logins ever again:

https://copblaster.com/blast/1204/why-using-external-logins-with-asp-net-identity-is-a-bad-idea

Answer 3

User753101303 posted

Hi,

This is the exact same situation in all browsers or are you still authenticated in Chrome ? You try to logged to the Facebook developer console (or whatever it is called) to see if you have some more information ? You have a page telling which change were done as it seems they have some kind of deadline for this change.

That said I only tried once and this is the only reason for which I have a FB account so I would have to create a blank new app to just try if it still works with the current ASP.NET FB documentation (maybe using ASP.NET Core even if for just seeing that something could work ?)

Answer 4

User665608656 posted

Hi CopBlaster,

According to your description, the messages shows that you may make a mistake in setting the url.

I suggest you should to check carefully whether the REDIRECT_URI is correct.

Here is an article about how to use Facebook account to register your application for your reference:

Registering your application with Facebook Graph API

Hope this will help you.

Best Regards,

YongQing.

Answer 5

User-939035612 posted

The deadline from Facebook was due to their system noticing that the app was causing problems for their users. Not necessarily a change by Facebook. I just spent a lot of time yesterday looking at various examples that people have posted with similar problems over recent years and thought it looked like more trouble than it is worth. I don't like the idea of having to do this all over again at some future date just because some other website makes an "upgrade" that also breaks an older way of using the feature. The right way to do those types of upgrades is to make sure that they are always optional for people that do not have time to upgrade their site to use the new features but still want to use the old ones.

Answer 6

User-939035612 posted

I had the https://copblaster.com/signin-facebook URL on the list of approved  URLs along with Account/Login, Account/RegisterExternalLogin, etc. Did not fix the problem. I did not add ones for localhost since Facebook made it clear that when the app is in development role you do not need to do that, so I only tested localhost in development mode and the other live.

Answer 7

User-939035612 posted

Could this be because the redirect uri returns a 404 status code? It does that when loaded in any browser but when you test it on Facebook it says it is valid. It is just the default ASP.Net url which I noticed does not correspond to any real file.

Answer 8

User-939035612 posted

I got rid of the 404 by uncommenting routes.Ignore("signin-facebook/"); in my RouteConfig.cs file but I still get the same error from Facebook. The page itself (signin-facebook?code=somelongcode) returns a 302 status code. Is that normal?

Answer 9

User475983607 posted

A 302 status is an HTTP response sent by the server when the requested URL has changed.  The server is letting you know to update the URL.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302

Post your configuration and any relevant code if need debugging support.  As far as I know, Facebook uses OAuth with is a standard security flow.  If Facebook made any changes to the flow then you'll want to update in your side as well.

Answer 10

User-939035612 posted

I think I may have found the answer, but I'll have to try to get Facebook to unrestrict my app. I just signed up for a Moz trial and found out that a 302 redirect was added automatically by ASP.Net to all my pages by adding the querystring "?AspxAutoDetectCookieSupport=1". This impacted every single URL on the site.

I believe that this was because of a NuGet Package that I recently installed. Captcha by Captcha Inc. a.k.a. BotDetect Captcha was installed after Facebook authentication started working again and before it broke. I could be wrong, but I seem to recall seeing:

cookieless="AutoDetect" timeout="20" sessionIDManagerType="BotDetect.Web.CustomSessionIdManager, BotDetect"

That was the first time I had ever seen cookieless="AutoDetect" in my web.config. I have since changed it to "UseCookies" and now my pages return a 200 status code again.