0

I am trying to implement deauthorize callback for a facebook application implemented in rails.

I configured a deauthorize callback url that points to an existing route in my application. However, when I remove the app from my facebook profile's app settings page, i.e. the action that should trigger the deauthorize callback, I can only see this in my nginx access log.

66.220.158.244 - - [13/Aug/2012:09:47:12 +0200] "-" 400 0 "-" "-"

In the rails log it does not even show. Since the ip address is in facebook's ip range it seems that facebook hits my server, but something odd is going on.

I can successfully call the deauthorize callback url manually and when I do it shows up in the logs as expected.

Any hints to what is happening here?

zentralmaschine
  • 595
  • 7
  • 19
  • That line is from the _access_ log – doesn’t nginx also have an _error_ log? If so, you should look there first. Do you maybe have anything in your server config/your script that tries to recognize “bots” and tries to block them from accessing your page, or do you test for specific user agents sounding like “a real browser” or something …? – CBroe Aug 13 '12 at 12:06
  • Aha, I checked the robots.txt and that was indeed pretty restricting. Changed that, but to no avail (maybe due to facebook's caching policies). Does the deauthorization callback really honor robots.txt? Unfortunately, that line from the access log is the only indication, that facebook is interacting with the server at all. The error log is utterly silent about this. – zentralmaschine Aug 13 '12 at 13:11
  • 1
    I don’t see the robots.txt coming into play here. First of all, if Facebook was trying to adhere to it, you should find an entry for their scraper requesting /robots.txt in your access log; and secondly then there would be no request for your callback URL at all. If the error log says nothing about this error, then I’d suspect it’s rather not an error triggered by the server itself, but more likely by your application, which itself decides to answer the request with 400. – CBroe Aug 13 '12 at 13:48
  • Hah! That was a push in the right direction. Thanks a lot! Increased the error log's log level to 'info' and it then did show a `SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca`. I find that still strange, because I did not have issues with the certificate before (it's a free StartSSL cert), but at least I have a lead now. Thanks a lot! – zentralmaschine Aug 13 '12 at 14:33
  • The same problem is described in [this question](http://stackoverflow.com/questions/10369169/facebook-deauthorize-callback-over-https). I did file a bug with facebook... – zentralmaschine Aug 13 '12 at 22:40

0 Answers0