6

I am following this tutorial on Spring Boot with OAuth: https://spring.io/guides/tutorials/spring-boot-oauth2/

In the 'click' app, I added:

security:
  oauth2:
    client:
      clientId: 233668646673605
      clientSecret: 33b17e044ee6a4fa383f46ec6e28ea1d
      scope: email  # <------- ***** THIS IS WHAT I ADDED ***** ---------
      accessTokenUri: https://graph.facebook.com/oauth/access_token
      userAuthorizationUri: https://www.facebook.com/dialog/oauth
      tokenName: oauth_token
      authenticationScheme: query
      clientAuthenticationScheme: form
    resource:
      userInfoUri: https://graph.facebook.com/me

logging:
  level:
    org.springframework.security: DEBUG

I used one of my test Facebook accounts and everything worked. The Principal object contained the email address. The credentials in the above-mentioned config file were part of the tutorial.

To test things out with my own OAuth registered app, I went to my regular account and created a Facebook developer account with an app that used the Facebook Login as a product.

I then placed my own clientId and clientSecret into the YAML file, repackaged the app and ran it.

The email address for the same test Facebook account was not received from Facebook.

Any ideas as to why the one in the tutorial worked and mine didn't?

Here is what my Facebook Login config looks like: [screenshot]

Any ideas?

Any help would be much appreciated!

Thanks!

user1902183
  • 2
    Since you just posted your app id and secret here, everyone now has a valid app access token for your app ... You need to go reset the app secret in your app dashboard, now. – CBroe Apr 10 '17 at 07:59

2 Answers

18

Ok, I FINALLY figured it out, so posting it here for whoever else may run into this. I couldn't find the answer so easily.

You wrote that tutorial before Facebook Graph API changed.

Now, just because you specify 'scope: email', it just allows you to get the email (after the user approves). However, to actually get the email, you need to explicitly specify that in the URL itself. So, in the config above, this line would change (note the extra '?fields=email,name'):

userInfoUri: https://graph.facebook.com/me?fields=email,name 

This is a change to the Facebook API as of version 2.4. It's at 2.8 as of this writing. See this link: https://developers.facebook.com/blog/post/2015/07/08/graph-api-v2.4/

(In particular, pay attention to what it says in the 3rd bullet, starting with 'Fewer default fields for faster performance..')

Hope this helps someone!

user1902183
  • This did help, thank you! And when people run into this I now recommend to always try the access token that OAuth gives you with the [Graph API Explorer](https://developers.facebook.com/tools/explorer/). – a paid nerd Dec 02 '17 at 20:56
  • Even though I ask for the email scope and me?fields=email, Facebook still does not return the email! – sam360 Dec 20 '17 at 18:30
  • 3
    For people like me looking at this in 2018: I had the same issue while using spring-social-facebook 2.0.3. To resolve it, I had to add scope: email,public_profile into application.yml, and change userInfoUri: https://graph.facebook.com/me?fields=email,name,locale – Khobar Oct 15 '18 at 10:29
2

I know this is kind of old, but for security reasons for anyone coming here to find help:

DO NOT PUBLICLY POST YOUR CLIENT_ID or CLIENT_SECRET, or have them in your app.js etc. either. Proper protocol is to create a .env file (the . in front denotes that it stays hidden; also add this ".env" file to your ".ignore" file so that it doesn't get uploaded to GitHub or any other repository you upload files to). Inside the .env file, you should enter lines such as:

FACEBOOK_CLIENT_ID:123456789 (where the number is what is given to you)
FACEBOOK_CLIENT_SECRET:987654321 (again, this number is given to you)

*Please note the stuff to the left of the : is all upper case with underscores, and there should be no spaces on either side of the :. Also, no commas or ; between lines.

Then in your app you should refer to these as process.env.FACEBOOK_CLIENT_ID and process.env.FACEBOOK_CLIENT_SECRET (or whatever you called them, as long as it matches, plus the "process.env." before it).

Lastly, you will need to require it by:

1) installing it (npm i dotenv) in the command field or similar.

2) require("dotenv").config(); at line 1 of your app code (or as close as you can before other requirements)
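
Added example (not part of either answer or of the Spring tutorial): a small pre-commit style check that flags literal OAuth client secrets in YAML or .env text and accepts a `${ENV_VAR}` placeholder, which Spring resolves from the environment at startup. The function names, the "key name contains secret" rule, and the sample values are assumptions made for illustration.

```javascript
// Matches "clientSecret: value", "FACEBOOK_CLIENT_SECRET=value", "export X_SECRET=value".
// Assumption of this sketch: a key is sensitive if its name contains "secret".
const SECRET_LINE = /^\s*(?:export\s+)?([\w.-]*secret[\w.-]*)\s*[:=]\s*(.*)$/i;
// ${ENV_VAR} with no inline default: the real value lives outside the repository.
const PLACEHOLDER = /^\$\{[A-Za-z_][A-Za-z0-9_.]*\}$/;

function normalize(raw) {
  // Drop a trailing " # comment" and one pair of surrounding quotes.
  let v = raw.replace(/\s+#.*$/, '').trim();
  if (/^(['"]).*\1$/.test(v)) v = v.slice(1, -1);
  return v;
}

// Returns [{ line, key }] for each literal secret. The value itself is never
// returned, so the check's own output cannot leak it into CI logs.
function findHardcodedSecrets(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((row, i) => {
    if (/^\s*#/.test(row)) return;                 // whole-line comment
    const m = SECRET_LINE.exec(row);
    if (!m) return;
    const value = normalize(m[2]);
    if (value === '' || PLACEHOLDER.test(value)) return;
    findings.push({ line: i + 1, key: m[1] });
  });
  return findings;
}

// Constructed sample config in the shape of the question's YAML (values made up).
const sampleYaml = (secret) => [
  'security:',
  '  oauth2:',
  '    client:',
  '      clientId: 123456789',
  `      clientSecret: ${secret}`,
  '      tokenName: oauth_token',
].join('\n');

// Literal secret committed to the file: one finding, on line 5.
console.log(findHardcodedSecrets(sampleYaml('0123456789abcdef0123456789abcdef')));
// Secret externalized to an environment variable: no findings.
console.log(findHardcodedSecrets(sampleYaml('${FACEBOOK_CLIENT_SECRET}')));
```

A placeholder with an inline default such as `${FACEBOOK_CLIENT_SECRET:abc}` is still reported, because the default is itself a literal stored in the file.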