Can't login to Discourse ID with Facebook

I saw the banner on meta.discourse.org saying that my Facebook social login would be removed, recommending that I switch to Discourse ID. So, I clicked the link to Discourse ID and tried Sign in with Facebook, and it failed.

It looks like your Facebook settings are incorrect. Since login with Facebook doesn’t work yet, I think y’all should extend the November 30 deadline.

Feature Unavailable

Facebook Login is currently unavailable for this app, since we are updating additional details for this app. Please try again later.

2 Likes

Thanks for the report, Dan. I was able to log in using my Facebook account, but I see that App Review processes have changed; we need to provide some details on how we use Facebook’s AI. That is now done and we are waiting for review. Our Facebook app doesn’t do anything special; it only enables login via Facebook, but nonetheless, Meta (Facebook) needs to review. Hopefully they do this soon.

We will look into extending the deadline for this here on meta depending on how quickly that review goes through.

2 Likes

A common gotcha with Facebook Login is that it will work for users who are listed on Facebook’s admin settings as “developers” of the Facebook app, but not work for the general public.

I believe you would be able to reproduce the problem by following Facebook’s guide to testing Facebook Login.

1 Like

Good suggestion, thank you. I just did that and logged in with a throwaway account (that isn’t admin or developer on the app). Saw this screen:

1 Like

It’s working a little bit better now, but still not quite working. I think you’ve set the redirect URL to the wrong URL.

To repro:

If I follow those steps, I get sent to the homepage of id.discourse.com, I don’t get redirected to meta. I get logged in to ID and shown the ID homepage.

Unless, :thinking: there’s something lingering from a previous meta login attempt for you… Can you repro this on a different browser?

I’m on macOS 26.1. I repro the bug in Chrome 142.0, but not in Safari 26.1.

In Chrome Dev Tools, here’s what I see, with a few sensitive bits (code and state parameters) replaced with REDACTED below:

And then I end up at https://meta.discourse.org/auth/failure?message=csrf_detected&strategy=discourse_id 200 OK :roll_eyes:

3 Likes

Thanks, I can reproduce under certain conditions. I think I can see what is happening.

When a user starts an authentication from meta, we store a value for destination_url on the ID instance so that after authentication, the user can be taken back to where they were. But when the authentication isn’t completed within a short amount of time (it fails or the user abandons auth), that destination_url is not cleaned up; it stays in the user’s browser session. The next time the user tries to log in, ID tries to redirect to that URL, but since it has an old code/state combination from the original auth flow, the redirect results in the “Sorry, the authorization timed out” error.

It should not redirect at all after a short amount of time. We need to make sure that the destination_url value gets cleaned up after 10 mins. I believe the code/state combo for authentication is only valid for 10 minutes, need to double check.

3 Likes
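
The stale `destination_url` behaviour described in the last post, as an added example that is not part of the thread and not Discourse ID's code: a session-backed store that expires the saved URL and removes it on first use, next to a lookup that does neither. The class, method names and sample URL are hypothetical, and the 10-minute TTL is the unconfirmed value the post proposes.

```ruby
# Added example with hypothetical names; not Discourse ID's actual code.
# The TTL is the 10 minutes proposed in the thread (assumed, unconfirmed).
DESTINATION_TTL = 10 * 60 # seconds

class DestinationStore
  KEY = "destination_url"

  def initialize(session, clock: -> { Time.now.to_i })
    @session = session # Hash-like per-browser session
    @clock = clock     # injectable so expiry can be exercised without sleeping
  end

  # Called when a login is started from a relying site such as meta.
  def remember(url)
    @session[KEY] = { "url" => url, "stored_at" => @clock.call }
  end

  # Called after authentication on ID succeeds. The entry is always deleted,
  # so it cannot leak into a later login attempt; the URL is returned only
  # while it is still inside the TTL.
  def consume
    entry = @session.delete(KEY)
    return nil unless entry.is_a?(Hash)
    age = @clock.call - entry["stored_at"].to_i
    return nil if age.negative? || age > DESTINATION_TTL
    entry["url"]
  end
end

# The behaviour the thread describes, for contrast: the value is read
# but never expired or removed.
def stale_lookup(session)
  session["destination_url"]&.fetch("url", nil)
end

# Constructed sample URL carrying a code/state pair from an earlier flow.
SAMPLE_URL = "https://meta.example/callback?code=OLD&state=OLD"

# Start a login, let elapsed_seconds pass, then finish a login.
def simulate(elapsed_seconds)
  now = 1_000_000
  session = {}
  store = DestinationStore.new(session, clock: -> { now })
  store.remember(SAMPLE_URL)
  now += elapsed_seconds
  leaked = stale_lookup(session) # what the unfixed flow would redirect to
  redirect = store.consume       # what the TTL-bound flow redirects to
  { leaked: leaked, redirect: redirect, session_empty: session.empty? }
end
```

With an 11-minute gap, `simulate` shows the unfixed lookup still returning the old URL while `consume` returns `nil`, so the user stays on the ID homepage and is not sent back with an expired code/state pair.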