Configure Facebook login for Discourse

:exclamation: As of February 2023, Meta has implemented a business verification requirement when publishing new and existing apps.

:warning: Updating the Facebook app API or creating a new app will break existing logins. See troubleshooting at the bottom of this post for a solution.

Configuration

Go to developers.facebook.com/apps and …

  1. Log in with the credentials of the account you want to connect to Discourse and follow the wizard.
    If you already have other apps, instead of Get Started you will see the entry My Apps; then just click on :heavy_plus_sign: Add new app and follow the guide from step 1b.

1a. Select Developer
 ![image|690x408,50%](upload://aps07RfPhmhHIHyMqO3RZkbnKaX.png) 
1b. Provide a name for the app, for example `Discourse Login` and click on <kbd>Next</kbd>.
 ![image|690x435,50%](upload://bqzuaZ5sdnGEdaWWtUqvv9zO6qU.png) 
1c. Click on <kbd>Add your first product</kbd>
 ![image|690x352](upload://8VWUUU5YYXsCVOC2GrhJb3bJbmj.png)
  1. Click Set Up below Facebook Login.

  2. From the menu on the left, exit Quickstart by clicking on Settings under Facebook Login

  3. Set up the Valid OAuth redirect URI field, entering https://discourse.example.com/auth/facebook/callback – obviously, replacing the domain with your site’s actual domain name and matching the HTTPS protocol. Remember that the HTTPS protocol is now mandatory for all URI redirects. Click Save Changes.
    Once completed, a successful setup should look like this in Products/Facebook Login/Settings:

  4. Navigate to Settings/Basic, enter your Discourse URL (https://discourse.example.com) in the App Domains field and also enter the URL for your Discourse site privacy policy and Terms of Service in the appropriate fields and also upload the icon of your site. (Mind that for your privacy and tos link to be verified, you should have a valid SSL certificate integrated, which is not self-signed. If the certificate is missing, or self-signed, you won’t be able to save your changes).
    If you have a company that does business in the European Union, you may want to fill in the Data Protection Officer Contact Information form before clicking on Save Changes.

    ⚠️ Facebook has changed this step to ask for extra information. We are currently working to determine what you need to provide; see recent replies. (November 2020)

    There is now a field for User Data Deletion information for GDPR compliance. Select “Data Deletion Instructions URL” from the dropdown and add a link to a page (such as https://discourse.example.com/tos#deletion) which contains a sentence like “Accounts on this site can be anonymized or deleted at the user’s request. Contact our @support group for details.”

  5. At the bottom of the page click on :heavy_plus_sign: Add Platform and select Website

  6. Enter your Discourse URL here, for example https://discourse.example.com and click Save Changes

  7. Click on the Status button to change your app from in development to public.


    The category you select does not matter.

    After a few seconds the button will become:

  8. In Discourse site settings, enter your Facebook app’s App ID and App Secret in the facebook app id and facebook app secret fields. You’ll also want to check off Enable Facebook authentication, requires facebook_app_id and facebook_app_secret

That’s it! Facebook login should work now. Be sure to test it from a “normal” Facebook account, not your developer account.

Troubleshooting

Hosted Customers

:discourse2: If you are a Discourse hosting customer, contact us via the email address on your site dashboard and we will be happy to assist. :+1: :slightly_smiling_face:

If you’re hosted by another provider you will need to contact them for any server-related tasks or issues.

Self-hosters

If the Facebook app API is updated, or the app ID/secret are changed, you’ll need to remove existing associations from your site before users can log in again. To remove this data, run the following:

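```
# On the host: enter the Discourse container
cd /var/discourse
./launcher enter app
# Inside the container: open the Rails console
rails c
# In the Rails console: delete every stored Facebook association
UserAssociatedAccount.where(provider_name: "facebook").delete_all
```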

Last edited by @martin 2024-06-11T07:00:30Z

77 Likes

The process for configuring this has changed a bit I think with the rebrand to ‘Meta’. Here is a walkthrough:

1a. After clicking New App

Consumer seems to be the best choice, giving a nice limited set of options with all we need.

At the end - Advanced Access

You now seem to need to request “Advanced Access” to the Facebook user’s email address. This seemed to require just a few clicks and was automatically granted. However, it took a bit of poking about to find it before it popped up.

There also seems to be the need to review access within the next month or so. All in all it is a lot more pfaff than setting up the other OAuth logins.

6 Likes

So I was able to configure Facebook login as a method for users to sign up finally (my original app stopped working after Facebook updated its GDPR compliance). For those interested, create a brand new app in Facebook and in addition to the steps mentioned in the first post, you will also need these steps on your Facebook developers page for your app:

App Review → Permissions and Features

  • public_profile → Click Get Advanced Access → Follow instructions
  • email → Click Get Advanced Access → Follow instructions

Now your users should be able to sign up using Facebook and they should receive email notifications to subscribed posts as well

3 Likes

I’ve given up on Facebook login integration. Either these are bots or they don’t take the time to read. It’s now the second time they bring up that my privacy policy violates theirs. The first time I was able to resolve it. Now the issue came back.

Their reaction after me repeating that my privacy policy does perfectly well address their demands:

Hallo,

Thank you for contacting us about your app.

The Privacy Policy linked to your app must comply with Facebook Platform Policy 4.b:

This policy states that you must include all of the following:

  • A clear explanation of what data you are collecting and processing (done)
  • The purpose for which you are collecting and processing that data (done)
  • How users may request deletion of that data (pending - deleting account or content is not similar to user can request data deletion. You may change your sentence to makes the Platform Terms 4.b compliant)

For more information regarding our Privacy Policy requirements, please visit section four of the Facebook Platform Terms: Platform Terms - Meta for Developers.

Thank you for your cooperation. Please respond to this email when your app has been updated or if you have any questions about this request.

Facebook

While sharing a screenshot which perfectly well describes how users can request data removal and what kind of data it is.


Anyway, the most important thing I want to know now is this. People that used Facebook to login, are they still able to login with a username/password combination? Or does it mean I’ve lost those users?

1 Like

If they didn’t previously set a password they’ll need to request a reset email, but yes they can login with a password. We just went through this on our forums and for the same reason.

4 Likes

There is no #deletion section in my default TOS :frowning:

What content should I add if I manually create that section?

1 Like

I did my best to update our privacy policy to comply with their comments: Privacy - TZM Community Forum

It was okay at first, then after a month or 2 they came back with the same complaints. For some reason no change was sufficient, so they deactivated the app. I’ve removed it afterwards, life is too short to argue with Facebook (bots).

6 Likes

During their annual check-up, Facebook can’t load my Discourse. They are stuck on the loading screen.
The forum works well on my side and there are connected users.

(https://unicyclist.com).

I told them to try again, and they again told me that they couldn’t load the page.

So, they…

kindly ask that you provide us with screencast that also includes the following items:

  1. Your app name, app ID and app icon.

  2. Your complete Facebook Login flow (if you’ve implemented Facebook Login, show an app user locating the Facebook Login button).

  3. Your app’s account creation and login flow, if your app users can create accounts and log into your app without using Facebook Login.

  4. For each permission that your app has access to, show an app user accessing data that requires the permission, as well as what your app does with that data.

  5. A Facebook Login flow that shows what happens when an app user denies a permission that your app asks for.

  6. The location of your privacy policy in your app. Click the link to your privacy policy to show your policy’s content.

  7. Content inside your app.

  8. Social plugins, if any, and how they are being used. For example, liking or following Pages, sharing content on Facebook or inviting or tagging friends. If your app is available on different platforms (Connect, iOS, Android, Canvas…), please make sure to show all of the information above for the platforms listed.

Meta is so difficult to work with that I might simply remove all their features from my forum(s), which are Facebook logins and Instagram (a bit wonky) embedded iframes (I miss the old oneboxes).
I can’t even have previews of Facebook links posted inside topics (maybe because of this non-resolvable thing).

I’m not sure these features are worth bothering.


Edit: a friend who administrates a Discourse forum received the same email from Facebook and wondered how many of their users actually had a linked Facebook account.

You can use this query in data explorer to get the number of users that posted at least once during the last year from now and that have a linked Facebook account:

```sql
SELECT count(*)
FROM users
LEFT JOIN user_associated_accounts ON user_id = users.id
WHERE last_posted_at > now() - '1 year'::interval
AND provider_name = 'facebook'
```

If you want to compare with all users:

```sql
SELECT count(*)
FROM users
WHERE last_posted_at > now() - '1 year'::interval
```

From my forum, 411 users posted at least once in the last year, and 30 of them have a linked Facebook account. That doesn’t mean that they use it though.


Edit: it’s done, I’ve disabled Facebook features from my forums. I thought maybe it was a loss, but announcing it gave me a lot of likes :laughing:. It seems that my communities aren’t particularly fond of Facebook after all…

6 Likes
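
An added Data Explorer query (not part of the posts above) that returns both counts in one row and also shows how many linked accounts actually signed in through Facebook in the last year, which is the figure to check before disabling the provider or deleting associations. It assumes `user_associated_accounts.last_used` is updated each time a user logs in through that provider.

```sql
-- Added example, not from the original posts.
-- Assumption: user_associated_accounts.last_used holds the time of the
-- most recent login through the provider.
SELECT
  -- everyone who posted in the last year
  count(*) AS active_posters,
  -- of those, how many have a Facebook association at all
  count(uaa.user_id) AS with_facebook_link,
  -- of those, how many actually logged in via Facebook in the last year
  count(*) FILTER (
    WHERE uaa.last_used > now() - '1 year'::interval
  ) AS used_facebook_login_last_year,
  -- linked, but the link has not been used for a year or more
  count(*) FILTER (
    WHERE uaa.last_used <= now() - '1 year'::interval
  ) AS facebook_link_stale
FROM users u
-- Keep the provider filter in the ON clause so users without a
-- Facebook link still count toward active_posters.
LEFT JOIN user_associated_accounts uaa
  ON uaa.user_id = u.id
 AND uaa.provider_name = 'facebook'
WHERE u.last_posted_at > now() - '1 year'::interval
```

Users counted in `used_facebook_login_last_year` are the ones most likely to need a password reset email if Facebook login is removed.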

After I changed my forum server, my users and I are unable to use Facebook login to enter speech; the following error appears:

Sorry, there was an error authorizing your account. Try again.

Does anyone know why and how to fix it?

Do you have the same url for your forum?

1 Like

I got all the way to the “Go Public” step, and bam …

Business verification required to go live

Before you can go live, an app admin must complete business verification. Once your business account has been verified, you can come back to this page and go live. Learn more about business verification.

Business verification is hopelessly out of reach in my case, because I don’t have a legally incorporated business:

I googled and found that this change took place just 3 months ago, i.e. February 2023:

I guess I’m permanently screwed. Forget Facebook login for me. Small, informal websites are just banned from the playground now. :neutral_face: :disappointed:

3 Likes

Here is some more info about the roadblock I found.

Graph API docs:

email

This permission or feature is only available with business verification.

public_profile

This permission or feature is only available with business verification.

2 Likes

I received a Facebook developer email saying I will lose access to my app (that is used for FB login and instagram oneboxing, afaik) unless I complete business verification.

My instance is just a hobby and in no way earns enough to be justified as a business. Just wondering how anyone else plans to tackle this?!?

3 Likes

Tell users to log in another way? Bake some cookies, bring them to Mark Zuckerberg’s door, and offer them on your knees?

In all seriousness, I think it’s the end of the line. Nobody controls Facebook’s website API except Facebook. This isn’t a problem that can be “solved” with creative thinking, or engineered around.

Sorry to be the bearer of bad news :disappointed:

So to clarify, is there any way to use Login with facebook without having a verified business?

Clarification on this, does this mean the user data will be deleted and a new user will be created for Discourse, or does it mean that the user will need to be re-authenticated (provide permissions to share information) by Facebook at the next login?

So to clarify, is there any way to use Login with facebook without having a verified business?

No, not to my knowledge

1 Like

Has anyone else received this email from Meta?

It looks like some folks encountered this last year, so perhaps it’s my turn now. I’m not a business, so does this mean I’ll need to remove sign-in via Meta looking forward?

Complete Data Use Checkup for X Community

Protecting people’s privacy is a major priority for Meta and the developers who build on our platform. That’s why we require an annual checkup to make sure your API access and data use comply with Meta’s policies. Learn more.

Here’s what you need to do for X Community before May 30, 2024 to maintain API access and avoid restrictions:

  1. Examine your previously approved or added permissions and features.
  2. Certify this app follows the allowed usage.
  3. Certify that you are following the Meta Platform Terms and Developer Policies, together with all other applicable terms and policies.
  4. Answer questions about your data handling practices. Learn about our data handling guidelines.

Data Use Checkup is a requirement that must be completed once per year by an app admin.
Make sure each app is connected to a verified business—this is required in order to submit Data Use Checkup.

1 Like

Yes, it means exactly that.

Thanks sir.

Now I’ll have to walk through what I need to change in the config. It’s always something, isn’t it? :smile: