Configuring Facebook login for Discourse

(Jeff Atwood) #1

:warning: Updating the Facebook app API or creating a new app will break existing logins. See troubleshooting below for a solution.

:pushpin: Update December 2018: From now on the HTTPS protocol is mandatory for all URI redirects. :pushpin:


Go to and …

  1. Login with the credentials of the account you want to connect to Discourse and follow the wizard.
    If you already have other apps instead of Get Started you will see the entry My Apps, then just click on :heavy_plus_sign: Add new app and follow the guide from step 1b

    1a. Select Developer

    1b. Provide a name for the app, for example Discourse Login and click on Next.

    1c. Click on Add your first product

  2. Click Set Up below Facebook Login.

  3. From the menu on the left, exit Quickstart by clicking on Settings under Facebook Login

  4. Setup the Valid OAuth redirect URI field, entering – obviously, replacing the domain with your site’s actual domain name and matching the HTTPS protocol. Remember that the HTTPS protocol is now mandatory for all URI redirects. Click Save Changes.
    Once completed, a successful setup should look like this in Products/Facebook Login/Settings:

  5. Navigate to Settings/Basic, enter your Discourse URL ( in the App Domains field and also enter the URL for your Discourse site privacy policy and Terms of Service in the appropriate fields and also upload the icon of your site.
    If you have a company that does business in the European Union, you may want to fill in the Data Protection Officer Contact Information form before clicking on Save Changes.

  6. At the bottom of the page click on :heavy_plus_sign: Add Platform and select Website

  7. Enter your Discourse URL here, for example and click Save Changes

  8. Click on the Status button to change your app from in development to public.

    The category you select does not matter.

    After a few seconds the button will become:

  9. In Discourse site settings, enter your Facebook app’s App ID and App Secret in the facebook app id and facebook app secret fields. You’ll also want to check off Enable Facebook authentication, requires facebook_app_id and facebook_app_secret

That’s it! Facebook login should work now. Be sure to test it from a “normal” Facebook account, not your developer account.


If the Facebook app API is updated, or the app ID/secret are changed, you’ll need to remove existing associations from your site before users can log in again. To remove this data, run the following:

```
cd /var/discourse
./launcher enter app
rails c
UserAssociatedAccount.where(provider_name: "facebook").delete_all
```

If you are a Discourse hosting customer, contact @team and we can assist.

(Jakub Ryška) #8

I can see, that the login with facebook creates a popup during the login. Is there a way, how to configure it so it doesn’t create the popup but maybe a redirect instead of it? The popups may be blocked by the user browser.

(lid) #9

It will be interesting to see if the Facebook library will detect a popup blocker and make the redirect instead.

@coubeatczech can you test it by setting your browser to block popups on your test site?

(Jakub Ryška) #10

Yes, if I add a popup blocker to my browser, it then immediately kills the popup and the login will fail.

(Jeff Atwood) #27

Yes, you’ll see this alert but only if you log in using the Facebook credentials of the person who registered this Facebook application:

We can’t see any other consequence of this; the local login works fine.

(Marco) #29

I get an error: “This account is not authorized to manage apps. Please use your verified personal Facebook account to create and manage your apps.”

I have a “company” account on FaceBook.

(Ryan Bolger) #30

I noticed this as well. I was checking the Facebook developer’s guide on default permissions and they basically state that your site must support the condition that users will now allow their email address to be shared. It’s also the case that users can have a facebook account that doesn’t have an email address associated with it (because they signed up with a phone number).

So on the Discourse side, this needs to be handled more gracefully either by allowing a manually entered address or simply telling the user that they must go back and re-authorize the email address permission.

@Grimbly In order to go back and reset the permissions you gave to the site, you need to login to Facebook and go to Settings - Apps. From there, delete the entry for your Discourse related app.

(blaumeer) #31

Have you solved the issue @vulkanino? You need a verified personal Facebook account, meaning a personal account tied to a telephone number or other verification method, then use this account to login as developer and create a new app.

(Marco) #32

I forgot about it actually!
I didn’t want to create another FaceBook account but it looks like this is the only way to go.

(Fábio Machado De Oliveira) #33

My discourse is asking for user e-mail when I register with facebook login, then it asks for e-mail confirmation. What did I do wrong? This doesn’t happen here in

(Kane York) #34

That happens if Facebook isn’t reporting that your email has been verified.

edit: Yep, here’s your login list here on Meta:

(John Ellis) #55

Nevermind! Our facebook app page was setup as a desktop app, rather than a web app. I made some changes and it’s working now.

(Joshua Rosenfeld) #65

Some minor UI changes by Facebook, but the overall instructions were correct. I’ve updated the guide.

(Daniela) #66

I proceeded to update the guide (steps and images).

(Dražen Lučanin) #67

Discourse’s OAuth request callback for some reason uses http even though my instance is on https. I had to whitelist to get Facebook login to work.

(Jay Pfaffman) #68

Is force https checked?

(Dražen Lučanin) #69

I tried setting force_https to true, but I couldn’t log in at all (had to manually set it back to false). Perhaps I did something wrong with my HTTPS setup. But normally the site is fully served over HTTPS and I even redirect to HTTPS on the DNS level.

(Felix Freiberger) #70

Do you have a reverse proxy? If so, do you pass the X-Forwarded-Proto header?

(Dražen Lučanin) #71

Excellent spotting @fefrei :slight_smile: Works now that I added proxy_set_header X-Forwarded-Proto $scheme; in my nginx server definition and after I force HTTPS everything works. I can now force HTTPS in the Facebook app settings as well.
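
The exchange in #67 to #71, as an added example that is not part of the thread and not Discourse's or Rack's own code: a simplified Ruby model of why an app behind a TLS-terminating proxy builds an `http://` OAuth callback until the proxy passes `X-Forwarded-Proto`, and why that header should only be honoured when it comes from the proxy. The host name, the callback path, the proxy address and all sample requests are assumptions constructed for the illustration.

```ruby
require "uri"

# Simplified model (not Discourse's or Rack's code) of how an app behind a
# TLS-terminating proxy picks the scheme for its OAuth callback URL.
TRUSTED_PROXIES = ["127.0.0.1"].freeze # assumed: nginx runs on the same host
REGISTERED_REDIRECTS = ["https://forum.example.com/auth/facebook/callback"].freeze # constructed

# Honour X-Forwarded-Proto only when the direct peer is the trusted proxy.
def effective_scheme(env)
  from_proxy = TRUSTED_PROXIES.include?(env["REMOTE_ADDR"])
  forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
  return forwarded if from_proxy && %w[http https].include?(forwarded)
  env.fetch("rack.url_scheme", "http") # scheme of the proxy-to-app hop
end

def callback_url(env)
  "#{effective_scheme(env)}://#{env.fetch('HTTP_HOST')}/auth/facebook/callback"
end

# Provider-side rule from the guide: HTTPS only, exact match with a registered URI.
def redirect_accepted?(url)
  URI.parse(url).scheme == "https" && REGISTERED_REDIRECTS.include?(url)
end

# Constructed requests as the app server sees them (plain HTTP from nginx).
BASE = { "HTTP_HOST" => "forum.example.com", "rack.url_scheme" => "http" }.freeze
WITHOUT_HEADER = BASE.merge("REMOTE_ADDR" => "127.0.0.1").freeze
WITH_HEADER = WITHOUT_HEADER.merge("HTTP_X_FORWARDED_PROTO" => "https").freeze
SPOOFED = BASE.merge("REMOTE_ADDR" => "203.0.113.7",
                     "HTTP_X_FORWARDED_PROTO" => "https").freeze

if __FILE__ == $PROGRAM_NAME
  { "proxy omits header" => WITHOUT_HEADER,
    "proxy sets header" => WITH_HEADER,
    "header from untrusted peer" => SPOOFED }.each do |label, env|
    url = callback_url(env)
    puts format("%-28s %-52s %s", label, url,
                redirect_accepted?(url) ? "accepted" : "rejected")
  end
end
```
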


It is not possible to add website as a platform anymore in the interface. Any suggestions of how to do instead?