Configuring Facebook login for Discourse

I’ve sent you a PM with the correspondence that I had with them as a series of pdfs in case if this comes up for other people.

1 Like

I have never signed into anything using Facebook (or anything else) as I didn’t see why Facebook should find out even more about me, and didn’t want to share my Facebook information with other websites either. But having tried it out on my own forum, it was a struggle to go back to using a password to log in. I understand your position better now!

Can someone familiar with how this feature works say if the following change announced in Facebook API v8.0 will impact Facebook login for Discourse?

Developer Action Required

Changes to tokenless access for User Picture and FB/IG OEmbed endpoints: By October 24, 2020, developers must leverage a user, app, or client token when querying Graph API for user profile pictures via UID, FB OEmbeds and IG OEmbeds. Developers should provide a user or app token when querying for profile pictures via a UID or ASID, though client tokens are supported as well. Please visit our changelog for User Picture, Facebook OEmbed and Instagram OEmbed for details on how to start calling these Graph API endpoints today.

User Picture

Applies to all versions on Oct 24, 2020.

Starting October 24, 2020, the GET /{user-id}/picture endpoint ( GET /{user-id}?fields=picture ) will require an App-Scoped User ID (ASID) for tokenless requests. If you query the User with a non-ASID, you must include an App, Client, or User Access Token in the request. Refer to the User Picture reference for details.

The only thing you need to do is update Discourse to the latest version. We recently updated our facebook authentication library so that it now passes a token to the profile picture endpoint.


There seems now to be an extra GDPR-related input box at step 5: see Privacy Policy Link required for Facebook login App creation is not accepted - support - Discourse Meta.


I went through the process of configuring Facebook logins yesterday. Facebook is asking for either a “Data Deletion Callback URL” or for a “Data Deletion Instructions URL” to be added to the “User Data Deletion” field. Since Discourse doesn’t have a callback URL for data deletion, I added instruction for how to request data deletion to my site’s Privacy page and then added a link to those instructions to the “User Data Deletion” field. Details about what I added can be found here: Privacy Policy Link required for Facebook login App creation is not accepted.

After doing this, I was able to submit the form without any issues. I’m still not certain that this is the information that Facebook is looking for. I’ll try to confirm that and update step 5 of the guide. If anyone has more information about this, or has tried other approaches, please let us know.


Facebook Login is not working anymore. You need data deletion information now to change from Developer mode to Live mode. Will Discourse come out with an official solution to this problem?


Have you read the post just above yours and tried to do what is indicated?


This seems to be more of a hack to get to Live mode. I’m asking will there be an official solution to this problem from the Discourse team? Ie a specific page created like TOS and the Privacy Policy with Data Deletion instructions or a Data Deletion Callback URL?

Would this site setting solve your problem?

enable page publishing: Allow staff members to publish topics to new URLs with their own styling.

1 Like

It’s certainly possible yeah, but it’d require each Discourse user that wants to have a Facebook login on their forum to go through the rigmarole of creating their own topics and converting them into a static page. I was hoping the core Discourse team could add a new page in an update (like the TOS or Privacy Policy page) that Discourse users could link in this section of the Facebook Developer settings. I’m not a software developer so I don’t honestly know. I guess I was looking for clarity from the Discourse team about how this is going to be addressed, that’s all. Thanks for your comment though Jonathan. It’s certainly an interesting idea and a possible work around.

I’ve taken the liberty of adding a paragraph to step 5 in the original post:

There is now a field for User Data Deletion information for GDPR compliance. Select “Data Deletion Instructions URL” from the dropdown and add a link to a page (such as ) which contains a sentence like “Accounts on this site can be anonymized or deleted at the user’s request. Contact our @support group for details.”

I don’t think the deletion information needs to be on a separate page. Facebook’s own guidance at Data Deletion Callback - App Development - Documentation - Facebook for Developers mentions “Provide a URL with explicit instructions for users on how to delete their data by way of a third-party website or tool. The third-party website may be the relevant section in the application’s Privacy Policy.”

I also replied with more information on the related topic here: Privacy Policy Link required for Facebook login App creation is not accepted - support - Discourse Meta.


Yes, that’s true but it also says it needs a Callback URL to respond to the data deletion request made on Facebooks Website & Apps settings.


1 Like

It requires either a callback URL or a instructions URL, not both.


Our FB login has been working fine for more than a year. Now we have received a non-compliance email:

"Your app Community Login (AppId: 1841981149267724) doesn’t comply with the following:

Developer Policy 3.2 - Encourage Proper Use

We found that your app includes forms of incentivization that are not allowed. Only incentivize a person to log into your App, enter a promotion on your App’s Page or on Instagram, check-in at a place, or to use Messenger or Instagram Messaging to communicate with your business. Do not incentivize users with other actions."

Has anyone else received such an email? What do I need to do to fix this?


I wonder whether it’s this:


See here:


Thanks @osioke. So I turned off 3 sharing badges in the Settings. Do I just email them back?

1 Like

I just read that only thing they have done is to restrict feed stories:

Since we’re striving to improve the Platform experience, your app’s ability to do the following has been restricted.

  • feed_stories

Does that limit us in any way on the discourse forums? Maybe its not worth removing the sharing badges?

1 Like

I got an obviously automated message with a one week suspension threat. No ask for a test account. It reads in part:

In order to keep the Facebook platform and community safe, we periodically review apps for compliance. We need the following information/action from you on your app, Ocean Gate Forum (AppId: xxxx), in order to approve your app’s continued operation on our platform.

Platforms affected: Connect URL.

Platform Policy 6.1: Verify that you have integrated Login correctly. Your app shouldn’t crash or hang during the testing process.

During Login, your app is crashing or hanging excessively, creating a broken experience for people trying to use your app. To make sure this flow runs smoothly, check that you’ve integrated Facebook Login correctly. We recommend that you test Login on all integrations.

• Here’s our quickstart guide for implementing Facebook Login for Android: can’t post more than two links
• We encourage you to test your Login integration following these steps here: Testing - Facebook Login - Documentation - Facebook for Developers
• Best Practices for Login can be found here: Best Practices - Facebook Login - Documentation - Facebook for Developers

This letter is so generic I have very little idea what they’re talking about. I went through their step-by-step instructions for testing Facebook logins, and as far as I can see everything is working. And then I went through the Discourse documentation to confirm the setup. Maybe it’s a false alarm or they see something I’m missing. Searching the web for discussion about this form-email has turned up multiple cases of people as confused as I am, all saying that FB is completely non-responsive to attempts to resolve whatever issue exists.