Configuring Facebook login for Discourse

(Jeff Atwood) #1

:warning: Updating the Facebook app API or creating a new app will break existing logins. See troubleshooting below for a solution.

:mega: Update December 2018 – HTTPS protocol is now mandatory for all URI redirects.


Go to and …

  1. Log in with the credentials of the account you want to connect to Discourse and follow the wizard.
    If you already have other apps, instead of Get Started you will see the entry My Apps; then just click on :heavy_plus_sign: Add new app and follow the guide from step 1b.

    1a. Select Developer

    1b. Provide a name for the app, for example Discourse Login and click on Next.

    1c. Click on Add your first product

  2. Click Set Up below Facebook Login.

  3. From the menu on the left, exit Quickstart by clicking on Settings under Facebook Login

  4. Set up the Valid OAuth redirect URI field, entering – obviously, replacing the domain with your site’s actual domain name and matching the HTTPS protocol. Remember that the HTTPS protocol is now mandatory for all URI redirects. Click Save Changes.
    Once completed, a successful setup should look like this in Products/Facebook Login/Settings:

  5. Navigate to Settings/Basic, enter your Discourse URL ( in the App Domains field and also enter the URL for your Discourse site privacy policy and Terms of Service in the appropriate fields and also upload the icon of your site.
    If you have a company that does business in the European Union, you may want to fill in the Data Protection Officer Contact Information form before clicking on Save Changes.

  6. At the bottom of the page click on :heavy_plus_sign: Add Platform and select Website

  7. Enter your Discourse URL here, for example and click Save Changes

  8. Click on the Status button to change your app from in development to public.

    The category you select does not matter.

    After a few seconds the button will become:

  9. In Discourse site settings, enter your Facebook app’s App ID and App Secret in the facebook app id and facebook app secret fields. You’ll also want to check off Enable Facebook authentication, requires facebook_app_id and facebook_app_secret

That’s it! Facebook login should work now. Be sure to test it from a “normal” Facebook account, not your developer account.


If the Facebook app API is updated, or the app ID/secret are changed, you’ll need to remove existing associations from your site before users can log in again. To remove this data, run the following:

cd /var/discourse
./launcher enter app
rails c
UserAssociatedAccount.where(provider_name: "facebook").delete_all

If you are a Discourse hosting customer, contact @team and we can assist.

(RBoy) #73

Got this message today. Suggestions on what needs to be done here?

App Review required by August 1, 2018 to retain access to Facebook Platform APIs

The Facebook App Review process and API permissions model have been updated. Learn more.

In order to maintain your current API access, your app will need to be submitted for review by August 1, 2018. If your app is not submitted for review, you will lose access to these permissions and features.

  • user_friends

  • user_link

  • user_gender

  • user_age_range

The Facebook Platform APIs have been updated with these changes. Please review the FAQ to ensure you request the correct permissions and features with your app review submission.

If access to the permissions and features is approved, the app may need to be associated to a verified business to complete App Review.

(Steve Combs) #75

The FB announcement states:

If your app is not submitted for review, you will lose access to these permissions and features.

  • user_friends
  • user_link
  • user_gender
  • user_age_range

The FB submission process lists the following “default” Login Permissions.


Provides access to the person’s primary email address. This permission is approved by default.


Provides access to a person’s name and profile picture. This permission is approved by default.


Provides access to a person’s list of friends that also use your app. This permission is approved by default.

I believe Discourse is fine with the default Login Permissions, so doing nothing will have no impact. Fingers crossed.

(RBoy) #76

Maybe @codinghorror can confirm

(Jeff Atwood) #77

We don’t use any of those fields, never have, so I don’t know why it would matter. As @scombs said.

(Steven) #78

I have the same message, then I got curious and created a new app, but now you can only use API version 3.0 which seems to be not compatible with Discourse v2.0.0.beta10 +5 like here

(Jeff Atwood) #79

I believe it is compatible but you have to erase all the old FB tokens, @jomaxro can clarify.

(Joshua Rosenfeld) #80

Correct, the commands shared by @sam in How To Fix / Remove All Facebook Logins For Updated AppID are necessary after updating/changing the FB app. I’ll edit the commands into the guide above tomorrow.

(RBoy) #81

@codinghorror, I would like to clarify a few things here:

  1. If we don’t change the Facebook app and continue to use the existing app, FB will revoke the permissions I mentioned above and as I understand that information is not used by Discourse. So will things continue to function after they revoke access or do we need to create a new Facebook app?
  2. If one follows the instructions in the link posted by @jomaxro and nuke all the existing FB user information, does that mean existing users will need to sign up again? Will there be any impact to existing users?
  3. From a Facebook/Social media perspective we need to disclose what information is collected about the users (GDPR). So what fields are used by the Facebook integration?
(Joshua Rosenfeld) #82

Everything will continue to function. Discourse never used the extra information that it was apparently receiving, so not receiving it won’t change anything.

No, users won’t see a difference, they’ll continue to sign in as usual. We link accounts via email, so as long as they haven’t changed their FB email, nothing changes.

Full name, email, and profile picture (avatar).

(Arnon Axelrod) #84

I can’t find “Create or Add a New App” on Is the site changed, or maybe I have to first create a developer account?
I clicked the “Get Started” link in the top menu, but after filling in the App Name and Contact email and clicking Next, the “Next” button becomes disabled and nothing else happens.

(Daniela) #85

You should log in with your Facebook credentials; after that you will see a popup to create a new dev account. There is a wizard to follow.

(Daniela) #86

Guide updated with the new initial steps, I also added a note about the GDPR (step 5)


I got this error message when I try to connect with my facebook account:

Insecure Login Blocked: You can’t get an access token or log in to this app from an insecure page. Try re-loading the page as https://

Is it because I have to use httpS for my discourse forum? I’m currently using a http address

(Jeff Atwood) #88

Yes, that is the reason.


Ok thanks.

I think this sentence is misleading then

obviously, replacing the domain with your site’s actual domain name and matching the correct protocol, http or https

When I read it I understood that http was compatible with Facebook login

(Jeff Atwood) #90

Sure that may have been true in 2014. We will update the docs!

I needed one step more, described in How to add Sign Up with Facebook (OAuth) Option to Forum - Detailed Verified Steps • Crunchify as Step 3

(Daniela) #95

The only difference that I can see is that they have also enabled Login from devices.

Client OAuth Login and Web OAuth Login are already enabled by default.

Are you referring to this?


sry, my fault @Dax