Rails Facebook login error with omniauth-facebook - OmniAuth::Strategies::OAuth2::CallbackError

Question

I'm trying to make Facebook login with omniauth-facebook in Rails 3.2.9; I have followed the steps of Ryan Bates in http://railscasts.com/episodes/360-facebook-authentication and in this very moment I have the same code.

If I try to login without the Javascript it works (it takes me to Facebook, I grant the permissions, and gets me back to the app successfully), but if I try with the Javascript (for the Facebook popup) it initially shows the popup to login, but then makes a redirect and throws me this error (without asking for the permissions):

Started GET "/auth/facebook/callback" for 127.0.0.1 at 2012-11-16 15:16:03 -0600
(facebook) Callback phase initiated.
(facebook) Authentication failure! invalid_credentials: OmniAuth::Strategies::OAuth2::CallbackError, OmniAuth::Strategies::OAuth2::CallbackError

OmniAuth::Strategies::OAuth2::CallbackError (OmniAuth::Strategies::OAuth2::CallbackError)

This is a very common error; I made the research and tried all the solutions (mostly are from some months ago) but none of them work. This is what I have tried:

1. Checking the sandbox in Facebook is disable (and I have waited hours for the propagation)
2. Checking the Site URL to http://localhost:3000/
3. Checking the App ID and App Secret
4. Downgrading the omniauth-facebook gem to 1.4, and throws me this error: omniauth-facebook must pass either acodeparameter or a signed request (viasigned_requestparameter or afbsr_XXXcookie)
5. Downgrade to Rails 3.2.8

What else should I do? (I think the key is in the Javascript, and right now I have the same code of the video, with CoffeeScript). Thanks in advance!

Answer 1

I followed that Railscast just now and managed to get it working. You'll notice people discussing your problem in the comments. Following the links there, I ended up on this issue on Github and this question on StackOverflow.

I recommend updating to 1.6.0 and to 2.0.0 when it finally comes out. In the meantime, make sure you aren't making any of these mistakes:

• Defining your app credentials in two different initializers, usually omniauth.rb and devise.rb. source

• Having a domain name mismatch between your live site and the site url configured within your facebook application. source

• Leaving the facebook application in sandbox mode, so the domain name doesn't match the production one. source

• Adding a before_filter :authenticate to the OmniauthCallbacksController or ApplicationController (since OmniauthCallbacksController inherits from ApplicationController). source

• Using omniauth-facebook in conjunction with Facebook's client-side flow. source

• Messing with the state param.