Facebook complains about my integrated login violating policy

  • Greetings!

    I have been using Facebook integration for logins on my web page for a few weeks now, but I just got an email that says that I'm not complying with their platform policies.

    Specifically "Platform Policy 8.1: Verify that you have integrated Login correctly. Your app shouldn't crash or hang during the testing process."

    They don't give a lot of information. I replied back and requested more. Also, I started working through the list of login flow cases they provided at https://developers.facebook.co…/testing-your-login-flow/

    I had a problem with "2. Someone logs in with Facebook after previously logging in via a non-Facebook flow with the same email address". It gives me an error "You have provided an incorrect or invalid username or password." when I try to log in with Facebook after using my email address previously.

    I went ahead and asked Facebook for more information about the problem they found.

    I have 2 instances of EQDKP running on my server. The second is for WoW Classic and is running at /classic/. Both are using EQDKP v2.3.14. Linux VPS with kernel-4.9.16, Apache-2.4.39, PHP-7.2 and MySQL-5.7.26. Both EQDKP instances are bridged to each other.

    I have 2 Facebook developer app entries. One is pointed at each instance of EQDKP, but I've only got a complaint about the top level one. The one for classic hasn't been complained about, but I tested it and it fails the same way. Can't login with Facebook after using your email address to register. For what it's worth, Discord integration also fails in the same way.

    Is there anything I can do to make this work properly?

  • As long as Facebook cannot provide a detailed reason why we might not comply with their policy, there is nothing I can do.

    Also, it is clear that if a user registers with an email address, he cannot use the 3rd party login provider, as the 3rd party account is not connected with the EQdkp Plus account. We do this for security reasons, as I do not trust any email address. Therefore, a valid session is required for connecting the 3rd party account, to make sure that there is an authentication. Otherwise you have to trust every system that the email address is verified.

    To be honest, the Facebook policy is some kind of s***, they should fix their own security and privacy before complaining about the high security integration of their APIs...

    Best regards,

    Please don't send me unwanted support-PMs.

  • I'm with you on the Facebook security. I don't mind if they cancel my API access or whatever.

    I've asked them for more details, we will see what happens.

    Thank you for the information about the situation with all of this.

  • Ok, I got some closure on this.

    First off, 'bendover' made an account on my site from a Facebook email address. He emailed me a screenshot of the error with no explanation of how he got there.

    I emailed Ben back and said it works for me, asking for specific steps to reproduce the error.

    On Friday, I got the reply "Thanks for working with me to fix your app" and the case is closed.

    Not really what I'd call professional work, but it is what it is.
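
The linking rule from the second reply (a 3rd party account is connected only from a valid session, never by matching email addresses), sketched as an added Python example. It is not EQdkp Plus code: the class and function names, the `trust_email` switch, the provider IDs and the email address are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


class LoginError(Exception):
    pass


@dataclass
class Account:
    user_id: int
    email: str
    links: set = field(default_factory=set)  # {(provider, provider_user_id)}


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def register(self, user_id, email):
        self.accounts[user_id] = Account(user_id, email.lower())

    def by_link(self, provider, subject):
        return next((a for a in self.accounts.values()
                     if (provider, subject) in a.links), None)

    def by_email(self, email):
        return next((a for a in self.accounts.values()
                     if a.email == email.lower()), None)


def link_provider(store, session_user_id, provider, subject):
    """Connect a provider identity; requires an authenticated local session."""
    if session_user_id not in store.accounts:
        raise LoginError("valid session required to connect a 3rd party account")
    if store.by_link(provider, subject) is not None:
        raise LoginError("provider identity is already connected")
    store.accounts[session_user_id].links.add((provider, subject))


def provider_login(store, provider, subject, claimed_email, trust_email=False):
    """Resolve a provider login to a local user id."""
    account = store.by_link(provider, subject)
    if account is None and trust_email:
        # Weak variant: falls back to the email the provider reports, so the
        # local account is only as safe as every provider's email verification.
        account = store.by_email(claimed_email)
    if account is None:
        # Strict behaviour: same email but no explicit link means no login.
        raise LoginError("incorrect or invalid username or password")
    return account.user_id
```

With the strict default, test case 2 from the first post fails by design until the user logs in locally and connects the provider account.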