Some Facebook OAuth users' emails null

I am using asp.net core facebook oauth. Some users are signing up with it and their email addresses are null.

I am using these settings:

"oauth.facebook.Permissions": [ "email" ],
"oauth.facebook.Fields": [ "id", "email", "first_name", "last_name" ],

Any idea why some accounts have a null email field?

I've Googled and found:

i.e. Facebook won't forward unconfirmed email addresses.

1 Like

Ahh thanks for the help, I missed that.

Also, I don't know if you could help me with another question please? In user auth table there is email and primary_email. Is the logic that email is used for the login and primary_email is a field in case they want alerts to go to a different email than their login email so you can store 2 separate email addresses? I couldn't find any mention of it in docs.

Yes Email is used for signing in whilst PrimaryEmail is another placeholder that can be used if they prefer to have emails sent to another address.

1 Like

We had this issue a while back. We required users to have an email and therefore rejected users whose email was not provided with the following check when adding the facebook auth plugin:

new FacebookAuthProvider(AppSettings)
{
    CustomValidationFilter = authCtx => FacebookCustomValidator(authCtx)
}

private IHttpResult FacebookCustomValidator(AuthContext authCtx)
{
    if (authCtx.AuthTokens.Email.IsEmpty())
        return authCtx.Service.Redirect(authCtx.Session.ReferrerUrl.AddHashParam("f", "EmailIsRequired"));

    return null;
}
2 Likes

@kebin How do you test this?

I'm not sure how this can be tested programmatically but manually: as a Facebook user you can edit and decline certain permissions. Decline "email" permission on the Facebook's login/sign/consent up flow page. Here's a link to Facebook's dev docs on how testing might be a bit easier.

When a user declines "email", they can then be redirected to a url of your choice (with a friendly message of why their request was declined) by simply returning:

return authCtx.Service.Redirect(urlOfYourChoice);

This will also work for existing users, i.e. the ones that are already in your system without emails. They will be taken to the same redirected url.

@kebin
This works. But do you know (by any chance) if there is a way to display the Facebook login screen again (via the redirect) or maybe remove the app permissions automatically?

At the moment I show a 'how to' to the user, but this is far from ideal…

OK, found the way to do it:

private IHttpResult FacebookCustomValidator(AuthContext authCtx)
{
  if (authCtx.AuthTokens.Email.IsEmpty())
  {
    var redirectUrl = FacebookAuthProvider.PreAuthUrl
      .AddQueryParam("scope", "email")
      .AddQueryParam("auth_type", "rerequest")
      .AddQueryParam("client_id", "YOUR_APP_ID")
      .AddQueryParam("redirect_uri", new RequestObjectTeRedirectTo().ToAbsoluteUri());
    // first redirect to the login page to explain what happened and show the redirectUrl on that page
    var loginUrl = new LoginRequest { Platform = "facebook", Redirect = redirectUrl, RequireEmail = true };

    return authCtx.Service.Redirect(loginUrl.ToAbsoluteUri());
  }
  return null;
}
1 Like
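An added example, not code from any post in this thread or from ServiceStack: the two causes of a null email discussed above (a declined "email" permission versus an address Facebook will not forward) call for different handling, because re-requesting the permission only helps in the first case. It assumes the caller has already fetched the JSON body of the Graph API `GET /me/permissions` call for the user's access token; `MissingEmailAction`, `FacebookEmailCheck`, `Decide` and `BuildRerequestUrl` are hypothetical names, and the dialog URL passed in `Main` is an assumed value for the provider's pre-auth URL.

```csharp
using System;
using System.Linq;
using System.Text.Json;

public enum MissingEmailAction { Proceed, RerequestEmail, AskUserToConfirmEmail }

public static class FacebookEmailCheck
{
    // email: the value Facebook returned for the user (may be null or empty).
    // permissionsJson: body of GET /me/permissions for the same access token.
    public static MissingEmailAction Decide(string email, string permissionsJson)
    {
        if (!string.IsNullOrWhiteSpace(email)) return MissingEmailAction.Proceed;

        using var doc = JsonDocument.Parse(permissionsJson);
        bool emailGranted = doc.RootElement.GetProperty("data").EnumerateArray()
            .Any(p => p.GetProperty("permission").GetString() == "email"
                   && p.GetProperty("status").GetString() == "granted");

        // Granted but still empty (for example an unconfirmed address):
        // showing the consent dialog again cannot produce an email.
        return emailGranted ? MissingEmailAction.AskUserToConfirmEmail
                            : MissingEmailAction.RerequestEmail;
    }

    // Same query parameters as the re-request redirect in the post above,
    // with the caller-supplied values URL-encoded.
    public static string BuildRerequestUrl(string dialogUrl, string appId, string redirectUri) =>
        dialogUrl
        + "?client_id=" + Uri.EscapeDataString(appId)
        + "&redirect_uri=" + Uri.EscapeDataString(redirectUri)
        + "&scope=email&auth_type=rerequest";

    public static void Main()
    {
        // Constructed sample responses, not captured from a real account.
        const string declined = "{\"data\":[{\"permission\":\"public_profile\",\"status\":\"granted\"},"
                              + "{\"permission\":\"email\",\"status\":\"declined\"}]}";
        const string granted = "{\"data\":[{\"permission\":\"public_profile\",\"status\":\"granted\"},"
                             + "{\"permission\":\"email\",\"status\":\"granted\"}]}";

        Console.WriteLine(Decide(null, declined));
        Console.WriteLine(Decide(null, granted));
        Console.WriteLine(Decide("user@example.com", granted));
        Console.WriteLine(BuildRerequestUrl("https://www.facebook.com/dialog/oauth",
            "YOUR_APP_ID", "https://app.example/auth/facebook"));
    }
}
```

Inside a validation filter like the ones posted above, only the `RerequestEmail` outcome would lead to the `auth_type=rerequest` redirect; the other missing-email outcome would go to a page explaining that the Facebook account has no confirmed address to share.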

You could probably do this via app as well from within the FB.