Some Facebook OAuth users emails null

I am using asp.net core facebook oauth. Some users are signing up with it and their email addresses are null.

I am using these settings:

"oauth.facebook.Permissions": [ "email" ],
"oauth.facebook.Fields": [ "id", "email", "first_name", "last_name" ],

Any idea why some accounts have a null email field?

I’ve Googled and found:

i.e. Facebook wont forward unconfirmed email addresses.

1 Like

Ahh thanks for the help, I missed that.

Also, I don’t know if you could help me with another question please? In user auth table there is email and primary_email. Is the logic that email is used for the login and primary_email is a field in-case they want alerts to go to a different email that their login email so you can store 2 separate email addresses? I couldn’t find any mention of it in docs.

Yes Email is used for signing in whilst PrimaryEmail is another placeholder that can be used if they prefer to have emails sent to another address.

1 Like

We had this issue a while back. We required users to have an email and therefore rejected users whose email was not provided with the following check when adding the facebook auth plugin:

new FacebookAuthProvider(AppSettings)
                        {
                            CustomValidationFilter = authCtx => FacebookCustomValidator(authCtx)
                        }

private IHttpResult FacebookCustomValidator(AuthContext authCtx)
        {
            if (authCtx.AuthTokens.Email.IsEmpty())
                return authCtx.Service.Redirect(authCtx.Session.ReferrerUrl.AddHashParam("f", "EmailIsRequired"));

            return null;
        }
2 Likes

@kebin How do you test this?

I’m not sure how this can be tested programmatically but manually: as a Facebook user you can edit and decline certain permissions. Decline “email” permission on the Facebook’s login/sign/consent up flow page. Here’s a link to Facebook’s dev docs to how testing might be bit easier.

When a user declines “email”, they can then be redirected to a url of your choice(with a friendly message of why their request was declined) by simply returning:

return authCtx.Service.Redirect(urlOfYourChoice);

This will also work for existing users, i.e the ones that are already in your system without emails. They will be taken to the same redirected url.

@kebin
This works. But do you know (by any chance) if there is a way to display the Facebook login screen again (via the redirect) of maybe remove the app permissions automatically?

At the moment I show a ‘how to’ to the user, but this is far from ideal…

OK, found the way to do it:

private IHttpResult FacebookCustomValidator(AuthContext authCtx)
{
  if (authCtx.AuthTokens.Email.IsEmpty())
  {
    var redirectUrl = FacebookAuthProvider.PreAuthUrl
      .AddQueryParam("scope", "email")
      .AddQueryParam("auth_type", "rerequest")
      .AddQueryParam("client_id", "YOUR_APP_ID")
      .AddQueryParam("redirect_uri", new RequestObjectTeRedirectTo().ToAbsoluteUri());
   // first redirect to the login page to explain what happened and show the redirectUrl on that page
    var loginUrl = new LoginRequest { Platform = "facebook", Redirect = redirectUrl, RequireEmail = true };

    return authCtx.Service.Redirect(loginUrl.ToAbsoluteUri());
  }
  return null;
}
1 Like

You could probably do this via app as well from within the FB.