[Bug]: Facebook Provider Not Supported?
Preflight Checklist
- [x] I could not find a solution in the documentation, the existing issues or discussions
- [x] I have joined the ZITADEL chat
Environment
ZITADEL Cloud
Version
No response
Database
None
Database Version
No response
Describe the problem caused by this bug
1. Using the Facebook Identity Provider with OAuth, I get this exception: `http status not ok: 400 Bad Request {"error":{"message":"An active access token must be used to query information about the current user.","type":"OAuthException","code":2500,"fbtrace_id":"A9FuRyZq-o4BeQrxtOmks19"}}`
2. Using OIDC: `Post "": unsupported protocol scheme ""`
Are there any other solutions available?
To reproduce
SSO use Facebook
Screenshots
No response
Expected behavior
No response
Operating System
No response
Relevant Configuration
No response
Additional Context
No response
Hey @SummonerBJ, we don't provide an out-of-the-box template for Facebook; if it's OIDC or OAuth compliant, it should just work. We'll check and confirm whether Facebook is compliant: if it is, this might be a bug; if not, we might have to provide a new template for Facebook.
Hey, I have successfully integrated Facebook OAuth (via the generic OAuth provider) by fixing the request headers with nginx.
First you have to spin up nginx and make it accessible from your ZITADEL instance.
You have to configure a new provider in ZITADEL under Default Settings -> Identity Providers -> Generic OAuth.
Let's say you have a domain for nginx, nginx-instance:8081.
Then your provider configuration should look like this:
- Authorization Endpoint: `https://www.facebook.com/dialog/oauth`
- Token Endpoint: `http://nginx-instance:8081/oauth/access_token`
- User Endpoint: `http://nginx-instance:8081/me`
- ID Attribute: `id`
FB uses a different name for the profile scope: you should replace the `profile` scope (under Optional -> Scopes List) with `public_profile`.
Here's the nginx config that does all the dirty work:

```nginx
worker_processes 1;

events {
    worker_connections 1024;
}

error_log /var/log/nginx/error.log debug;

http {
    resolver 1.1.1.1 ipv6=off;

    # Selectively rewrite only lowercase bearer
    map $http_authorization $fixed_auth {
        "~*^bearer (.+)" "Bearer $1";   # Only rewrite lowercase "bearer"
        default          $http_authorization;  # Leave others untouched
    }

    log_format auth_debug '$remote_addr - $host [$time_local] '
                          '"$request" $status '
                          'Auth="$http_authorization" '
                          'FixedAuth="$fixed_auth" '
                          '"$http_user_agent"';
    access_log /var/log/nginx/access.log auth_debug;

    server {
        listen 8081;
        listen [::]:8081;

        set $fb_host graph.facebook.com;

        location / {
            proxy_pass https://$fb_host$request_uri;
            proxy_ssl_server_name on;
            proxy_ssl_name $fb_host;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

            # Set the rewritten header only if needed
            proxy_set_header Authorization $fixed_auth;
            proxy_set_header Host $fb_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Accept-Encoding ""; # Easier to debug response
        }
    }
}
```
Hi, everyone!
It looks like Facebook supports OIDC tokens only via Limited Login: https://developers.facebook.com/docs/facebook-login/limited-login/token/
According to the well-known configuration, the only supported token type is id_token: https://www.facebook.com/.well-known/openid-configuration/
However, ZITADEL currently requests response_type=code, even though this value isn’t listed in the well-known configuration. Since Facebook supports the code flow only for a different login method, it returns a response that causes ZITADEL to proceed with a token exchange request — but because the token_endpoint is empty, we end up with the following error:
Post "": unsupported protocol scheme ""
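To make the failure described above concrete, here is an added Go example (not ZITADEL's code, and not a copy of Facebook's real discovery document). It parses a constructed discovery document modelled on what the post describes (`response_types_supported` containing only `id_token`, no `token_endpoint`), shows the pre-flight check a client can run before choosing the authorization code flow, and reproduces the raw `net/http` error you get when the check is skipped and the code exchange is posted to an empty endpoint. The `idp.example.test` provider, the JSON documents and the `ExchangeWithoutCheck` helper are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Discovery is the subset of an OpenID Connect discovery document
// (".well-known/openid-configuration") that matters for choosing a flow.
type Discovery struct {
	Issuer                 string   `json:"issuer"`
	AuthorizationEndpoint  string   `json:"authorization_endpoint"`
	TokenEndpoint          string   `json:"token_endpoint"`
	ResponseTypesSupported []string `json:"response_types_supported"`
}

// Constructed sample modelled on the thread's description of Facebook's
// document: only id_token is advertised and no token_endpoint is published.
// This is NOT Facebook's real discovery document.
const facebookLikeDiscovery = `{
  "issuer": "https://www.facebook.com",
  "authorization_endpoint": "https://www.facebook.com/dialog/oauth",
  "response_types_supported": ["id_token"]
}`

// Constructed sample of a provider that does support the code flow.
const codeFlowDiscovery = `{
  "issuer": "https://idp.example.test",
  "authorization_endpoint": "https://idp.example.test/authorize",
  "token_endpoint": "https://idp.example.test/token",
  "response_types_supported": ["code", "code id_token"]
}`

var (
	ErrCodeFlowUnsupported = errors.New("provider does not advertise response_type=code")
	ErrNoTokenEndpoint     = errors.New("provider publishes no token_endpoint")
)

// ParseDiscovery decodes a discovery document.
func ParseDiscovery(raw string) (Discovery, error) {
	var d Discovery
	err := json.Unmarshal([]byte(raw), &d)
	return d, err
}

// TokenEndpointForCodeFlow returns the token endpoint to use for the
// authorization code flow, or a descriptive error when the discovery
// document shows the flow cannot work. Running this before the first
// request turns the opaque `Post "": unsupported protocol scheme ""`
// into an actionable configuration error.
func TokenEndpointForCodeFlow(d Discovery) (string, error) {
	supportsCode := false
	for _, rt := range d.ResponseTypesSupported {
		// response_type values are space-separated, e.g. "code id_token".
		for _, part := range strings.Fields(rt) {
			if part == "code" {
				supportsCode = true
			}
		}
	}
	if !supportsCode {
		return "", fmt.Errorf("%w (supported: %v)", ErrCodeFlowUnsupported, d.ResponseTypesSupported)
	}
	if d.TokenEndpoint == "" {
		return "", ErrNoTokenEndpoint
	}
	return d.TokenEndpoint, nil
}

// ExchangeWithoutCheck mimics a client that skips the check above and posts
// the code exchange straight to whatever token_endpoint it was given. With an
// empty endpoint net/http fails before touching the network, and the wrapped
// error text is exactly what the thread reports.
func ExchangeWithoutCheck(tokenEndpoint string) error {
	body := strings.NewReader("grant_type=authorization_code&code=constructed-code")
	resp, err := http.Post(tokenEndpoint, "application/x-www-form-urlencoded", body)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

func main() {
	for _, raw := range []string{facebookLikeDiscovery, codeFlowDiscovery} {
		d, _ := ParseDiscovery(raw)
		ep, err := TokenEndpointForCodeFlow(d)
		fmt.Printf("%s: token_endpoint=%q err=%v\n", d.Issuer, ep, err)
	}
	// Reproduce the raw error from the thread with the unchecked exchange.
	d, _ := ParseDiscovery(facebookLikeDiscovery)
	fmt.Println("unchecked exchange:", ExchangeWithoutCheck(d.TokenEndpoint))
}
```

The check deliberately rejects the document on `response_types_supported` first: even if a provider did publish a `token_endpoint`, requesting `response_type=code` from one that only advertises `id_token` is the root misconfiguration, and the empty endpoint is only the symptom that surfaces as the Go error.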
> Hey, I have successfully integrated Facebook OAuth (via the generic OAuth provider) by fixing the request headers with nginx. First you have to spin up nginx and make it accessible from your ZITADEL instance. You have to configure a new provider in ZITADEL under
> Default Settings -> Identity Providers -> Generic OAuth.
Thank you @cringoleg ! It worked great!
If it helps, I wanted to add that Facebook only returns `id` and `name` by default. If you want Facebook to return other fields, you have to request them explicitly using the `fields` parameter in the `/me` endpoint.
For example: `http://nginx-instance:8081/me?fields=id,name,email,first_name,last_name`