I recently encountered this error when also using the FB JS SDK with omniauth-facebook.
I fixed it by sending the signed_request parameter with the GET as shown below:
$(document).bind("fb.loaded", function() {
FB.getLoginStatus(function(response) {
console.log('FB STATUS: ' + response.status);
if(response.status == "connected") {
console.log("FB AUTHED");
location.href="https://stackoverflow.com/auth/facebook/callback?" +
$.param({ signed_request: response.authResponse.signedRequest })
});
}
});
});
The scenario occurs when a user visits your site when already logged into FB but not your site. One often needs to sign the subsequent request to the omniauth callback:
Request URL:
http://localhost:3000/auth/facebook/callback?signed_request=QXZa2TPs8JiSgSAQkrS7Y7ObPZQDYLcU_JNvD6Wru_o.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiJBUURjQXdZUdVOMEFmd1RCbjRDQWp4eHpKcWRoRllOS1owLVZpa2pKTUQxSU1UbHJzbmEyMVNUUUtOLWl6b1dJOXJVRWUyWTBNd3ViZ1JxcmZJQmVMRDNOREI2M1EwREtqVzJCeVxTU2ZMR1foWlVwOEVlX0dMVUtwYUlqcWlaQ2FSc1h5c0NBNHdyZDBxbk4taU1haWp2cVFIX19QdUhxaldFcUtYZDc1LS1oZmptcTg4QVVuemVJdDJ4S2VOd3VPZG9vOGtaQkZlZmctZ2FDMk9CNl8wZ24iLCJpc3N1ZWRfYXQiOjEzNTg5NzQ4NzMsInVzZXJfaWQiOiIxMDYwMTg4NyJ9`
If using AJAX, you would need something like this:
$.get(
'/auth/facebook/callback',
{ signed_request: response.authResponse.signedRequest },
function(json) {
alert("received logged in response");
});