Heroku-hosted Rails 3.2.2 app using Devise and OmniAuth.
I'm currently getting the Facebook user ID via POST when opening the app. If the user exists, I automatically log them in and it all works peachy. If they don't, I redirect them to
user_omniauth_authorize_path(:facebook)
Which gets "/users/auth/facebook" - and the Facebook 'permissions request' dialog. If the user accepts, OmniauthCallbacksController#facebook is called, which signs the user in and redirects them to the app's home page. But on that last redirect, they are being redirected out of the Facebook iframe.
I'm out of ideas as to why this is taking me out of the iframe. Any suggestions?
Minor correction: I don't ask new users to authenticate automatically. They have to press a button to engage with the site before being asked for permissions.
In your omniauth.rb initializer, put
OmniAuth.config.full_host = "http://apps.facebook.com/canvas_url/"
Trailing / was necessary if I remember correctly.
This should keep you within the Facebook frame.