JavaScript changes for Facebook’s OAuth 2.0 upgrade
Posted: September 16, 2011 Filed under: Engineering | Tags: Facebook, JavaScript, JS SDK, OAuth 2.0 6 Comments »
Facebook is upgrading their platform authentication system to OAuth 2.0. During the transition time, both the new system and the old system are supported, however, starting October 1st, 2011 the old authentication system will no longer be supported. Any apps that depend on it will stop working.
Update: Facebook missed their original cutoff date, however as of December 13, 2011, all apps are now forced to OAuth 2.0 and apps that depend on the older system no loner work.
Facebook initially announced this on May 10th, and later put out updated information once the various SDKs had been upgraded to support the new system. However, details on what code changes were necessary to support the new system were fairly limited.
This post covers every change we’ve come across so far to support OAuth 2.0 with FB’s JS SDK…
- In your
FB.init({...})options, add the newoauth: trueparameter to begin using OAuth 2.0 immediately. - In the response object that is passed to
FB.login()andFB.getLoginStatus()callbacks,sessionis nowauthResponse, and every single field has been renamed or removed.- The old response object looked like this:
{ "status":"connected", "session": { "access_token":"asdf", "uid":"1234", "expires":1315364400, "sig":"asdf", "base_domain":"mysite.com", "session_key":"asdf", "secret":"asdf" } } - The new response object looks like this:
{ "status": "connected", "authResponse": { "accessToken": "asdf", "userID": "1234", "expiresIn": 1315364400, "signedRequest": "asdf" } }
- The old response object looked like this:
FB.getSession()is nowFB.getAuthResponse(); the old method will throw an error.- The
auth.sessionChangeevent is nowauth.authResponseChange. Subscribing to the old event won’t throw any errors, but it won’t ever fire. - The “
notConnected” status is now “not_authorized“.- The three states of
response.statusare now “connected“, “not_authorized“, and “unknown“.
Note: As of 9/19/2011, Facebook’s documentation on this is incorrect – it still lists the “not_authorized” status as “notConnected”. There is a bug filed for this.
- The three states of
- In
FB.login(callback, options),options.permsis nowoptions.scope. If you include anoptions.perms, it will thrown an error. FB.login()andFB.getLoginStatus()no longer ever include the user’s permissions in the response object passed to the callback.- To work around this, do the following:
FB.api('/me/permissions', function(response){console.log(response.data[0]);})
In the callback,
response.data[0]will be a JS object along the lines of:{ "installed":1, "status_update":1, "photo_upload":1, "video_upload":1, "create_note":1, "share_item":1 } - If you need this to be synchronous, you could grab that once when the user first logs in and then store it locally. (This is useful to avoid the annoying popup window that
FB.login()opens and then immediately closes if the user has already granted you the requested permissions.)
- To work around this, do the following:
- The cookie name has changed from
'fbs_' + APP_IDto'fbsr_' + APP_ID, it’s content has changed to only include thesignedRequestfrom the newauthResponseobject, and it is now set for the session only.- (This is helpful in JavaScript for getting an idea of whether or not the user is logged in before FB’s JS SDK has loaded and initialized. The presence of this cookie generally means that the user is logged in and has authorized your app. However, it will initially be absent on the first pageview of each browsing session.)
We’ll have a follow-up post soon that covers the server-side of the upgrade.
Update: It’s posted: Server Side changes for Facebook’s OAuth 2.0 upgrade
Sociable Labs is hiring! – Come join our team of world-class engineers and help define the field of social commerce!
[...] necessary JS changes to support Facebook’s OAuth 2.0 upgrade that is being forced out on October 1st – read the details on the sociable labs blog [...]
[...] Source: JavaScript – Google Blog Search [...]
haiii to all, i am venkat from hyd. i forget to mygrate my facebook apps to oauth 2.0. presently i dont understand how to change and how to update. please share information to me. thanks in advance. waiting for u r reply.
Hi venkat, Like I said on the other post, I’m not sure for desktop applications. You might be able to find some good information on FB’s OAuth 2.0 Migration guide: https://developers.facebook.com/docs/oauth2-https-migration/ and also on their developer blog: https://developers.facebook.com/blog (Check the archives page – they don’t see to tag or categorize their posts, so you’ll just have to dig through and find the relevant ones yourself.)
Also worth mentioning, while FB originally stated that they were going to cut off the older auth methods and only allow OAuth 2.0 after October 1st, they missed their own deadline, at least for the JS SDK, and they haven’t announced a new one yet.
oauth2.0 is implemented in place, and a lot of people have issues logging in to a variety of sites that use oauth authentication. I am having issues wiht my current site too., has any got a fix for it yet.
Hi Vinod, To fix it, you’ll need to update your website to use the newer APIs. The posts here and on Facebook should have everything you need to know. If you have any specific questions, feel free to ask.