Server Side changes for Facebook’s OAuth 2.0 upgrade


This is our second post on OAuth 2.0, and covers server-side changes. To see our previous post on changes to Facebook’s Javascript SDK, read here.

Facebook is upgrading their platform authentication system to OAuth 2.0. During the transition time, both the new system and the old system are supported, however, starting October 1st, 2011 the old authentication system will no longer be supported. Any apps that depend on it will stop working.

The main differences are that the cookie format has changed significantly, and that the way you verify the cookie’s signature and obtain an access token has changed:

1. Instead of an MD5 hash over the cookie’s parameters plus your app secret, the new cookie is a signed request authenticated with HMAC-SHA256, keyed with your app secret.

2. The access_token is no longer stored in the cookie. Instead, the cookie carries a one-time OAuth code, and your server makes a separate REST call that trades that code plus your Facebook App secret for the access_token. Facebook’s documentation for the server-side flow is mostly accurate, though one key detail changes when you use the FB JS SDK to obtain the code instead of doing everything server side: the value of redirect_uri.

If you put a login button on your site with the XFBML <fb:login-button> tag, or call FB.login, then when the user logs in to your site the JS SDK drops an OAuth 2.0 style cookie (named fbsr_ followed by your app ID). That cookie contains the following information in the signed request format:

{
    "algorithm": "HMAC-SHA256",
    "code":"xxxxxxx",
    "issued_at":1315979667,
    "user_id":"yyyyyyy"
}

The signed request itself is two base64url-encoded strings separated by a period: the HMAC-SHA256 signature, then the JSON payload above. To verify it, check that algorithm is HMAC-SHA256, recompute HMAC-SHA256 over the still-encoded payload string with your app secret as the key, and compare the result against the decoded signature before trusting user_id or code. Facebook’s signed request documentation has more information on the format and on verifying the signature.

That code is what you send to the access_token endpoint specified in the authentication guide linked to above. The key point, which is documented in the FB PHP SDK, is that the FB JS SDK sets redirect_uri to the empty string when it obtains the code. (If you’re really curious, see the PHP SDK at line 347 of the version available on 9/19/2011. It may have moved slightly since, and the snippet is copied below.)

Specifically, when you call this endpoint, pass the empty string ('') as redirect_uri, not your actual URL. If you pass your URL, the exchange will fail, because the code must be redeemed with the same redirect_uri it was issued against.

https://graph.facebook.com/oauth/access_token?
     client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
     client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

becomes:

https://graph.facebook.com/oauth/access_token?
     client_id=YOUR_APP_ID&redirect_uri=&
     client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

This call returns the access_token, which lets you use the FB Graph API as you did before. Make the call from your server, never from the browser: the request carries your app secret, and anyone holding that secret can forge signed requests and exchange codes for tokens.
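The two server-side steps above, verifying the signed request cookie the JS SDK drops and exchanging its code with an empty redirect_uri, as one added Python example. This is not code from the post or from Facebook’s SDKs; the app ID, app secret, cookie payload and token response are constructed for the example, and the helper names (parse_signed_request, access_token_url, handle_login_cookie and so on) are this example’s own.

```python
"""Added example, not from the post or from Facebook's SDKs.

Verifies the fbsr_<APP_ID> signed_request cookie the JS SDK drops, pulls the
OAuth code out of it, and builds the server-side exchange request with
redirect_uri=''. Everything marked 'constructed' is made up for the example.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

APP_ID = "123456789"                    # constructed
APP_SECRET = "constructed-app-secret"   # constructed


def b64url_decode(s: str) -> bytes:
    # Facebook strips the '=' padding from its base64url strings; put it back.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request, app_secret, max_age=24 * 3600, now=None):
    """Return the JSON payload of a signed_request, or raise ValueError.

    Format: <base64url(HMAC-SHA256 sig)>.<base64url(JSON payload)>; the MAC is
    computed over the still-encoded payload string, keyed with the app secret.
    """
    if signed_request.count(".") != 1:
        raise ValueError("signed_request must be '<sig>.<payload>'")
    encoded_sig, payload = signed_request.split(".")
    data = json.loads(b64url_decode(payload))
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm: %r" % data.get("algorithm"))
    expected = hmac.new(app_secret.encode(), payload.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing on the signature.
    if not hmac.compare_digest(b64url_decode(encoded_sig), expected):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if now - int(data.get("issued_at", 0)) > max_age:
        raise ValueError("signed_request is too old; ask the user to log in again")
    return data


def make_signed_request(payload, app_secret):
    """Produce a signed_request the way Facebook does; used here only to build sample input."""
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), body.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body


def access_token_url(code, app_id, app_secret):
    """Exchange URL for a code obtained via the JS SDK: redirect_uri must be the empty string."""
    params = [("client_id", app_id), ("redirect_uri", ""),
              ("client_secret", app_secret), ("code", code)]
    return "https://graph.facebook.com/oauth/access_token?" + urlencode(params)


def parse_access_token_response(body):
    """The 2011 endpoint answered with a form-encoded body (access_token=...&expires=...);
    a failed exchange (for example a wrong redirect_uri) came back as a JSON error object."""
    if body.lstrip().startswith("{"):
        raise ValueError("token exchange failed: %s" % json.loads(body).get("error"))
    fields = parse_qs(body, strict_parsing=True)
    return {"access_token": fields["access_token"][0],
            "expires": int(fields["expires"][0]) if "expires" in fields else None}


def handle_login_cookie(cookie_value, app_id=APP_ID, app_secret=APP_SECRET, now=None):
    """Verify the cookie and return (user_id, exchange_url) for the server-side call."""
    data = parse_signed_request(cookie_value, app_secret, now=now)
    if "code" not in data:
        raise ValueError("no code in signed_request: the user has not authorized the app")
    return data["user_id"], access_token_url(data["code"], app_id, app_secret)


if __name__ == "__main__":
    # Constructed cookie, shaped like the JSON shown in the post.
    payload = {"algorithm": "HMAC-SHA256", "code": "constructed-code",
               "issued_at": 1315979667, "user_id": "100001"}
    cookie = make_signed_request(payload, APP_SECRET)
    user_id, url = handle_login_cookie(cookie, now=1315979667 + 30)
    print(user_id, url)
    # Constructed response body, in the shape the endpoint returned it in 2011.
    print(parse_access_token_response("access_token=constructed-token&expires=5183971"))
```

The age check on issued_at is the example’s own addition: a signed request does not expire on its own, so without it a captured cookie verifies forever. The actual HTTP call to the exchange URL is left to your HTTP client; the URL and the response parser are what the post’s step describes.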

Here’s the snippet of code from the PHP SDK:

      // the JS SDK puts a code in with the redirect_uri of ''
      if (array_key_exists('code', $signed_request)) {
        $code = $signed_request['code'];
        // second argument is redirect_uri; it must be '' for a code the JS SDK obtained
        $access_token = $this->getAccessTokenFromCode($code, '');
        if ($access_token) {
          // remember the code and token so the exchange is not repeated on every request
          $this->setPersistentData('code', $code);
          $this->setPersistentData('access_token', $access_token);
          return $access_token;
        }
      }

Good luck to everyone on the October 1st deadline!


Sociable Labs is hiring! – Come join our team of world-class engineers and help define the field of social commerce!


4 Comments on “Server Side changes for Facebook’s OAuth 2.0 upgrade”

  1. Anonymous says:

    thanks man!

  2. noambenami says:

    Actually, the developer who wrote this article is a woman. :)

