Facebook App – Moving to OAuth 2.0 + HTTPS

Faecbook has recently announced its plan that all facebook applications have to move to OAuth 2.0  + HTTPS by 1 Oct!

To highlight, the plan is:

  • July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
  • September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
  • October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.

Interesting enough, Facebook said that

Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry. In addition, we have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure.

In fact, because of the famous “invalid access token” issue that happened recently, I have already enable OAuth 2.0 for ALL my application.  What’s a nice move in kicking off the migration!  🙂

As a preparation, I would also suggest reviewing your apps and

  • if you are using the old Authentication flow, then try migrate your app to use the PHP SDK and Javascript SDK for authentication.
  • review the code so that the apps do not work on the fb_sig unless it is the only way.  Yet, you still have to find a way to deal with that when fb_sig is removed.

For details, please see the original announcement from Facebook here.

 

This entry was posted in Authentication, Development Tips, news and tagged , , . Bookmark the permalink.

3 Responses to Facebook App – Moving to OAuth 2.0 + HTTPS

  1. Pingback: Facebook kicks Ads provider’s Ass by Moving to OAuth 2.0 + HTTPS? | Wing's Blog on Facebook Development & Virtualization

  2. Gretchen says:

    I basically learned about virtually all of this, but having said that, I still assumed it was beneficial. Sweet task!

  3. superb post.Never knew this, thankyou for letting me know.

Leave a Reply

Your email address will not be published. Required fields are marked *