Facebook has recently announced its plan that all Facebook applications must move to OAuth 2.0 + HTTPS by 1 Oct!
To highlight, the plan is:
- July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
- September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
- October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.
Interestingly enough, Facebook said:
Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry. In addition, we have been working with Symantec to identify issues in our authentication flow to ensure that they are more secure.
In fact, because of the famous “invalid access token” issue that happened recently, I have already enabled OAuth 2.0 for ALL my applications. What a nice move in kicking off the migration! 🙂
As preparation, I would also suggest reviewing your apps:
- Review the code so that the apps do not rely on fb_sig unless it is the only way. Even then, you still have to find a way to deal with it once fb_sig is removed.
For details, please see the original announcement from Facebook here.