Be careful with latest PHP SDK v3.2.2 on appsecret_proof

Recently, one of my colleagues had updated his app to use the latest PHP SDK.

Everything worked fine but suddenly, for our batch processing in sending app to user notification, we started receiving “Invalid appsecret_proof provided in the API argument” error message from Facebook on 17Jul.

After checking, I found that the latest PHP SDK will now include the appsecret_proof parameter in the OAuth request if the access_token parameter is there.  The corresponding code from base_facebook.php is shown below,

protected function _oauthRequest($url, $params) {
  if (!isset($params['access_token'])) {
    $params['access_token'] = $this->getAccessToken();
  }

  if (isset($params['access_token'])) {
   $params['appsecret_proof'] = $this->getAppSecretProof($params['access_token']);
  }
.
.

In the previous version of the PHP SDK, I would say that for most cases, the appSecret that we set whe instantiating the famous $facebook object is of no practical use if we are going to explicit pass the access_token (which can be stored earlier when we built the user session) in the request sent to Facebook.  However, this is no longer use now.

So, make sure you are setting the appID and appSecret properly before you send out any request.  This is particular true for batch processing when the PHP script is processing requests/records for different apps by using looping.

While the issue was caught and handled at our end.  I found that there is actually an option “Require AppSecret Proof for Server API calls” within the Facebook App Setting Advanced page.   When we were having the problem, this option was disabled actually and I would therefore expect that no appscret_proof checking is to be performed at the Facebook end even this parameter is included in the request.  A bug report had been opened for this.

Also, I would say that there is actually no need to have the PHP SDK to calculate the appsecret_proof (which eat up CPU cycles of the server) if we are not going to perform the checking.  Another bug report had been opened also and I would say this is a feature request on the PHP SDK.

I hope that by reading this article, you now know something about the appsecret_proof.

And if you are asking me where you can find more information about this appsecret_proof, my answer is that there is not yet any official Facebook documentation on this in their doc site.

This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

2 Responses to Be careful with latest PHP SDK v3.2.2 on appsecret_proof

  1. Pete says:

    This is great info but you don’t tell us HOW you solved the problem.

    • takwing says:

      just comment the following code (which was mentioned in my original blog post):

      //if (isset($params[‘access_token’])) {
      // $params[‘appsecret_proof’] = $this->getAppSecretProof($params[‘access_token’]);
      // }

Leave a Reply to Pete Cancel reply

Your email address will not be published. Required fields are marked *