This repository has been archived by the owner on Nov 23, 2020. It is now read-only.

sbaechler edited this page Sep 25, 2011 · 4 revisions

# The Missing OAuth2 Manual

## Introduction

On October 1st Facebook will be switching to OAuth 2.0. While they did update their PHP API, they did not update their Python API. So after October 1st it will no longer work. The documentation from Facebook on what exactly changes is sparse: https://developers.facebook.com/blog/post/525/. While updating the Python API to OAuth 2 I discovered some more changes under the hood that were not documented.

## The JavaScript SDK

The changes here are mainly annoying. Almost all of the attribute names changed. The first is in the fb:login-button: for the permissions you now have to write scope instead of perms. The function FB.getLoginStatus(function(response){log(response)}) used to respond with the following object:

```javascript
{'session': { 'uid': 'USER_ID', 'access_token': 'ACCESS_TOKEN', 'base_domain': 'BASE_DOMAIN',
              'expires': TIMESTAMP, 'secret': SOME_CODE, 'session_key': 'SESSION_KEY', 'sig': 'SOME_CODE' },
 'status': 'connected' }
```

Now it will respond:

```javascript
{'authResponse': { 'accessToken': 'ACCESS_TOKEN', 'expiresIn': TIMEDELTA(s), 'signedRequest': 'SIGNED_REQUEST',
                   'userID': 'USER_ID' },
 'status': 'connected' }
```

Finally, the event auth.sessionChange is replaced by auth.authResponseChange.

## The API

The most significant change here is that the cookie set by the JavaScript SDK changed completely, so the function get_user_from_cookie() will fail. Until now the JavaScript SDK set a cookie named fbs_<APP-ID> that contained an encrypted user id and access token. Now the cookie is named fbsr_<APP-ID> and it contains the signed request. When you parse that signed request you do not immediately get the access token but a code that needs to be authenticated again with Facebook. The method is almost the same as with the signed request from the standard login, but not quite: the redirect_uri must be an empty string, and any " characters need to be removed. The user id is still directly available in the signed request:

```python
{u'issued_at': 1316611903,
 u'code': u'2.AQB0gn0ueVWMpj-c.3600.1316617200.1-684450912|RTJur1Zmr__4d4uX5vg25tc1X4M',
 u'user_id': u'<USER-ID>', u'algorithm': u'HMAC-SHA256'}
```

The response from the authentication changed as well. Before, it was a URL-encoded string containing the access token. Now it also contains an expires value: the number of seconds the token is valid. It looks something like this:

```
access_token="AAADYZBFNocBMBAK8ZCACj5udCF6Cqj.....2CljZAk1xX4rd9quEoXTygZDZD"&expires=6295
```
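The cookie flow described above (read fbsr_<APP-ID>, verify the HMAC-SHA256 signed request, take the user id and the code, build the code exchange with an empty redirect_uri, and strip the quotes from the access_token=...&expires=... answer) as one Python reimplementation. This is an added example, not the page's or the SDK's own code. The app id, app secret and cookie value are constructed for the demo; make_signed_request exists only to build such a cookie offline; the Graph API token endpoint URL is an assumption and is not used for any network call here.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Assumed endpoint of the time; only referenced, never called in this example.
ASSUMED_TOKEN_URL = "https://graph.facebook.com/oauth/access_token"


def _b64url_decode(s: str) -> bytes:
    # Facebook strips base64url padding; restore it before decoding.
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s.encode("ascii"))


def parse_signed_request(signed_request: str, app_secret: str):
    """Verify <sig>.<payload> and return the payload dict, or None if anything is off."""
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(encoded_payload))
    except ValueError:  # bad base64, bad JSON, missing dot
        return None
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The signature covers the *encoded* payload string, not the decoded JSON.
    expected = hmac.new(app_secret.encode("utf-8"),
                        encoded_payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    return data


def get_user_from_cookie(cookies: dict, app_id: str, app_secret: str):
    """Read the fbsr_<APP-ID> cookie; yields the user id and a code, not a token."""
    cookie = cookies.get("fbsr_" + app_id)
    if not cookie:
        return None
    data = parse_signed_request(cookie, app_secret)
    if data is None or "user_id" not in data or "code" not in data:
        return None
    return {"uid": data["user_id"], "code": data["code"]}


def code_exchange_params(app_id: str, app_secret: str, code: str) -> dict:
    """Parameters to send to the token endpoint; redirect_uri must be empty for cookie codes."""
    return {"client_id": app_id, "client_secret": app_secret,
            "redirect_uri": "", "code": code}


def parse_token_response(body: str) -> dict:
    """Parse access_token="..."&expires=N; the quotes around the token are removed."""
    fields = parse_qs(body, strict_parsing=True)
    token = fields["access_token"][0].strip('"')
    expires = int(fields["expires"][0]) if "expires" in fields else None
    return {"access_token": token, "expires": expires}


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Demo-only helper (constructed): signs a payload the way the SDK's cookie is signed."""
    body = dict(payload, algorithm="HMAC-SHA256")
    encoded_payload = base64.urlsafe_b64encode(json.dumps(body).encode("utf-8")).decode("ascii").rstrip("=")
    sig = hmac.new(app_secret.encode("utf-8"), encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(sig).decode("ascii").rstrip("=") + "." + encoded_payload


if __name__ == "__main__":
    # Constructed values: a fake app id/secret and a cookie built with the helper above.
    app_id, app_secret = "123456", "constructed-app-secret"
    cookies = {"fbsr_" + app_id: make_signed_request(
        {"user_id": "42", "code": "2.AQB0...|RTJu...", "issued_at": 1316611903}, app_secret)}
    user = get_user_from_cookie(cookies, app_id, app_secret)
    print(user)  # {'uid': '42', 'code': '2.AQB0...|RTJu...'}
    print(code_exchange_params(app_id, app_secret, user["code"]))
    print(parse_token_response('access_token="AAAD.....ZDZD"&expires=6295'))
```

A tampered payload or a wrong app secret makes parse_signed_request return None, so a server should treat the cookie as absent in that case rather than trusting the embedded user_id.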