Server Side changes for Facebook’s OAuth 2.0 upgrade

SociableLabs Team | Nov 27, 2019

This is our second post on OAuth 2.0 and covers server-side changes. To see our previous post on changes to Facebook’s Javascript SDK, read here.

Facebook is upgrading its platform authentication system to OAuth 2.0. During the transition period both the new system and the old system are supported; however, starting October 1st, 2011 the old authentication system will no longer be supported, and any apps that depend on it will stop working.

The main differences are that the cookie format has changed significantly and that the prior way of verifying the signature and obtaining an access token has changed:

Instead of using MD5 to sign the cookie, they are now using the more secure SHA256.

The access_token is not stored in the cookie directly; instead, you have to make a separate REST call to retrieve the access_token using information stored in the cookie together with your Facebook App secret. The documentation here for the server-side flow is mostly accurate, though one key detail changes when you're using the FB JS SDK to obtain the code instead of doing everything server-side: the content of the redirect_uri parameter.

If you put a login button on your site using FBML or use FB.login, then when the user logs in to your site, Facebook drops an OAuth 2.0 style cookie. That cookie contains the following information in the signed request format:

{
    "algorithm": "HMAC-SHA256",
    "code": "xxxxxxx",
    "issued_at": 1315979667,
    "user_id": "yyyyyyy"
}

Here is more information on the signed request and how to verify the signature.

That code is the code that you will use to make the call to the access_token endpoint as specified in the authentication guide linked to above. However, the key point that is documented in the FB PHP SDK is that the FB JS sets the redirect_uri to the empty string. (If you’re really curious, see the PHP SDK on line 347 from the version available on 9/19/2011. It might have moved slightly thereafter, and is copied below.)

Specifically, when you make a call to this endpoint, use '' (the empty string) as your redirect_uri, not your actual URL. If you pass your URL, the call will fail.

https://graph.facebook.com/oauth/access_token?
     client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&
     client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

becomes:

https://graph.facebook.com/oauth/access_token?
     client_id=YOUR_APP_ID&redirect_uri=&
     client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

This call will get you the access token which allows you to use the FB Graph API as you had before.
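The two server-side steps described above (verifying the signed_request cookie with HMAC-SHA256, then building the code-for-token exchange URL with an empty redirect_uri) as an added Python example; it is not code from the original post or from Facebook's SDKs. The app id, app secret and the make_signed_request helper are constructed for local testing only.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"


def _b64url_decode(s: str) -> bytes:
    # Facebook strips the '=' padding from base64url; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str):
    """Return the payload dict if the signature verifies, otherwise None."""
    if "." not in signed_request:
        return None
    encoded_sig, payload = signed_request.split(".", 1)
    try:
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The HMAC is computed over the still-encoded payload string, keyed with the app secret;
    # compare in constant time so a forged cookie cannot be distinguished by timing.
    expected = hmac.new(app_secret.encode(), payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return data


def access_token_url(app_id: str, app_secret: str, code: str) -> str:
    """Build the exchange URL; redirect_uri must be '' because the JS SDK issued the code that way."""
    params = {"client_id": app_id, "redirect_uri": "", "client_secret": app_secret, "code": code}
    return TOKEN_ENDPOINT + "?" + urlencode(params)


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Constructed test helper (not Facebook code): signs a payload the way the cookie is signed."""
    encoded = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), encoded.encode(), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + encoded
```

Only a payload whose signature verifies against your app secret should be trusted; the code inside it is then sent to the token endpoint over HTTPS from the server, never from the browser.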

Here’s the snippet of code from the PHP SDK:

      // the JS SDK puts a code in with the redirect_uri of ''
      if (array_key_exists('code', $signed_request)) {
        $code = $signed_request['code'];
        $access_token = $this->getAccessTokenFromCode($code, '');
        if ($access_token) {
          $this->setPersistentData('code', $code);
          $this->setPersistentData('access_token', $access_token);
          return $access_token;
        }
      }

Good luck to everyone on the October 1st deadline!
