Server Side changes for Facebook’s OAuth 2.0 upgrade

SociableLabs Team | Nov 27, 2019

This is our second post on OAuth 2.0 and covers server-side changes. To see our previous post on changes to Facebook’s Javascript SDK, read here.

Facebook is upgrading its platform authentication system to OAuth 2.0. During the transition both the new system and the old system are supported; however, starting October 1st, 2011, the old authentication system will no longer be supported, and any apps that depend on it will stop working.

The main differences are that the cookie format has changed significantly, and that the way you verify the signature and obtain an access token has changed:

Instead of signing the cookie with an MD5 hash, Facebook now signs it with HMAC-SHA256 keyed with your App secret.

The access_token is no longer stored in the cookie directly; instead, you have to make a separate REST call to retrieve the access_token, using the code stored in the cookie and your Facebook App secret. The documentation here for the server-side flow is mostly accurate, though one key detail changes when you use the FB JS SDK to obtain the code instead of doing everything server-side: the value of redirect_uri.

If you put a login button on your site using FBML, or call FB.login, then when the user logs in to your site Facebook drops an OAuth 2.0 style cookie. That cookie contains the following information in the signed request format:

    "algorithm": "HMAC-SHA256",
Here is more information on the signed request and how to verify the signature.

The code field in that signed request is the code you use when calling the access_token endpoint, as described in the authentication guide linked to above. However, the key point, documented only in the FB PHP SDK, is that the FB JS SDK obtains that code with the redirect_uri set to the empty string. (If you're really curious, see line 347 of the PHP SDK in the version available on 9/19/2011. It might have moved slightly thereafter; the snippet is copied below.)

Specifically, when you call this endpoint, pass the empty string '' as your redirect_uri, not your actual URL. If you pass your URL, the call will fail.
This call will get you the access token which allows you to use the FB Graph API as you had before.
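As an added example (written for this post, not code from the original page or from Facebook's SDK), here is the whole server-side flow above in Python: verify the signed-request cookie with HMAC-SHA256 and the App secret, pull the code out of it, build the access_token request with an empty redirect_uri, and parse the response, including the JSON error body you get when the exchange fails. The app id, App secret, cookie contents and HTTP response are constructed values, and the HTTPS call is stubbed with fake_http_get so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Facebook's OAuth 2.0 token endpoint used by the server-side flow.
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"


def _b64url_decode(text):
    """Decode unpadded base64url (Facebook strips the '=' padding)."""
    raw = text.encode("ascii")
    return base64.urlsafe_b64decode(raw + b"=" * (-len(raw) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request, app_secret):
    """Verify an fbsr_<app_id> cookie value and return its payload, or None.

    The cookie is "<base64url(sig)>.<base64url(json)>"; sig is HMAC-SHA256 over
    the still-encoded json part, keyed with the App secret (same check the PHP SDK does).
    """
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        payload = json.loads(_b64url_decode(encoded_payload))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
    if not isinstance(payload, dict):
        return None
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None  # refuse any algorithm other than the one we expect
    expected = hmac.new(app_secret.encode("utf-8"),
                        encoded_payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered cookie
    return payload


def make_signed_request(payload, app_secret):
    """Build a signed request the way Facebook does; used here only to construct sample input."""
    encoded_payload = _b64url_encode(json.dumps(payload).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"),
                   encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + encoded_payload


def build_token_request(app_id, app_secret, code):
    """URL for exchanging a code that the JS SDK obtained.

    redirect_uri is the empty string, not your site URL: the JS SDK requested the
    code with an empty redirect_uri and the exchange must repeat that value exactly.
    """
    params = [("client_id", app_id), ("redirect_uri", ""),
              ("client_secret", app_secret), ("code", code)]
    return TOKEN_ENDPOINT + "?" + urlencode(params)


def parse_token_response(body):
    """Extract access_token from the endpoint's response body.

    Success is form-encoded ("access_token=...&expires=..."); failure is a JSON
    object with an "error" member, which is raised instead of being misparsed.
    """
    body = body.strip()
    if body.startswith("{"):
        error = json.loads(body).get("error", {})
        raise ValueError("token exchange failed: %s" % error.get("message", body))
    fields = parse_qs(body, strict_parsing=True)
    return fields["access_token"][0]


def access_token_from_cookie(signed_request, app_id, app_secret, http_get):
    """Full server-side flow: verify cookie -> take code -> exchange it for a token."""
    payload = parse_signed_request(signed_request, app_secret)
    if payload is None or "code" not in payload:
        return None
    url = build_token_request(app_id, app_secret, payload["code"])
    return parse_token_response(http_get(url))


# --- constructed sample data (not real Facebook values) ---
APP_ID = "123456789"
APP_SECRET = "constructed-app-secret"
SAMPLE_COOKIE = make_signed_request(
    {"algorithm": "HMAC-SHA256", "code": "constructed-code",
     "issued_at": 1316400000, "user_id": "100000000000001"}, APP_SECRET)


def fake_http_get(url):
    """Stand-in for the real HTTPS GET; returns a constructed success body."""
    assert url.startswith(TOKEN_ENDPOINT) and "redirect_uri=&" in url
    return "access_token=AAAC-constructed-token&expires=5183922"


def demo():
    return access_token_from_cookie(SAMPLE_COOKIE, APP_ID, APP_SECRET, fake_http_get)


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping when adapting this: the signature is compared with hmac.compare_digest rather than == so a forged cookie cannot be probed byte by byte, and the algorithm field is checked before the HMAC so an unexpected value is rejected rather than silently treated as HMAC-SHA256.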

Here’s the snippet of code from the PHP SDK:

      // the JS SDK puts a code in with the redirect_uri of ''
      if (array_key_exists('code', $signed_request)) {
        $code = $signed_request['code'];
        // exchange the code using the empty redirect_uri, matching what the JS SDK used
        $access_token = $this->getAccessTokenFromCode($code, '');
        if ($access_token) {
          $this->setPersistentData('code', $code);
          $this->setPersistentData('access_token', $access_token);
          return $access_token;
        }
      }

Good luck to everyone on the October 1st deadline!

About Author

SociableLabs Team
