Facebook Releases OAuth 2.0-Ready JavaScript SDK, Extends Migration Deadline to October 1st

Today, Facebook announced the release of the new OAuth 2.0-ready version of its JavaScript SDK. This will allow developers to create applications that securely pass User IDs and access tokens. Facebook has pushed back the deadline by which all developers must use the OAuth 2.0 standard from September 1st to October 1st. Facebook has also made some changes to the Developer app to support the migration.

The new JavaScript SDK should become available on GitHub tomorrow, at which point Facebook will update its reference documentation. Facebook is currently rolling out support for JavaScript OAuth 2.0 across its servers, and those who try upgrading before the rollout finishes may encounter errors.

Facebook experienced some security issues and public scrutiny when it was discovered that some iframe applications were leaking access tokens to unauthorized parties including advertisers. These access tokens could be used to perform actions or extract data from a user’s account without their consent.

While the actual risk to users was low, Facebook accelerated its roadmap for implementing the OAuth 2.0 standard in order to prevent this type of data leak. Facebook planned to have new versions of both the PHP and JavaScript SDKs available by July 1st, with completion of the migration to the security standard planned for July 1st. The PHP SDK was released early, but technical issues delayed the JS SDK’s release until today, prompting the deadline extension.

OAuth 2.0 support is opt-in to prevent breakage to apps before developers complete the transition. To enable it, Facebook explains that developers can pass an oauth parameter to FB.init and set it to true, as in this example:

FB.init({
   appId : YOUR_APP_ID,
   // other parameters,
   oauth : true
});

Setting the parameter to false or omitting it will keep OAuth 2.0 disabled. For more details on how development differs between the old and new JavaScript SDK, see the release announcement blog post.

Facebook has made some modifications to the Developer app. The “OAuth 2.0 for Canvas” setting has been renamed “signed_request for Canvas” to clarify that, when enabled, developers will receive a signed_request parameter. An OAuth Migration setting has been added that, when enabled, indicates the developer has completed the migration to access tokens. Both settings default to disabled.

The Facebook Developer Roadmap now shows that by October 1st, all apps must use OAuth 2.0, expect encrypted access tokens, process signed_request, and have obtained an SSL certificate to allow HTTPS browsing. Once the JavaScript SDK is available, all developers should prepare for this deadline so they have plenty of time to work out bugs.
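
What "process signed_request" means on the server side, as an added example that is not from Facebook's SDK or the original article. It assumes the signed_request layout of two base64url segments joined by a dot, with the first segment an HMAC-SHA256 of the encoded second segment keyed with the app secret; the secret, token and user ID below are constructed sample values.

```javascript
// Added example: verify a Facebook-style signed_request on the server (Node.js).
const crypto = require("crypto");

// base64url -> Buffer (signed_request uses '-' and '_' and drops '=' padding)
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// Returns the decoded payload object, or null if the value must be rejected.
function parseSignedRequest(signedRequest, appSecret) {
  if (typeof signedRequest !== "string") return null;
  const parts = signedRequest.split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const [sigB64, payloadB64] = parts;

  // Check the signature BEFORE trusting anything inside the payload.
  const expected = crypto.createHmac("sha256", appSecret).update(payloadB64).digest();
  const given = b64urlDecode(sigB64);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;

  let data;
  try { data = JSON.parse(b64urlDecode(payloadB64).toString("utf8")); } catch (e) { return null; }
  // Pin the algorithm so a payload cannot announce a different (or no) scheme.
  if (!data || String(data.algorithm).toUpperCase() !== "HMAC-SHA256") return null;
  return data;
}

// Builds a constructed sample so the example runs offline (not real Facebook data).
function makeSample(payload, secret) {
  const b64url = (buf) => buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(crypto.createHmac("sha256", secret).update(body).digest());
  return sig + "." + body;
}

const SAMPLE_SECRET = "constructed-app-secret";
const SAMPLE = makeSample({ algorithm: "HMAC-SHA256", user_id: "1234", oauth_token: "constructed-token", issued_at: 1310000000 }, SAMPLE_SECRET);
console.log(parseSignedRequest(SAMPLE, SAMPLE_SECRET));
```

Only the user ID and access token taken from a payload that passes this check should be trusted; a null result means the request is dropped.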

Copyright 2012 WebMediaBrands Inc. All rights reserved.