Neverending Facebook API changes
Believe it or not, Facebook changed part of its API again. Since today, authorizing for iframe applications does not work the way it used to. Previously it was enough to redirect to:
https://graph.facebook.com/oauth/authorize?client_id=268718683475&redirect_uri=http://apps.facebook.com/blogoauthgraph/&scope=publish_stream,user_photos,user_photo_video_tags
… where Facebook authorized your app and redirected back to:
http://apps.facebook.com/blogoauthgraph/?session=123456...
… where session was a valid access_token.
Since today the mechanism has changed to something like this:
https://graph.facebook.com/oauth/authorize?client_id=268718683475&redirect_uri=http://apps.facebook.com/blogoauthgraph/&scope=publish_stream,user_photos,user_photo_video_tags
… which redirects you to:
http://apps.facebook.com/blogoauthgraph/?code=2.YndguK...
… but at this point you do not yet have a valid session (access_token); you have to make the following request:
https://graph.facebook.com/oauth/access_token?client_id=268718683475&redirect_uri=http://apps.facebook.com/blogoauthgraph/&client_secret=YOURSECRET&code=2.YndguK...
… and Facebook responds with:
access_token=268718683475|2.Yndgu...&expires=86183
Notice that this is the response body, not a redirect! Now it's time to grab the access_token and use it in your app. This change has a direct impact on the Authorizing Iframe Facebook Applications For Graph API article.
There have also been some other unannounced changes, e.g. the “Remove fb_sig” toggle in the Migrations tab of the Facebook app settings…
Credit goes to my readers Adam Cousins, David Bardos, Garcimore and Etienne for noticing the changes.
I have just spotted a quick fix. All you need to do is add type=user_agent to your auth request:
https://graph.facebook.com/oauth/authorize?client_id=268718683475&redirect_uri=http://apps.facebook.com/blogoauthgraph/&scope=publish_stream,user_photos,user_photo_video_tags&type=user_agent
… and now Facebook redirects you to:
http://apps.facebook.com/blogoauthgraph/?access_token=123456...&expires_in=86729
This token is valid! I have updated the article with this quick fix.
Update, Jul 22, 2010: Facebook rolled back the change and added a “Canvas Session Parameter” setting in the Facebook app settings / Migrations tab. With this setting enabled, your apps should work as they previously did.
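As an added example (my own code, not code from the original post), here are the flows described above as Python helpers: building the authorize URL with or without type=user_agent, parsing the redirect back to the app whether Facebook put the parameters after ? or after # (the comments below hit that case), and the server-side code exchange that parses the access_token=...&expires=... reply. The app id, redirect_uri and scope are the ones from the post; the client_secret is a placeholder, and the HTTP call is injected as a function so the block runs offline.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

GRAPH = "https://graph.facebook.com"
# Values from the post. The secret never belongs in a client (Flash/JS) build;
# only exchange_code(), running on your server, should see it.
APP_ID = "268718683475"
REDIRECT_URI = "http://apps.facebook.com/blogoauthgraph/"
SCOPE = "publish_stream,user_photos,user_photo_video_tags"


def authorize_url(user_agent=False):
    """Build the /oauth/authorize URL. With user_agent=True (the quick fix)
    Facebook sends the access_token straight to redirect_uri; without it
    Facebook sends a short-lived code that must be exchanged server-side."""
    params = {"client_id": APP_ID, "redirect_uri": REDIRECT_URI, "scope": SCOPE}
    if user_agent:
        params["type"] = "user_agent"
    return GRAPH + "/oauth/authorize?" + urlencode(params)


def parse_callback(url):
    """Pick code / access_token / session (plus expiry) out of the redirect
    back to the app, whether Facebook put them after '?' or after '#'."""
    parts = urlsplit(url)
    wanted = ("code", "access_token", "session", "expires_in", "expires")
    found = {}
    for raw in (parts.query, parts.fragment):
        for key, vals in parse_qs(raw).items():
            if key in wanted:
                found[key] = vals[0]
    return found


def exchange_code(code, client_secret, http_get):
    """Server-side half of the code flow: call /oauth/access_token with the
    client_secret and parse the form-encoded body Facebook returns
    (access_token=...&expires=...). http_get(url) -> body is injected so
    this runs offline; a real caller passes an HTTPS fetch."""
    url = GRAPH + "/oauth/access_token?" + urlencode({
        "client_id": APP_ID, "redirect_uri": REDIRECT_URI,
        "client_secret": client_secret, "code": code})
    body = http_get(url)
    fields = parse_qs(body)
    if "access_token" not in fields:
        # Anything else (an error body, an HTML page) is not a token: fail loudly.
        raise ValueError("token exchange failed: " + body)
    # Tokens of that era contained '|' (appid|secret-part); parse_qs keeps it intact.
    return fields["access_token"][0], int(fields["expires"][0])
```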
Thanks for the update – much appreciated. I tried the quick-fix but it didn’t seem to work. My page just keeps redirecting back and forth. Do I also need to worry about the “Remove fb_sig” or any of the other settings?
Never mind the last comment – I made the change to line 51 of my HTML but not line 36 😛
All good now 😉 Thanks!
Thanks so much for the quick fix and for responding quickly.
Cheers
Adam
Do you have the link to Facebook's announcement of all the changes?
@miguelMoraleda, I wish something like that existed… but I am unable to find any valid source.
You are fast, mate! 🙂
cheers
One thing that's been concerning me.
In order to request an access_token we need to pass across the client secret, which means getting it into the Flash app somehow.
At the moment I am compiling the app with the secret embedded and getting everything else dynamically. Is this a security risk? Maybe I'm missing something?
Cheers
Toby
@Toby, you do not need the secret for logging in with FacebookOAuthGraph: http://blog.yoz.sk/2010/05/facebook-graph-api-and-oauth-2-and-flash/
OK, so my understanding of your approach is this:
Your FacebookOAuthGraph uses ExternalInterface to pop up a call to /oauth/authorize, which calls callback.html, which in turn calls confirmConnection with an access_token.
I think I realise that your approach relies on the ‘Canvas Session Parameter’ being enabled. Do you think this is good practice, as it seems to bypass the code > access_token call?
Am I right in thinking that if I enabled ‘Canvas Session Parameter’ then I would not need the call to /oauth/access_token, since /oauth/authorize would return the access_token directly (instead of an intermediate code)?
Cheers
Toby
@Toby there are two types I use:
1. standalone app: opens a popup to “/oauth/authorize” + “type=user_agent”; FB redirects you to your callback with #access_token=123 (URL hash)
2. I use “Canvas Session Parameter” enabled for the iframed application. Here the auth process goes by redirecting (no popup): my iframe app –(need token?)–> /oauth/authorize –> my iframe app (session param passed into the iframe as GET)
… now for iframed apps you have alternative choices:
1. use type=user_agent and Facebook pushes access_token as a GET param into the iframe
2. make the auth call without type=user_agent and Facebook pushes the session GET param into the iframe (Canvas Session Parameter enabled required)
I do not use /oauth/access_token; I find it useless while the approaches mentioned work.
—
Q: Am I right in thinking that if I enabled ‘Canvas Session Parameter’ then I would not need the call to /oauth/access_token, since /oauth/authorize would return the access_token directly (instead of an intermediate code)?
A: yes, you are right, depends … goto line 1 :}
Great stuff, thanks very much.
I opted for enabling the ‘Canvas Session Parameter’ option, which has made things much simpler, and I've been able to completely remove the call to /oauth/access_token, which was a nasty security hole.
Many thanks
Toby
Thanks for the &type=user_agent parameter. Unfortunately I get a 400 Bad Request error when I make a call to file_get_contents('https://graph.facebook.com/me?access_token=2799945…') in PHP. Any ideas on a solution?
Hi Shaw, is there any description attached to the response?
Can't load binary data from the Graph API in Flash because of crossdomain policy restrictions.
Binary data – it's a redirect to a static server without permissions in crossdomain.xml.
For example https://graph.facebook.com/me/picture?access_token=…
redirects to http://static.ak.fbcdn.net/rsrc.php/z5HB7/hash/ecyu2wwn.gif
and Flash can't load it – Error #2048: Security sandbox violation
@Flop you are right, please read
http://blog.yoz.sk/2010/05/facebook-graph-api-and-oauth-2-and-flash/#comment-2454
You may use Loader instead of URLLoader if you do not need to access the returned BitmapData (just displaying the image).
What is a “client_id” and where can I get/read it?
@Alex, client_id is your Facebook application ID: http://developers.facebook.com/docs/api
Hi Jozef,
I am writing to ask how to close the session that is triggered when a user connects to Facebook from my application.
Hi MauroX,
what exactly do you need? To remove the stored access_token from the SharedObject?
savedSession.data.token = null;
savedSession.flush();
Or the actual access_token?
_token = null;
_authorized = false;
http://apps.facebook.com/blogoauthgraph/
?access_token=123456…
&expires_in=86729
For the authorization response above, I am getting a ‘#’ instead of ‘?’. Any solution for this?
Thanks,
Mamatha.
Hi Martha, yes, it pushes # instead of ?, so you have to parse it via JavaScript:
window.location.hash
Jozef,
Thanks a lot.
Martha.
Hi, I'm a newbie. I followed the code and included the quick fix &type=user_agent. I also enabled the Canvas Session Parameter, and it keeps redirecting back and forth. Can I ask what I am missing?
Hi Annie, this may help you:
http://blog.yoz.sk/2010/06/authorizing-iframe-facebook-applications-for-graph-api/#comment-4478