Oauth in canvas app - code vs. signed_request


mspork

Oct 26, 2010, 9:07:50 PM
to facebooker
Hi all,

I'm using the oauth 2.0 authentication within a canvas app. I just
noticed that I seem to be doing this in a non-standard way (or at
least - it does not appear documented by facebook) - albeit that it
works.

Just wonder if others are doing this as well - and if there are any
adverse consequences of doing it this way?

I have a callback url like:

/oauth_redirect

After facebook authenticates the user, and the browser redirects to
this callback url, I have a code value in params[:code].

As per the oauth spec for web server flow - and facebook's own oauth
documentation for "Authenticating Users in a Web Application" [1], I
am then meant to exchange this code for an access token by calling:

https://graph.facebook.com/oauth/access_token?
client_id=...&
redirect_uri=http://www.example.com/oauth_redirect&
client_secret=...&
code=...

However, as this is a canvas app, you will also find at this point a
signed_request value exists in the params. You can just extract the
token from this signed request without the additional roundtrip to the
server as described above.

Does anyone else do it this way? Pros/cons?

thx

Murray


[1] http://developers.facebook.com/docs/authentication/
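
The token inside a signed_request is only trustworthy after its signature has been checked against the app secret, so here is that check as an added example (not code from the original post or from the facebooker/mogli gems). It assumes the documented signed_request layout of `base64url(signature).base64url(JSON payload)` signed with HMAC-SHA256; the helper names, secret and payload values are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# signed_request uses base64url without padding; restore padding before decoding.
def b64url_decode(str)
  Base64.urlsafe_decode64(str + '=' * ((4 - str.length % 4) % 4))
end

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the payload Hash when the signature verifies, nil for anything else.
# The signature is checked before the payload is parsed or trusted.
def parse_signed_request(signed_request, secret)
  encoded_sig, encoded_payload = signed_request.to_s.split('.', 2)
  return nil if encoded_sig.nil? || encoded_payload.nil?
  expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, encoded_payload)
  return nil unless secure_equal?(b64url_decode(encoded_sig), expected)
  payload = JSON.parse(b64url_decode(encoded_payload))
  return nil unless payload.is_a?(Hash) && payload['algorithm'].to_s.upcase == 'HMAC-SHA256'
  payload
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or JSON is treated as an invalid request
end

# Hypothetical helper that builds a constructed signed_request for the demo.
def build_signed_request(payload, secret)
  body = Base64.urlsafe_encode64(JSON.generate(payload)).delete('=')
  sig = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, body)
  "#{Base64.urlsafe_encode64(sig).delete('=')}.#{body}"
end

SAMPLE_SECRET = 'constructed-app-secret' # stands in for the real app secret
SAMPLE = build_signed_request(
  { 'algorithm' => 'HMAC-SHA256', 'user_id' => '1000',
    'oauth_token' => 'constructed-token', 'issued_at' => 1_317_000_000 },
  SAMPLE_SECRET
)
verified = parse_signed_request(SAMPLE, SAMPLE_SECRET)
puts verified ? "token: #{verified['oauth_token']}" : 'rejected'
```

In a controller this would be called on `params[:signed_request]`, and the request rejected when it returns nil.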

klochner

Sep 28, 2011, 2:55:15 PM
to faceb...@googlegroups.com
bump - it looks like we're supposed to use the signed_request for canvas apps starting next week.

All Canvas and Page tab apps (that are not using FBML) must convert to process signed_request (fb_sig will be removed) and obtain an SSL certificate for use in ‘Secure Canvas URL’ and ‘Secure Page tab URL’ (unless you are in Sandbox mode).

@Mike - does the latest mogli gem support this?  I'm not seeing anything in the code, a little worried that my canvas apps will go down.

http://developers.facebook.com/docs/authentication/signed_request/

Mike Mangino

Sep 30, 2011, 8:56:49 AM
to faceb...@googlegroups.com
I'm honestly not sure. Here's my dirty secret. I don't do any Facebook canvas apps anymore. I've just been hurt too many times by them. 

Facebooker2 supports signed request so I think this should work.

Mike



klochner

Sep 30, 2011, 11:50:20 AM
to faceb...@googlegroups.com
Thanks Mike.  I *think* you're right - I updated my app settings to use the new protocol and nothing is broken, but I'll find out for sure tomorrow.

