
Next steps towards a modern Platform: OAuth 2.0 and HTTPS

October 4, 2011, by Jerry Cain

As we announced in May, all apps must support OAuth 2.0 for authentication and HTTPS (Canvas and Page Tab apps only) by October 1st. Now that this date has passed, we are moving forward with a plan to remove all non-OAuth endpoints and limit the distribution of Canvas and Page Tab apps that have not provided a Secure URL.

Enabling signed_request and encrypted access token Platform Migrations

Starting today, we are auto-enabling two migrations in the Dev App: signed_request for Canvas and Encrypted Access Token.

With the signed_request for Canvas migration enabled, the legacy fb_sig parameters will no longer be sent to your app, so code that relies on fb_sig will stop working. For a guide to using signed_request, see our Canvas App tutorial.
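As an added illustration (not code from this post or from any Facebook SDK), here is a minimal server-side verifier for the signed_request format: the value is "<signature>.<payload>", both base64url-encoded without padding, where the payload is a JSON object and the signature is HMAC-SHA256 over the encoded payload string, keyed with your App Secret. The secret, payload fields and token values below are constructed for the example; make_signed_request exists only to build test input, since a Canvas app only ever receives and verifies these.

```python
import base64
import hashlib
import hmac
import json

# Constructed app secret for this example only; the real one is the App Secret
# shown in the Dev App and must never be shipped to a browser or mobile client.
APP_SECRET = b"constructed-app-secret-not-a-real-one"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url (the encoding signed_request uses)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: bytes) -> dict:
    """Verify a signed_request and return its decoded payload.

    signed_request is '<base64url(sig)>.<base64url(json payload)>', where sig is
    HMAC-SHA256 over the *encoded* payload string, keyed with the app secret.
    Raises ValueError on any malformed or incorrectly signed input.
    """
    if signed_request.count(".") != 1:
        raise ValueError("signed_request must have exactly one '.' separator")
    encoded_sig, encoded_payload = signed_request.split(".")
    sig = b64url_decode(encoded_sig)

    # Verify before parsing: the JSON is untrusted until the MAC checks out.
    expected = hmac.new(app_secret, encoded_payload.encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signed_request signature mismatch")

    data = json.loads(b64url_decode(encoded_payload))
    if not isinstance(data, dict):
        raise ValueError("payload is not a JSON object")
    # Only accept the algorithm we actually verified with.
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unsupported algorithm: %r" % data.get("algorithm"))
    return data


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Produce a signed_request the way the platform does. Used here only to
    build constructed test input; a Canvas app never signs, it only verifies."""
    encoded_payload = b64url_encode(
        json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret, encoded_payload.encode("ascii"),
                   hashlib.sha256).digest()
    return b64url_encode(sig) + "." + encoded_payload


def is_valid(signed_request: str, app_secret: bytes) -> bool:
    """True if the signed_request verifies, False otherwise."""
    try:
        parse_signed_request(signed_request, app_secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed payload with the fields a Canvas POST typically carries.
    demo = {"algorithm": "HMAC-SHA256", "issued_at": 1317686400,
            "user_id": "123456", "oauth_token": "opaque-token-value"}
    sr = make_signed_request(demo, APP_SECRET)
    print("valid:", is_valid(sr, APP_SECRET))
    # Swap in a payload claiming another user; the signature no longer matches.
    forged = sr.split(".")[0] + "." + b64url_encode(
        b'{"algorithm":"HMAC-SHA256","user_id":"999999"}')
    print("forged accepted:", is_valid(forged, APP_SECRET))
```

The signature is checked with a constant-time comparison before the JSON is parsed, and the request is rejected if the payload's algorithm field is not the one that was actually verified, so a payload that merely claims a different algorithm cannot be accepted. Because verification needs the App Secret, it has to happen on your server; never embed the secret in client-side JavaScript or a mobile binary.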

With the Encrypted Access Token migration enabled, the format of the access token has changed. The new access token format is completely opaque and you should not take any dependency on the format in your code. A varchar(255) field will be sufficient to store the new tokens.

Edit on May 3rd, 2013: Token sizes will change over time, so please don't put a size limit on the token. Use a variable-size character data type without a specific maximum size if you're storing tokens in a database, or a variable-size string if you're storing them some other way. The tokens are opaque, but they will change size over time; expect them to both grow and shrink as we make changes.

Encouraging apps to provide a Secure URL

For Canvas or Page Tab apps that do not have a Secure Canvas or Page Tab URL configured, we will begin to show users the following interstitial if they have secure browsing enabled:

Once the Secure Canvas or Page Tab URL field is filled in appropriately, this interstitial will no longer be shown. You can do this in the Dev App by specifying the Secure Canvas URL and Secure Page Tab URL as below:

We may announce other steps in the near future that will limit the distribution of Apps on Facebook that do not support Secure Canvas or Page Tab URLs.

Removing non-OAuth endpoints

On October 11th, apps using the old JavaScript Library (FeatureLoader.js) or the old iPhone SDK (facebook-iphone-sdk) for authentication will no longer be able to authenticate users until these apps switch to OAuth 2.0.

We are currently evaluating when we will remove the endpoints supporting the old PHP SDK (versions prior to v3.1.1) as well as non-OAuth authentication in the current JavaScript SDK.

If you are using an old version of the PHP SDK, please go to GitHub to download version 3.1.1. If you are using the JavaScript SDK, please opt in to OAuth 2.0 by passing the oauth: true parameter to FB.init and using FB.getAuthResponse to obtain the access token.

Please let us know if you have any questions in the comments below.