Handling invalidated access tokens
Last week, we reminded you how to handle invalid access tokens. This is an important concept to understand, as there are several legitimate reasons an access token can become invalid, such as:
Even if you have the offline_access permission from the user, your token can still be invalidated. You should ensure your application is built to handle these scenarios rather than assuming a stored token stays valid.
New PHP SDK
Today we upgraded the PHP SDK to version 3.0.0. Be sure to read our blog post which explains the changes as well as when you should consider upgrading. Version 2 of the PHP SDK will no longer work come September 1st as we will be requiring all apps to use the new OAuth flows.
Client-side re-authentication flow
A couple weeks ago we introduced a server-side way for you to force a user to re-enter their password to confirm their identity (e.g. before making a purchase on a shared computer). We now have a way to perform re-authentication on the client side as well. To get started, check out the example below or see the documentation.
<html>
<head></head>
<body>
<div id="fb-root"></div>
<button id="fb-login" onclick="login()">Login</button>
<script>
var button = document.getElementById('fb-login');

// For help with AJAX, see http://www.w3schools.com/Ajax/Default.Asp
// POST the freshly issued access token to the server, which looks up the
// auth_nonce bound to that token and checks the nonce has not been seen before.
function checkNonce(access_token) {
  var xmlhttp;
  if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp = new XMLHttpRequest();
  } else { // code for IE6, IE5
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
  }
  xmlhttp.onreadystatechange = function() {
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
      if (xmlhttp.responseText == 1) {
        console.log('The user has been successfully ' +
                    're-authenticated.');
      } else {
        console.log('The nonce has been used before. ' +
                    'Re-authentication failed.');
      }
    }
  };
  xmlhttp.open('POST', 'checkNonce.php', true);
  xmlhttp.setRequestHeader('Content-type',
                           'application/x-www-form-urlencoded');
  // URL-encode the token so it cannot break or extend the form body.
  xmlhttp.send('access_token=' + encodeURIComponent(access_token));
}

// Force a fresh login even though the user already has a session.
// auth_nonce should be a fresh, unguessable value your server issued for
// this attempt; the fixed string below is only a placeholder for the example.
function login() {
  FB.login(function(response) {
    // The callback always receives a response object; a cancelled login
    // comes back without a session, so test the session, not the response.
    if (response && response.session) {
      console.log('Login success. Checking auth_nonce...');
      checkNonce(response.session.access_token);
    } else {
      console.log('Login cancelled.');
    }
  }, { auth_type: 'reauthenticate', auth_nonce: 'abcd1234' });
}

window.fbAsyncInit = function() {
  FB.init({appId: 'YOUR_APP_ID', status: true, cookie: true, xfbml: true});
  FB.getLoginStatus(function(response) {
    if (response.session) {
      button.innerHTML = 'Re-Authenticate';
      console.log('User is logged in.');
    } else {
      console.log('User is not logged in.');
    }
  });
};

(function() {
  var e = document.createElement('script');
  e.async = true;
  e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js';
  document.getElementById('fb-root').appendChild(e);
}());
</script>
</body>
</html>
checkNonce.php
<?php
// The token arrives in the POST body sent by checkNonce() above.
$access_token = isset($_POST['access_token']) ? $_POST['access_token'] : '';

// Ask Facebook which auth_nonce was supplied when this token was issued.
// urlencode() keeps the token from altering the rest of the query string.
$graph_url = 'https://graph.facebook.com/oauth/access_token_info?'
           . 'client_id=YOUR_APP_ID&access_token=' . urlencode($access_token);
$response = file_get_contents($graph_url);
$access_token_info = ($response === false) ? null : json_decode($response);

function nonceHasBeenUsed($auth_nonce) {
  // Here you would check your database to see if the nonce
  // has been used before. For the sake of this example, we'll
  // just assume the answer is "no".
  return false;
}

// An invalid token yields no auth_nonce at all. That must count as a failed
// re-authentication; do not let "no nonce" pass as "nonce not used before".
if ($access_token_info === null || isset($access_token_info->error)
    || !isset($access_token_info->auth_nonce)) {
  echo '0';
} elseif (nonceHasBeenUsed($access_token_info->auth_nonce) != true) {
  echo '1';
} else {
  echo '0';
}
?>
Old Insights Dashboard
As previously announced, we will remove the old version of the Insights dashboard on Tuesday as all the metrics that were previously available are now available in the new Insights dashboard.
Improving Docs
Documentation activity for the past 7 days:
Fixing Bugs
Bugzilla activity for the past 7 days:
Forum Activity
Developer Forum activity for the past 7 days:
Yasser Shohoud, a Partner Engineer on the Developer Relations team, is looking forward to seeing how you use the re-authentication feature to create safe, seamless user authentication flows.