Facebook Pushes Developers To OAuth 2.0 And HTTPS

By Nick O'Neill

This afternoon Facebook announced changes to their developer roadmap, which will force both canvas apps and websites to migrate to OAuth 2.0 and obtain SSL certificates.

The second part of the announcement is more significant, as obtaining SSL certificates can often cost upwards of $1,000 for a single year’s license. While SSL has become a basic expense for many developers, others have avoided purchasing SSL certificates in an effort to keep costs low. For the most part, the shift won’t be a significant technical hurdle; requiring HTTPS, however, is significant.

So far, Facebook has converted 9.6 million users out of close to 700 million to the secure version of their site. For the more technically inclined, HTTPS is often avoided as it can increase latency, although there are various ways to minimize the impact. The new developer roadmap includes the following dates:

  • July 1st – Facebook will release a new PHP and JavaScript SDK which supports OAuth 2.0 and has the new cookie format.
  • September 1st – By now all applications must have migrated to OAuth 2.0 and accept an encrypted auth token (details for which can be found here).
  • October 1st – All canvas applications must accept the new signed_request parameter and have obtained an SSL certificate. What’s not clear is whether or not external sites will be required to have certificates by then.

In the short term it doesn’t mean much, but by the end of the year developers will be forced to cough up for an SSL certificate on their site and convert to the new authentication model (which costs time if nothing else).