Facebook Releases OAuth 2.0-Ready JavaScript SDK, Extends Migration Deadline to October 1st

Today, Facebook announced the release of the new OAuth 2.0-ready version of its JavaScript SDK. This will allow developers to create applications that securely pass User IDs and access tokens. Facebook has pushed back the deadline by which all developers must use the OAuth 2.0 standard from September 1st to October 1st. Facebook has also made some changes to the Developer app to support the migration.

The new JavaScript SDK should become available on Github tomorrow, at which point Facebook will update its reference documentation. Facebook is currently rolling out support for JavaScript OAuth 2.0 across its servers, and those that try upgrading before the roll out finishes may encounter errors.

Facebook experienced some security issues and public scrutiny when it was discovered that some iframe applications were leaking access tokens to unauthorized parties including advertisers. These access tokens could be used to perform actions or extract data from a user’s account without their consent.

While the actual risk to users was low, Facebook accelerated its roadmap for implementing the OAuth 2.0 standard in order to prevent this type of data leak. Facebook planned to have new versions of both the PHP and JavaScript SDKs available by July 1st, with completion of the migration to the security standard planned for July 1st. The PHP SDK was released early, but technical issues delayed the JS SDK’s release until today, prompting the deadline extension.

OAuth 2.0 support is opt-in to prevent breakage to apps before developers complete the transition. To enable it, Facebook explains that developers can include an oauth parameter in the object passed to FB.init and set it to true, as in this example:

   FB.init({
     appId : 'YOUR_APP_ID',   // your application's ID
     // other parameters,
     oauth : true             // opt in to OAuth 2.0 behaviour
   });

Setting the parameter to false or omitting it will keep OAuth 2.0 disabled. For more details on how development differs between the old and new JavaScript SDK, see the release announcement blog post.

Facebook has made some modifications to the Developer app. The “OAuth 2.0 for Canvas” setting has been renamed “signed_request for Canvas” to clarify that, when enabled, developers will receive a signed_request parameter. An OAuth Migration setting has been added that, when enabled, indicates the developer has completed the migration to access tokens. Both settings default to disabled.

The Facebook Developer Roadmap now shows that by October 1st, all apps must use OAuth 2.0, expect encrypted access tokens, process signed_request, and have obtained an SSL certificate to allow HTTPS browsing. Once the JavaScript SDK is available, all developers should prepare for this deadline so they have plenty of time to work out bugs.