Official Facebook PHP SDK – not conforming to the latest platform standard?

The recent “authentication data” email that Facebook sent out should be related to the document Legacy Connect Auth.

We recently announced that all apps and sites must migrate to our OAuth 2.0 authentication mechanism by September 1, 2011. We released our OAuth implementation well over a year ago and many sites have already moved over. Nevertheless, there are a number of sites that still use the our legacy Connect authentication flow (login.php).

One of the issues with the legacy Connect flow is that it is possible for your site to accidentally pass authentication information to third parties. This can happen when including <iframe>, <img> or <script> content from third parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to third parties by the browser. The OAuth 2.0 authentication system passes this information in the URL fragment (or via a server-to-server call), which is not passed to third parties by the browser.

Allowing user ids and access tokens to be passed to third parties, even inadvertently, could allow these third parties to access the data the user made available to your site. This violates our policies and undermines user trust in your site and Facebook Platform.

That’s simple what the email had mentioned.

What draw my attention is that up to now, the PHP SDK has not yet migrated to use OAuth 2.0.  This is probably the reason why there are many sites still use the legacy Connect authentication flow. For the statement that “all apps and sites MUST migrate to OAuth 2.0 authentication mechanism by 1 Sep 2011”, I would suggest adding a conditional statement “or after xx month the PHP SDK is updated to use the OAuth implementation”.  Otherwise, it sounds like that Facebook is telling us NOT TO USE the official PHP SDK!

For other company or platform like Apple, Android, Microsoft, their SDKs are always updated to make use of the latest technology in their platform!  In fact, new SDKs are even released well-before the feature goes LIVE!

It is time to show “Facebook cares about Facebook Developer”. Isn’t it part of “Developer Love” ??

About takwing

A moderator of the Official Facebook Developer Forum.
This entry was posted in Authentication and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *