Things that needed to be done:
- Find a way to upgrade the users who have already authorized RightNow using OAuth 1.0.
- Move our application authorization to the new OAuth 2 flow.
- Move our back end implementation to use the single access_token (and possibly some new APIs).
Upgrading the tokens turned out to be super easy. Facebook provides a great little upgrade path using curl.
Upgrading the authorization flow seems easy enough. According to their documentation, I simply direct the application at a website and detect the redirects. Once it's all done, I have the token and they're "logged in". Of course I don't want to leave them logged in, so I want to log them out and save the token for future use. Facebook has always been notoriously bad at giving developers a good way to do this, so in our previous implementation I devised a reasonably clever method that takes advantage of HTTP's stateless nature. I simply grabbed the document object of the browser and cleared all the cookies for facebook.com. This meant that the browser literally could not remember who was logged in, so no matter how Facebook changed their pages it should still work. Come to find out, in the new authorization flow, this method does not work. At first I couldn't figure out what the problem was. It appeared to be logging the user out, but I could not log back in. It turns out there is a different type of cookie I had never heard of, called the HttpOnly cookie.
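Why clearing cookies through the document object leaves part of the session behind, as an added example (not the author's code): a small model of a cookie jar in which script can only see and expire cookies that lack the HttpOnly attribute. The cookie names, values and the example.com domain are constructed for illustration.

```javascript
// Constructed Set-Cookie headers (names, values and domain are made up).
const SAMPLE_HEADERS = [
  "locale=en_US; Domain=.example.com; Path=/",
  "ui_state=collapsed; Domain=.example.com; Path=/; Secure",
  "auth_session=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
];

// Parse one Set-Cookie header into { name, value, httpOnly, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
  const flags = attrs.map((a) => a.split("=")[0].toLowerCase());
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.includes("httponly"),
    secure: flags.includes("secure"),
  };
}

// Minimal model of a browser cookie jar, keyed by cookie name.
function buildJar(headers) {
  const jar = new Map();
  for (const h of headers) {
    const c = parseSetCookie(h);
    jar.set(c.name, c);
  }
  return jar;
}

// What script reads through document.cookie: HttpOnly cookies are omitted.
function documentCookieView(jar) {
  return [...jar.values()]
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Script-side "clear all cookies": expire every cookie that script can reach.
// Writes made through document.cookie cannot overwrite or delete an HttpOnly
// cookie, so those entries stay in the jar. Returns the names left behind.
function clearFromScript(jar) {
  for (const c of [...jar.values()]) {
    if (!c.httpOnly) jar.delete(c.name);
  }
  return [...jar.keys()];
}
```

In this model the HttpOnly cookie survives the script-side clear, so the browser still sends it on the next request; removing it takes a Set-Cookie from the server or the host application's own cookie store.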
Moving our back end implementation was easy enough. I simply upgraded our php-sdk to the newest version and began using the api function to make the same calls we were using before. Since we have the access token, I can skip the use of the session validation and start making API calls right from the get-go.
All in all, the conversion is going well, but I don't know how Facebook has managed to go this long without creating a proper way to programmatically "log out". It makes me sad to be using such an obscure (and seemingly fragile) way to log a user out of Facebook. If you know of a better way, I'd be open to suggestions.