Friday, May 20, 2011

Facebook Authorization from C# -- OAuth2

This past week Facebook announced plans to turn off the OAuth 1.0 authorized users starting in September. This means we need to bring the RightNow CX product up to their new OAuth 2.0 authorization flow. Based on the information provided to me I assumed this would be a pretty straightforward move and there shouldn't be many problems.  I was only partially right.

Things that needed to be done:

  1. Find a way to upgrade the users who have already authorized RightNow using OAuth 1.0
  2. Move our application authorization to the new OAuth 2 flow.
  3. Move our back end implementation to using the single access_token (and possibly some new APIs)

Upgrading the tokens turned out to be super easy.  Facebook provides a great little upgrade path using curl.

Upgrading the authorization flow seems easy enough.  According to their documentation, I simply direct the application at a website and detect the redirects.  Once it's all done, I have the token and they're "logged in".  Of course I don't want to leave them logged in, so I want to log them out and save the token for future use.  Facebook has always been notoriously bad at giving developers a good way to do this, so in our previous implementation I devised a reasonably clever method that takes advantage of HTTP's stateless nature. I simply grabbed the document object of the browser and cleared all the cookies for facebook.com. This meant that the browser literally could not remember who was logged in, so no matter how Facebook changed their pages it should still work.  Come to find out, in the new authorization flow, this method does not work.  At first I couldn't figure out what the problem was.  It appeared to be logging the user out, but I could not log back in. It turns out there is a different type of cookie I had never heard of, called the HttpOnly cookie.

"The HttpOnly cookie is supported by most modern browsers.  On a supported browser, a HttpOnly cookie will only be used when transmitting HTTP (or HTTPS) requests. In addition, the cookie value is not available to client side script (such as Javascript), thereby mitigating the threat of cookie theft via Cross-Site-Scripting." via Wikipedia.

So, though I was clearing the session of all cookies I could see, I could not clear the HttpOnly cookies.  So when the user went to log back in, it didn't look like there was anyone logged in, but the login was broken for the next user.  I began to search around for some answers and decided it would be good to see how the C# SDK did it.  I dug in just a bit only to find out that they are just directing the user to the logout page for mobile Facebook, which logs the user out.  There are some other suggestions here, but none of them will work for C# since the login was not done with JavaScript.  I'm personally appalled and scared of using this solution, but alas, it seems to be the only one available.
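
The failure described above, reproduced in a small cookie-jar model. This is an added example, not code from the original post: the `CookieJar` class and the cookie names and values are constructed for illustration, and it is written in JavaScript because the behaviour in question is the browser's script-visible cookie view.

```javascript
// Minimal model of a browser cookie jar, enough to show the HttpOnly split.
// All cookie names and values below are constructed for illustration.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  // Called for each Set-Cookie response header (the HTTP side of the jar).
  setFromHeader(header) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    const httpOnly = attrs.some(a => a.toLowerCase() === 'httponly');
    const maxAge = attrs.map(a => /^max-age=(-?\d+)$/i.exec(a)).find(Boolean);
    if (maxAge && Number(maxAge[1]) <= 0) this.cookies.delete(name);
    else this.cookies.set(name, { value, httpOnly });
  }
  // What script reads from document.cookie: HttpOnly entries are left out.
  get documentCookie() {
    return [...this.cookies].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
  // What script writes to document.cookie: it can neither create nor
  // overwrite an HttpOnly entry, so such writes are dropped.
  set documentCookie(str) {
    const name = str.slice(0, str.indexOf('='));
    const existing = this.cookies.get(name);
    if ((existing && existing.httpOnly) || /;\s*httponly/i.test(str)) return;
    this.setFromHeader(str);
  }
  // What the next HTTP request carries: every cookie, HttpOnly included.
  get requestHeader() {
    return [...this.cookies].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}

// The "clear everything I can see" logout: expire each script-visible cookie.
function clearVisibleCookies(jar) {
  for (const pair of jar.documentCookie.split('; ').filter(Boolean)) {
    jar.documentCookie = `${pair.split('=')[0]}=; Max-Age=0`;
  }
}

function demo() {
  const jar = new CookieJar();
  jar.setFromHeader('locale=en_US; Path=/');                     // constructed
  jar.setFromHeader('session=abc123; Path=/; Secure; HttpOnly'); // constructed
  const before = jar.documentCookie;
  clearVisibleCookies(jar);
  return { before, afterScript: jar.documentCookie, sentToServer: jar.requestHeader };
}
```

After the script-side clear the jar looks empty from the document object, yet the session cookie is still sent on the next request; only a response from the server (such as its logout page) can expire it.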

Moving our back end implementation was easy enough.  I simply upgraded our php-sdk to the newest version and began using the api function to make the same calls we were using before.  Since we have the access token I can skip the use of the session validation and start making API calls right from the get-go.

All in all the conversion is going well, but I don't know how Facebook has managed to go this long without creating a proper way to programmatically "log out". It makes me sad to be using such an obscure (and seemingly fragile) way to log a user out of Facebook.  If you know of a better way, I'd be open to suggestions.

--Colt



