test.ical.ly | getting the web by the balls

Apr/11

11

Beware! Pure server side authentication/authorization for Facebook canvas apps simply does not work

If you want to develop a Facebook application that runs within the Facebook frame, you need to write a canvas app. The first thing you will want to do is let your user authenticate and authorize your app.

There are two documented ways to do that: client side using JavaScript, and server side with whatever language you choose.

The catch is that a pure server side solution simply doesn't work.

I should probably point out that what I describe is true at the moment of writing but can change quickly. Over the past two months the most important thing I learned about Facebook is that it changes frequently.

Move fast. Break things.

That’s the Facebook motto and they mean it.

However, currently server side authentication is broken. Not technically broken, but conceptually.

Technically everything works as expected. But when the user is new to your application and you redirect him from the server to the authentication dialog, the redirect happens inside the canvas iframe, and the user is presented with the following image instead of the dialog.

Clicking on the image then forwards the user to the authentication / authorization process. With this extra step you will definitely lose some potential users, especially as the image and the text don't make it clear what happens next.

If the user then decides to click on the image he will be presented with the authorization dialog in which he can allow or deny the permissions your application requested.

When the user authorizes your app, the next conceptual error takes place. Instead of redirecting to your application on the Facebook domain, the user is redirected to the application on your own domain, without the Facebook frame around it. So even though the user has now authorized your app, the user experience suffers badly.

If you search the internet for this problem you will find loads of other people who have the same issue, and at the recent Facebook Hack Berlin it was already known as a common problem that people raise.

Simon Cross's answer was to use JavaScript. He is right of course, and this will work, but then the process is no longer a server side one.

Keep fingers crossed that Facebook will eventually tackle this.




  • dmp

    Follow the examples in the auth guide. They work fine in canvas apps. The issue in the post is because you are not redirecting the right frame to the oauth dialog or the redirect.

  • http://test.ical.ly Christian

    Redirecting the right frame (top), however, can only be done client side via JavaScript.

  • http://www.takwing.idv.hk/tech/fb_dev/index.php Tak Wing

    What's wrong with doing the redirect at the client side?

  • http://test.ical.ly Christian

    Well, if you try to integrate Facebook permissions with a server side security framework like, e.g., Java Spring, you want to trigger the dialog from the server side directly, without first sending an HTML page that includes some JavaScript.

  • Pingback: • Build a Symfony2 Facebook Canvas App with Progressive Permissions Management using CaeferFacebookCanvasAppBundle | test.ical.ly
