Application authorization and OAuth 2.0-based data signing scheme

    When writing most applications on the Facebook platform, the developer needs access to the user's data: the list of friends, the news feed, links, likes, and so on. Naturally, such information has to be transmitted in a way that guarantees it reaches the right recipient from a specific sender. For this, FB proposes the OAuth 2.0-based signature scheme it developed.

    FB passes data about the current user (or current profile) in the signed_request parameter, namely:
    • algorithm - HMAC-SHA256;
    • user_id - the ID of the current user;
    • oauth_token - an encrypted string that can later be used to access the Graph API, Old REST API or FQL;
    • expires - when oauth_token expires;
    • profile_id - present on a profile tab.

    $_REQUEST['signed_request'] is the concatenation of the HMAC-SHA256 signature, a period (.), and the JSON of the object, both packed in base64url. It looks something like this (all in one string):


    In order for FB to send signed_request to our application, this has to be enabled in the application settings (at the moment it is a beta feature):

    After the user allows the application to access their data, we receive signed_request in every request to our Canvas URL (the address FB fetches the application content from). There are several ways to invoke such a permission dialog:

    1. Redirect.

    Redirect the user to the authorization URL with the following parameters:
    client_id = our Application ID
    &redirect_uri = where to go after permission is granted
    &scope = what rights to request

    A list of possible rights can be found here. If the user grants access, the signed_request we need arrives at redirect_uri.

    2. The FBJS method Facebook.showPermissionDialog.

    For example (when developing an FBML application):

    Facebook.showPermissionDialog('publish_stream,read_stream', callback);

    In this case we see the standard FB dialog requesting rights. If access is granted, callback('publish_stream,read_stream') is called; otherwise callback(null).

    3. Ajax.

    FBJS has an Ajax object with a requireLogin property. If a request sets it to true, the ajax request succeeds only after the user has granted access to their data. For instance:

    var ajax = new Ajax();
    ajax.responseType = Ajax.FBML;
    ajax.ondone = function(data) {
      console.log(data);
    };
    ajax.requireLogin = true;   // the request is sent only once the user has granted access
    ajax.post("");              // the URL of the page to request did not survive in the source

    Here, as in the previous method, the FB dialog is shown. FBJS restricts the developer considerably; in particular, after parsing our FBML it prefixes every variable and function with app<APPLICATION_ID>_, so var ajax becomes var app1234567890_ajax and alert becomes app1234567890_alert. There is a console object, which is effectively the main debugging tool. In the future FB plans to abandon FBML applications in favor of iframes and the JavaScript SDK, which will greatly simplify the development of applications on tabs.

    4. JavaScript SDK

    After initializing the application, call the FB.login method:
    FB.login(function(response) {
      if (response.session) {
        // user successfully logged in
      } else {
        // user canceled login
      }
    });

    The dialog will appear in the browser popup.

    In all cases, something like this appears:

    Having received signed_request, you need to parse it. FB offers the following (these functions are included in the PHP SDK):

    function parse_signed_request($signed_request, $secret) { // $secret - Application Secret
      list($encoded_sig, $payload) = explode('.', $signed_request, 2);

      // decode the data
      $sig = base64_url_decode($encoded_sig);
      $data = json_decode(base64_url_decode($payload), true);

      if (strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        error_log('Unknown algorithm. Expected HMAC-SHA256');
        return null;
      }

      // check sig: the HMAC is computed over the base64url payload string itself, not the decoded JSON
      $expected_sig = hash_hmac('sha256', $payload, $secret, $raw = true);
      if ($sig !== $expected_sig) { // on PHP >= 5.6, hash_equals() gives a constant-time comparison
        error_log('Bad Signed JSON signature!');
        return null;
      }

      return $data;
    }

    function base64_url_decode($input) {
      // $input - base64url: '-' and '_' in place of '+' and '/'
      return base64_decode(strtr($input, '-_', '+/'));
    }

    The parse_signed_request function returns an associative array, one of whose keys is oauth_token. The token can then be used to access the Graph API, Old REST API or FQL. For instance:

    Friends: https://…access_token=...
    News feed: https://…access_token=...
    Wall: https://…access_token=...

    When developing an FBML application on a tab there is one peculiarity: after the user grants permission, a signed_request containing user_id can only be obtained from an ajax request. Otherwise user_id equals profile_id (both are the ID of the current profile, i.e. the page), and oauth_token is "attached" to the page rather than to the user profile.

    Good luck
