
Facebook login broken, oauth response serialization changed from CGI parameters to JSON


Today the Facebook oauth login to my website broke. I fired up the debugger and found that parsing the access token was failing. This appears to be because Facebook changed the format of the oauth response. It used to be CGI parameters:

access_token=EAAFO...cBUZD&token_type=bearer&expires_in=5183996

But all of a sudden it appears to be coming over as JSON:

{"access_token":"EAAFO...cBUZD","token_type":"bearer","expires_in":5183996}

The fix in my code looks pretty simple. I just need to change the parser from a CGI parser to a JSON parser and get the same variable that I'm interested in: access_token.

My question is about versioning of this. I don't like it when my site breaks.

Why did Facebook change this? Is this change documented? Is there some sort of versioning on Oauth that I should be using to prevent breakages like this? How do I get notified of future changes to Oauth by Facebook?

The Facebook API upgrade tool does not list any changes that I need to my app for the latest version of the API. In any case, none of the URLs that I'm using for Oauth appear to have a version number embedded in them:

  • https://www.facebook.com/dialog/oauth
  • https://graph.facebook.com/oauth/access_token

Solution

  • As WizKid states, it was announced in the Facebook Developers Changelog two years ago under the title "[Oauth Access Token] Format". Facebook does have a tool that tries to find things that will break because of API changes, but it didn't flag this one.

    You can put API version numbers into Oauth URLs for Facebook. With version numbers, the flow for Facebook login is:

    1. Redirect the user to https://www.facebook.com/v2.9/dialog/oauth with a bunch of required parameters such as your client id, the list of permissions you are requesting, and a return URL.
    2. Facebook lets the user log in, asks them to accept the permissions you requested, and then redirects them back to your site with a "code" parameter.
    3. Server-side you contact https://graph.facebook.com/v2.9/oauth/access_token with that code (and some other stuff) as parameters. Facebook responds with a token.
    4. Server-side you contact https://graph.facebook.com/v2.9/me with that token to request information about the user.

    This is the process that is pretty much documented here: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
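    A small helper for the flow above, added here as an example and not code from the question or the answer: it pins the API version in both URLs and accepts the token response in either the old query-string form or the new JSON form, so a format change fails loudly instead of silently yielding an empty token. Parameter names follow the Facebook Login documentation linked above; the sample responses in the test are constructed from the question.

```python
import json
from urllib.parse import parse_qs, urlencode

# Version string taken from the answer; pinning it keeps the response format stable.
GRAPH_VERSION = "v2.9"


def oauth_dialog_url(client_id, redirect_uri, scope, state):
    """Step 1: build the versioned login dialog URL.

    `state` should be an unguessable per-session value that the callback
    handler compares against the session, so a callback cannot be replayed
    into a different user's session.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": ",".join(scope),
        "state": state,
        "response_type": "code",
    }
    return f"https://www.facebook.com/{GRAPH_VERSION}/dialog/oauth?{urlencode(params)}"


def token_endpoint_url():
    """Step 3: the versioned endpoint the server exchanges the code at."""
    return f"https://graph.facebook.com/{GRAPH_VERSION}/oauth/access_token"


def parse_token_response(body, content_type=""):
    """Return (access_token, expires_in) from either response format.

    Prefers the Content-Type header; falls back to sniffing a leading '{'
    because the old and new bodies are otherwise ambiguous.
    """
    text = body.strip()
    if "json" in content_type.lower() or text.startswith("{"):
        data = json.loads(text)
        token = data.get("access_token")
        expires = data.get("expires_in")
    else:
        fields = parse_qs(text, strict_parsing=True)
        token = fields.get("access_token", [None])[0]
        expires = fields.get("expires_in", [None])[0]
    if not token:
        # Raise rather than return None: an empty token must never reach step 4.
        raise ValueError("token response carried no access_token")
    return token, (int(expires) if expires is not None else None)
```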