As we announced in May, all apps must support OAuth 2.0 for authentication and HTTPS (Canvas and Page Tab apps only) by October 1st. Now that this date has passed, we are moving forward with a plan to remove all non-OAuth endpoints and limit the distribution of Canvas and Page Tab apps that have not provided a Secure URL.
Enabling signed_request and encrypted access token Platform Migrations
Starting today, we are auto-enabling two migrations in the Dev App: signed_request for Canvas and Encrypted Access Token.
With the Encrypted Access Token migration enabled, the format of the access token has changed. The new access token format is completely opaque and you should not take any dependency on the format in your code.
A varchar(255) field will be sufficient to store the new tokens.
Edit on May 3rd, 2013: Token sizes will change over time, so please don't put a size limit on the token. If you're storing tokens in a database, use a variable-size character data type without a specific maximum size; if you're storing them via some other method, use a variable-size string. The tokens are opaque, but they will change size over time. Expect them to both grow and shrink as we make changes.
Encouraging apps to provide a Secure URL
For Canvas or Page Tab apps that do not have a Secure Canvas or Page Tab URL configured, we will begin to show users the following interstitial if they have secure browsing enabled:
Once the Secure Canvas or Page Tab URL field is filled in appropriately, this interstitial will be removed. You can do this in the Dev App by specifying the Secure Canvas URL and Secure Page Tab URL as below:
We may announce other steps in the near future that will limit the distribution of Apps on Facebook that do not support Secure Canvas or Page Tab URLs.
Removing non-OAuth endpoints
oauth:true param in FB.init and using FB.getAuthResponse to obtain the access token.
Please let us know if you have any questions in the comments below.