Facebook OAuth 2.0 and HTTPS Requirements

September 08, 2011 - by badnima

Back in May, Facebook announced their plan to improve overall site security by transitioning authentication to OAuth 2.0 and moving to HTTPS for secure browsing. All externally served sites and apps on Facebook must migrate to OAuth 2.0, process the signed_request parameter, and obtain an SSL certificate by October 1. The migration to OAuth 2.0 will also end support for fb_sig, so be sure to read up on the Signed Request Reference Guide.

For Joyent customers serving apps and games on Facebook, there may be several steps you need to take in addition to the authentication changes outlined above:

  • All apps have to be served via HTTPS. Facebook apps can’t have segregated HTTP and HTTPS, so all apps may have to switch to encrypted protocols. Depending on whether you are running your Facebook application on one server, or a distributed architecture, the steps you need to take may be different.
  • Generally, single server apps with moderate traffic loads won’t require any infrastructure changes. The extra processing load for SSL will be taken care of by the automatic CPU bursting offered on the Joyent Cloud.
  • Applications with high I/O should consider increasing the SmartMachine size for a larger CPU allocation, or adding a Zeus Load Balancer and off-load SSL encryption/decryption.
  • Customers who are already using our Zeus ZXTM traffic controller solution can handle the implementation of SSL across their all of their web servers from one centralized console and SSL management source. This mitigates the need to add compute nodes or capacity. The documentation on the Zeus website is fairly easy to follow.
  • If you don’t have an SSL certificate, there are many vendors that sell secure certificates and have instructions on how to enable SSL on your app/website. There are no IP space changes involved – you just have to ensure that the SSL certificates match your domain names. Also traffic will flow to port 443 rather than port 80 and SSL certificates add an extra encryption/decryption process to all I/O.
  • If you have media assets or objects stored separately on edge services like a CDN (Content Distribution Network), you may have to use a CDN SSL service so you don’t serve mixed SSL/non-SSL pages. Contact your CDN administrator for more information and to discuss the requirement and pricing.
  • To simplify cross-browser compatibility, consider ending support for browsers with older security protocols, such as anything older than IE 7.x, Firefox 5.x and Safari 3.x

If you’re still unclear how to do prepare for the upcoming Facebook changes or need a little help, just file a request with support@joyent.com.