Facebook continues to improve its API and move towards a modern platform, and in the process is dropping support for OAuth 1.x and for insecure (plain HTTP) traffic.
Signed Request is another new improvement. Facebook now uses signed_request and drops the old fb_sig parameters. Read this to see what a signed request does for you.
I am going to explain in short what Signed Request does.
When a user uses your Facebook app, Facebook makes an HTTP POST to your canvas URL. In this POST (a callback notification), Facebook provides you with information such as the user's country and an oauth_token.
To protect this payload, a Signed Request is used. Using your app secret, which ONLY you and Facebook know, Facebook computes an HMAC-SHA256 over the base64url-encoded payload with the secret as the key to produce a signature. Both parts are base64url-encoded (without "=" padding) and joined with a dot:
signed_request = signature.payload
When you receive the signed_request, recompute the HMAC over the payload with your app secret and compare it to the signature. If it doesn't match, someone has modified the content (e.g. a man-in-the-middle attack) or the request did not come from Facebook at all, so you must reject it. Two practical caveats: also check that the payload's "algorithm" field is HMAC-SHA256 before trusting the signature, and compare the two MACs with a constant-time comparison rather than plain string equality. And since the whole scheme rests on the app secret, it must never be embedded in client-side JavaScript or shipped in a mobile app.
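Here is the verification described above in working form, as an added example (not code from the original post or from Facebook's own SDK). It assumes the documented signed_request layout: a base64url signature, a dot, and a base64url JSON payload, with the signature being HMAC-SHA256 of the encoded payload string keyed by the app secret. The app secret, the payload contents and the helper `make_signed_request` (used only to construct a sample request offline) are constructed for illustration; in production the signed_request comes from the POST body and only `parse_signed_request` is needed.

```python
import base64
import hashlib
import hmac
import json

# Constructed app secret for the example; a real one comes from the app dashboard.
APP_SECRET = "c0ff33d00d_example_secret"

# Constructed sample payload with the kinds of fields mentioned above.
SAMPLE_PAYLOAD = {
    "algorithm": "HMAC-SHA256",
    "issued_at": 1300000000,
    "user_id": "123456",
    "oauth_token": "AAAB.example.token",
    "user": {"country": "us", "locale": "en_US"},
}


def _b64url_decode(s: str) -> bytes:
    # Facebook strips the "=" padding; restore it before decoding.
    raw = s.encode("ascii")
    raw += b"=" * (-len(raw) % 4)
    return base64.urlsafe_b64decode(raw)


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_signed_request(signed_request: str, app_secret: str):
    """Return the payload dict if the signature verifies, otherwise None."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
    except ValueError:
        return None  # no dot: malformed
    try:
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None  # bad base64 (binascii.Error is a ValueError) or bad JSON
    # Refuse anything that does not claim the expected algorithm, so a forged
    # payload cannot steer us into a weaker or absent check.
    if not isinstance(data, dict):
        return None
    if str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC is computed over the encoded payload string, not the decoded JSON.
    expected = hmac.new(
        app_secret.encode("utf-8"), payload.encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison: plain == leaks timing about the prefix that matched.
    if not hmac.compare_digest(sig, expected):
        return None
    return data


def make_signed_request(data: dict, app_secret: str) -> str:
    """Build a signed_request the way Facebook would (for offline testing only)."""
    payload = _b64url_encode(
        json.dumps(data, separators=(",", ":")).encode("utf-8")
    )
    sig = hmac.new(
        app_secret.encode("utf-8"), payload.encode("ascii"), hashlib.sha256
    ).digest()
    return f"{_b64url_encode(sig)}.{payload}"


def tampered_request(signed_request: str, new_user_id: str) -> str:
    """Keep the original signature but swap the user_id in the payload (an attack)."""
    encoded_sig, payload = signed_request.split(".", 1)
    data = json.loads(_b64url_decode(payload))
    data["user_id"] = new_user_id
    return f"{encoded_sig}.{_b64url_encode(json.dumps(data).encode('utf-8'))}"


if __name__ == "__main__":
    sr = make_signed_request(SAMPLE_PAYLOAD, APP_SECRET)
    print("valid   :", parse_signed_request(sr, APP_SECRET))
    print("tampered:", parse_signed_request(tampered_request(sr, "999"), APP_SECRET))
    print("bad key :", parse_signed_request(sr, "wrong-secret"))
```

The tampered case is the one the post warns about: the attacker keeps Facebook's signature but rewrites the payload, and the recomputed MAC no longer matches. The wrong-secret case covers a request that never came from Facebook. Because the check happens before any field is trusted, a rejected request should be treated as unauthenticated and its oauth_token discarded.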