Tuesday, October 4, 2011

What is (Facebook) Signed Request?

Facebook continues to improve its API and move towards a modern platform, and in the process it is dropping support for OAuth 1.x and for plain (non-HTTPS) HTTP.

Signed Request is another new improvement. Facebook now uses signed_request and has dropped fb_sig. Read on to see what a signed request does for you.

I am going to explain in short what Signed Request does.

When a user uses your Facebook app, Facebook makes an HTTP POST to your canvas URL. In this HTTP POST (a callback notification), Facebook provides you with information such as the user's country and the oauth_token.

In order to secure this payload, Signed Request is used. Using your app's secret, which ONLY you and Facebook know, the payload is hashed together with the secret (a keyed hash) to produce a signature:

signed_request = signature.payload

When you receive the signed_request, you hash the payload with your app's secret yourself and compare the result to the signature. If they do not match, someone has modified the content (e.g. a man-in-the-middle attack), and you must not trust it.
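The verification described above, as an added example that is not code from the original post or from Facebook's SDK. Facebook's documented signed_request format is HMAC-SHA256 computed over the base64url-encoded JSON payload, with the signature also base64url-encoded and the two parts joined by a dot. The app secret and the payload below are constructed for the example; make_signed_request only exists so the verifier can be exercised offline, since in production the signing side is Facebook.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example. A real app secret comes from the Facebook app
# dashboard and must never be shipped to a browser or checked into source control.
APP_SECRET = b"example-app-secret-not-real"


def b64url_decode(data: str) -> bytes:
    """Decode base64url, restoring the padding that signed_request omits."""
    padding = "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data + padding)


def b64url_encode(data: bytes) -> str:
    """Encode as base64url without padding, matching the signed_request wire format."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build 'signature.payload' the way the signing side does (test input only)."""
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{encoded_payload}"


def parse_signed_request(signed_request: str, secret: bytes):
    """Return the decoded payload dict if the signature verifies, otherwise None.

    Every failure path returns None so the caller treats a malformed or tampered
    request exactly like a forged one: the payload is simply not trusted.
    """
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
    except ValueError:
        return None  # no dot separator at all
    try:
        sig = b64url_decode(encoded_sig)
        payload = json.loads(b64url_decode(encoded_payload))
    except ValueError:
        return None  # bad base64 or bad JSON (binascii.Error is a ValueError)
    # Check the algorithm field against what we expect instead of trusting it blindly.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # Recompute the MAC over the encoded payload, exactly as the sender did.
    expected = hmac.new(secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    # compare_digest runs in constant time, so a mismatch does not leak which
    # byte differed through response timing.
    if not hmac.compare_digest(sig, expected):
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample of the kind of data the callback carries.
    sample = {"algorithm": "HMAC-SHA256", "user_id": "12345",
              "user": {"country": "us"}, "oauth_token": "TOKEN-NOT-REAL"}
    sr = make_signed_request(sample, APP_SECRET)
    print("valid   :", parse_signed_request(sr, APP_SECRET) == sample)
    print("tampered:", parse_signed_request(sr + "x", APP_SECRET))
```

The two details worth noting are that the MAC is computed over the encoded payload string, not the decoded JSON, and that the comparison uses hmac.compare_digest rather than ==, since an early-exit string comparison lets an attacker learn the correct signature one byte at a time from response timing.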
