I have been reading the developer blog on Facebook this morning and stumbled across this article saying that all Canvas pages are to use OAuth and SSL.
• an SSL Certificate is required for all Canvas and Page Tab apps (not in Sandbox mode)
• old, previous versions of our SDKs will stop working, including the old JavaScript SDK, old iOS SDK
Does this really mean that any application that has been created before this date will stop working? Am I really going to have to buy an SSL certificate for each application?
Yes, looks like it. They told developers on 11th May 2011:
Today, we are announcing an update to our Developer Roadmap that
outlines a plan requiring all sites and apps to migrate to OAuth 2.0,
process the signed_request parameter, and obtain an SSL certificate by
October 1.
Migration to OAuth 2.0 + HTTPS timeline:
July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.
We believe these changes create better and more secure experiences for users of your app. A migration plan below outlines the potential impact on your apps.
From here:
Please Note: An SSL certificate is not required for user
authentication on your site, Likes, Comments or other things. It's
only used if you want to show your site (or parts of it) inside the
Facebook.com domain.
Once your SSL certificate is installed on your site, you'll simply
need to enter your new secure URL into the "Secure Canvas URL" and
"Secure Tab URL". To obtain and install an SSL Certificate, we've
partnered with The SSL Store in order to make the process as smooth as
possible. SSL Certificates that work with Facebook can be purchased
for as little as $11/year (multi-year) or $18 for just one year.
Purchasing a certificate through The SSL Store takes about 10 minutes
and they have a 30-day money back guarantee.
Below are instructions on how to purchase a new SSL certificate for
your site so that you can use the Facebook Page features without any
issue.
It does seem that you need to have one, and not one per app.
Related
I am using the Facebook SDK. I am getting the following error:
Insecure Login Blocked: You can't get an access token or log in to this app from an insecure page. Try re-loading the page as https://
After studying, I came to know that I have to set 'Enforce HTTPS' as NO under 'Facebook Login > Settings'. But I cannot set Enforce HTTPS as NO. Is this problem on my side? Or does Facebook restrict us to using https instead of http?
Enable Client OAuth Login and write "localhost:3000" in Valid OAuth Redirect URIs.
Save changes. It will automatically change to https://localhost:3000, but it doesn't matter...
And set Status: In Development (THIS IS IMPORTANT!)
Then it will work on your http localhost.
But I cannot set Enforce HTTPS as NO. Is this problem on my side?
https://developers.facebook.com/docs/facebook-login/security:
Enforce HTTPS. This setting requires HTTPS for OAuth Redirects and pages getting access tokens with the JavaScript SDK. All new apps created as of March 2018 have this setting on by default and you should plan to migrate any existing apps to use only HTTPS URLs by March 2019.
Sounds to me like they don’t want you to be able to even start without HTTPS when you are creating a new app now.
Plus, Chrome has recently announced that they will mark all HTTP sites as insecure soon, from version 68 on, that will be released in July 2018. So you’re gonna have to go HTTPS rather sooner than later anyway.
The “big players” of the industry are currently pushing for this big time, whether we want it or not.
If you just enable Client OAuth Login and write just localhost:{port} to Valid OAuth Redirect URIs, it will work.
If you're developing locally with create-react-app, a quick solution is to add
HTTPS=true
to your .env file and just comment it out when you're not testing Facebook login.
It seems like Business apps do not have app modes and instead rely exclusively on access levels. Because of this, you can't set the app to the "Development mode".
All newly created apps start out in Development mode and you should avoid changing it until you have completed all development and testing.
https://developers.facebook.com/docs/development/build-and-test/
https://developers.facebook.com/docs/development/build-and-test/app-modes
However, if you wanna try out your app in a localhost, you need to create a test app, like you can check out in this thread:
How to fix 'Facebook has detected MyApp isn't using a secure connection to transfer information.' error in Laravel
Hello, I'm very new to the app side of things.
I need to know (as it states from the 1st of Oct) that you need a secure URL for page apps. Does that mean you must have SSL running https:// or can you just use http://?
Yes, I believe you have to get an SSL Certificate for your App Page.
From the Facebook Developer Blog - Keeping Users Safe:
As an app developer, you can help us by:
• Acquiring an SSL Certificate. Contrary to some feedback we’ve heard, acquiring an SSL certificate is relatively inexpensive, and the ongoing cost of supporting SSL for most apps is low. The sooner your app supports HTTPS the more secure our platform will become. All Apps on Facebook (Canvas and Page Tabs) must support HTTPS by October 1.
• Reviewing the Authentication guide and implement OAuth. This updated authentication guide walks you through the OAuth 2.0 flow and how to implement OAuth with CSRF protection. Our new OAuth flows provide a more secure and reliable way to obtain access_tokens than our legacy authentication flows. All apps must support the new OAuth flows by September 1.
Here's their Authentication Guide (also linked in their blog post).
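The blog excerpt quoted in this answer asks developers to implement OAuth with CSRF protection. The Node.js sketch below is an added example, not code from the thread or from Facebook's guide: it shows the usual approach of binding a random `state` value to the user's session and checking it on the redirect. The app ID, redirect URI and the plain-object `session` are placeholders and assumptions.

```javascript
const crypto = require('crypto');

// Placeholders (assumptions): substitute your own app ID and HTTPS redirect URI.
const APP_ID = 'APP_ID_PLACEHOLDER';
const REDIRECT_URI = 'https://example.test/fb/callback';

// Step 1: before redirecting to the login dialog, store an unguessable
// state value in the server-side session and echo it in the dialog URL.
function beginLogin(session) {
  const state = crypto.randomBytes(32).toString('hex');
  session.oauthState = state;
  const url = new URL('https://www.facebook.com/dialog/oauth');
  url.searchParams.set('client_id', APP_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('state', state);
  return url.toString();
}

// Step 2: on the redirect back, accept the authorization code only if the
// returned state matches the one issued to this same session.
function handleCallback(session, query) {
  const expected = session.oauthState;
  delete session.oauthState; // single use: a replayed callback fails
  if (typeof expected !== 'string' || typeof query.state !== 'string') {
    return { ok: false, reason: 'missing state' };
  }
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(query.state, 'utf8');
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (typeof query.code !== 'string' || query.code === '') {
    return { ok: false, reason: 'missing code' };
  }
  // Only now is it safe to exchange query.code for an access token server-side.
  return { ok: true, code: query.code };
}

// Constructed walk-through with an in-memory session object.
const demoSession = {};
const demoUrl = beginLogin(demoSession);
const demoState = new URL(demoUrl).searchParams.get('state');
console.log(handleCallback(demoSession, { state: demoState, code: 'constructed-code' }));
```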
I am developing an application in my local machine.
I let users invite their Facebook friends with a Facebook request Dialogue.
The friends then click the link in their Facebook and are directed to the canvas page and then redirected out of Facebook to my local site.
Do I need to have an SSL certificate and if so how can I have one when I am developing locally so I can test my site?
From Facebook Oct.1 deadline blog post, SSL is not required for sandbox apps. So you can continue to develop apps without SSL certificate as long as you enable sandbox in your app.
In my case, temporarily DISABLE the secure browsing setting in 'Account Settings'.
http://gyazo.com/39e4dd5087636ebc3024d2285ab3e33a.png
Forward works great for developing facebook apps locally, supports SSL too.
https://forwardhq.com/in-use/facebook
You need a certificate before October 1st, otherwise your canvas landing page will be blocked by Facebook. If you develop locally and need an SSL cert just for testing, see the following trick for IIS:
http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx
I was wondering what this information means exactly:
October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode).
Does anybody have more detailed information on what will happen on the 1st of October and a tutorial about how we should switch to a secure page tab URL? Will all the applications be inaccessible if we don't do this?
Thank you!
Facebook will not allow adding a new app that doesn't have a secure tab URL (https).
Whether Facebook will remove all old apps that do not have a secure tab URL is not known at the moment.
A tutorial is not needed; the only thing you have to do is to provide https to your apps, in the app's settings.
There are a lot of free SSL certificate providers out there, or maybe your host provides SSL to your webspace.
http://tinyurl.com/3oqxutj