Updating your Python Facebook Application for the October 1st OAuth 2.0 Migration

9 years ago by Martey Dodoo

Earlier this year, Facebook announced plans to have its application developers transition to OAuth 2.0. It spent the last few months updating its PHP and JavaScript SDKs.

Unfortunately, their Python SDK was not so lucky. In July, they quietly announced that the Python SDK would be unsupported by Facebook in the future.[1] If you are using the formerly-official Python SDK for Facebook, you need to figure out how to update your applications on your own.

If you built your own OAuth authentication workflow, you can easily modify it using Facebook's authentication documentation (see the "Client-side Flow" section). However, many Python developers constructed their application to work with the JavaScript SDK (because that's what Facebook suggested). Since the OAuth 2.0-compatible JavaScript SDK's source will not be available until December[2], it is not clear what in the Python SDK needs to be updated.

Since I have a number of web applications that need to be updated, I decided to take a crack at this last week. I quickly deduced that the JavaScript SDK used a different, encrypted cookie format. This meant that the get_user_from_cookie function in the Python SDK would need to be updated.

Previously, the JavaScript SDK created a cookie with a prefix of fbs_. The Facebook user ID and access_token were stored in a plain-text dict. With OAuth 2.0, Facebook is now using a cookie prefix of fbsr_ and encrypting its cookie data. Using the source of the PHP SDK and relying on my experience authenticating with application-specific tokens, I wrote code to decrypt the information in the cookie, send it to Facebook's OAuth endpoint, and return the access_token in the same format (plain-text dict) as the previous Python SDK, so that I was not forced to rewrite the rest of my application.
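The cookie check described above, as an added example that is not from the original post or from any Facebook SDK: it assumes the signed_request layout of the PHP SDK the post refers to (base64url signature, a dot, then a base64url JSON payload authenticated with HMAC-SHA256 under the app secret) and verifies the signature before any field is trusted. The function names, secret and sample payload are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(text):
    """Decode base64url text whose '=' padding was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_signed_request(cookie_value, app_secret):
    """Return the payload dict if the signature verifies, else None."""
    try:
        encoded_sig, encoded_payload = cookie_value.split(".", 1)
        signature = b64url_decode(encoded_sig)
        payload = json.loads(b64url_decode(encoded_payload))
    except (ValueError, AttributeError):  # no dot, bad base64/UTF-8/JSON, not a str
        return None
    if not isinstance(payload, dict):
        return None
    # Pin the algorithm: the cookie must not choose how it is verified.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC covers the encoded payload text, not the decoded JSON.
    expected = hmac.new(app_secret.encode(), encoded_payload.encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        return None
    return payload  # payload["code"] is what is sent to the OAuth endpoint


def make_sample_cookie(payload, app_secret):
    """Build a constructed cookie value for the demo (not real Facebook data)."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    sig = hmac.new(app_secret.encode(), body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(sig).rstrip(b"=") + b"." + body).decode()


SECRET = "constructed-app-secret"  # placeholder, not a real secret
SAMPLE = make_sample_cookie(
    {"algorithm": "HMAC-SHA256", "code": "constructed-code",
     "user_id": "1234", "issued_at": 1317427200}, SECRET)

if __name__ == "__main__":
    print(parse_signed_request(SAMPLE, SECRET))          # verified payload
    print(parse_signed_request(SAMPLE, "wrong-secret"))  # None
```

Treat a None result as "not logged in" and do not fall back to reading user_id from an unverified payload.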