Facebook OAuth extension ruffles feathers, nixes user access permission

Summary: Facebook has drawn attention from the IETF with a new proprietary extension it developed for an emerging authentication protocol. The extension alters the way user permissions are set for long-life access tokens.


Facebook has developed a non-standard extension to an emerging standard authentication protocol, raising the hackles of some and eliminating the need for end-users to explicitly approve specific ways applications act on their behalf.

Currently, Facebook applications using the site's Offline Access Permission (OAP), contained in the Facebook Graph API, are required to get explicit permission from an end-user to provide an access token that does not expire.

Now, Facebook is migrating developers off OAP and replacing it with a proprietary way to enable the use of access tokens that are initially valid for 60 days but can be extended behind the scenes each time the user accesses the application.

In essence, end-users get similar offline functionality without having to specifically opt into an offline feature. Access tokens expire only if users stop using the app, change their password or deactivate the application.

Offline access allows an application "to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time-period to ensure applications only make requests on behalf of the user when they are actively using the application," according to Facebook.

In order to pull off the behind-the-scenes maneuvers, Facebook has created a proprietary extension for Open Authorization (OAuth) 2.0, an authentication/authorization protocol that is near approval as an official Internet Engineering Task Force (IETF) standard.

That proprietary extension caught the eye of IETF OAuth working group member John Bradley, who also is helping develop a separate protocol based on OAuth called OpenID Connect.

"I don't know why Facebook felt compelled to invent a new way to do this," says Bradley. OAuth 2.0 provides a mechanism to use a "refresh" token to get other access tokens. "Facebook is doing something non-standard."

Bradley says 6-8 months ago Facebook proposed to the OAuth working group a way for the protocol to pass a short-lived access token that in the background could be exchanged for an access token with different properties.

"It was accepted," said Bradley, adding that Google and OpenID Connect have since incorporated that OAuth 2.0 addition. "Facebook could have adopted the way OAuth handled the situation instead of inventing something new."

Facebook has not responded to an email asking about the proprietary extension for OAuth or about the planned migration, which will end May 1 when the changes become permanent.

The company has been supportive of OAuth development.

In May of last year, Facebook said that migrating to OAuth and HTTPS was in the best interest of its end-users and developers. "Having a single standard for authentication and apps served through HTTPS allows us to provide a simpler, more secure, and reliable platform."

In October, OAuth became the official authentication standard for the social site, and in December, Facebook made changes to its "auth APIs" in order to be "compliant with the OAuth spec."

Under its new extension, Facebook will provide "the option to reset expiration times for existing valid access tokens each time a user interacts with an application."

Existing applications that use the no-expiration access tokens provided by OAP will still use those original tokens.

"The expectation was that Facebook was going to adopt the final version of OAuth 2.0 as published by the IETF," said Bradley. "They may still do that, but this is not a helpful sign."
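To make the contrast concrete, here is an added example (not Facebook's or the IETF's code) of a toy server-side token store that implements both lifetime policies the article describes: the standard OAuth 2.0 refresh_token grant, and the reset-expiry-on-user-interaction model, together with the revocation triggers the article lists. The two-hour access-token lifetime, the token format and the user/app names are assumptions for illustration.

```python
# Added example (not Facebook's or the IETF's code): a toy server-side token
# store contrasting the two lifetime policies the article describes.
# Policy A: standard OAuth 2.0 refresh_token grant (RFC 6749, section 6).
# Policy B: one 60-day token whose expiry is reset on each user interaction.
# Both policies revoke everything on password change or app deactivation.
import secrets

DAY = 86400
ACCESS_TTL = 2 * 3600      # assumed short lifetime for policy A access tokens
SLIDING_TTL = 60 * DAY     # 60 days, as stated in the article


class TokenStore:
    def __init__(self):
        self.tokens = {}   # token string -> record
    def _mint(self, user, app, kind, exp):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": user, "app": app, "kind": kind,
                            "exp": exp, "revoked": False}
        return tok

    # Policy A: the code exchange yields an access token plus a refresh token.
    def issue_standard(self, user, app, now):
        return (self._mint(user, app, "access", now + ACCESS_TTL),
                self._mint(user, app, "refresh", None))

    # Token endpoint, grant_type=refresh_token: a fresh access token, same scope.
    def refresh(self, refresh_tok, now):
        t = self.tokens.get(refresh_tok)
        if not t or t["kind"] != "refresh" or t["revoked"]:
            return None
        return self._mint(t["user"], t["app"], "access", now + ACCESS_TTL)

    # Policy B: one long-lived token, extended only by user interaction.
    def issue_sliding(self, user, app, now):
        return self._mint(user, app, "sliding", now + SLIDING_TTL)

    def user_interacted(self, tok, now):
        t = self.tokens.get(tok)
        if t and t["kind"] == "sliding" and self.is_valid(tok, now):
            t["exp"] = now + SLIDING_TTL   # an already-expired token is not revived

    def is_valid(self, tok, now):
        t = self.tokens.get(tok)
        return bool(t) and not t["revoked"] and (t["exp"] is None or now < t["exp"])

    # Password change or app deactivation: kill every token for that user/app.
    def revoke_user(self, user, app=None):
        for t in self.tokens.values():
            if t["user"] == user and (app is None or t["app"] == app):
                t["revoked"] = True
```

Under policy B a token held by an app the user keeps opening never reaches its expiry, so from an audit standpoint revocation events (password change, app deactivation) are the only hard stop worth monitoring.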


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.


  • RE: Facebook OAuth extension ruffles feathers, nixes user access permission

    Facebook implemented the multi token response type per the OAuth 2.0 spec, they have just not officially documented it.
    You can ask for 'response_type=signed_request' and extract the code from the token, then trade that at their Token endpoint for a long-lived access token and, if they wanted to implement it, a refresh_token that would allow the client to get new access_tokens. They do have spec-compliant ways to get a long-lived access token to a client, which they seem to have implemented if not documented.

    Leaving the privacy issues for others to take up, this looks more like confusion on their part than something malevolent.

    Perhaps they need an open standard with documentation for authentication:)

    John B.
    John Bradley (VE7JTB)
  • RE: Facebook OAuth extension ruffles feathers, nixes user access permission

    Facebook's developer documentation is terrible. Nothing indicates the deprecation of offline_access in the docs. In fact, the docs still tell developers to use offline_access for applications that need to post to a page while the user is not online. I have an app that lets users schedule posts for the future, but I see no way to make that work when the new tokens expire in 60 days.