Facebook OAuth extension ruffles feathers, nixes user access permission

Facebook has drawn attention from the IETF with a new proprietary extension it developed for an emerging authentication protocol. The extension alters the way user permissions are set for long-life access tokens.

Facebook has developed a non-standard extension to an emerging standard authentication protocol, raising the hackles of some and eliminating the need for end-users to explicitly approve specific ways applications act on their behalf.

Currently, Facebook applications using the site's Offline Access Permission (OAP), contained in the Facebook Graph API, are required to get explicit permission from an end-user to provide an access token that does not expire.

Now, Facebook is migrating developers off OAP and replacing it with a proprietary way to enable use of access tokens initially valid for 60 days but with the capability to be extended behind-the-scenes each time the user accesses the application.

In essence, end-users get similar offline functionality without having to specifically opt into an offline feature. Access tokens expire if users stop using the app, change their password, or deactivate the application.

Offline access allows an application "to perform authorized requests on behalf of the user at any time. By default, most access tokens expire after a short time-period to ensure applications only make requests on behalf of the user when they are actively using the application," according to Facebook.

In order to pull off the behind-the-scenes maneuvers, Facebook has created a proprietary extension for Open Authorization (OAuth) 2.0, an authentication/authorization protocol that is near approval as an official Internet Engineering Task Force (IETF) standard.

That proprietary extension caught the eye of IETF OAuth working group member John Bradley, who also is helping develop a separate protocol based on OAuth called OpenID Connect.

"I don't know why Facebook felt compelled to invent a new way to do this," says Bradley. OAuth 2.0 provides a mechanism to use a "refresh" token to get other access tokens. "Facebook is doing something non-standard."

Bradley says 6-8 months ago Facebook proposed to the OAuth working group a way for the protocol to pass a short-lived access token that in the background could be exchanged for an access token with different properties.

"It was accepted," said Bradley, adding that Google and OpenID Connect have since incorporated that OAuth 2.0 addition. "Facebook could have adopted the way OAuth handled the situation instead of inventing something new."

Facebook has not responded to email asking about the proprietary extension for OAuth, or about the planned migration, which ends May 1, when the changes become permanent.

The company has been supportive of OAuth development.

In May of last year, Facebook said that migrating to OAuth and HTTPS was in the best interest of its end-users and developers. "Having a single standard for authentication and apps served through HTTPS allows us to provide a simpler, more secure, and reliable platform."

In October, OAuth became the official authentication standard for the social site, and in December, Facebook made changes to its "auth APIs" in order to be "compliant with the OAuth spec."

Under its new extension, Facebook will provide "the option to reset expiration times for existing valid access tokens each time a user interacts with an application."

Existing applications that use the no-expiration access tokens provided by OAP will still use those original tokens.
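The two lifetime models the article contrasts, the standard OAuth 2.0 refresh-token exchange Bradley describes and the sliding 60-day expiry that is reset each time the user interacts with the app, behave quite differently for the bearer token itself. The following is an added, constructed model written for this article; it is not Facebook's code or the Graph API, and the one-hour access-token lifetime, the 60-day refresh-token lifetime, the `TokenServer` class and the user and app names are all assumptions chosen for illustration. It also applies the article's three invalidation triggers (inactivity, password change, app removal) to both policies.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

DAY = 86_400
SLIDING_WINDOW = 60 * DAY    # 60-day window that use resets, as the article describes
SHORT_LIVED = 3_600          # assumed: 1-hour access token under the refresh policy
REFRESH_LIFETIME = 60 * DAY  # assumed: lifetime of the separate refresh token


@dataclass
class Token:
    user: str
    app: str
    kind: str          # "sliding", "access" or "refresh"
    expires_at: float
    password_gen: int  # password generation current when the token was issued


@dataclass
class TokenServer:
    """Constructed authorization server holding both policies side by side."""
    now: float = 0.0
    password_gen: dict[str, int] = field(default_factory=dict)
    installed: set[tuple[str, str]] = field(default_factory=set)
    tokens: dict[str, Token] = field(default_factory=dict)

    def install(self, user: str, app: str) -> None:
        self.installed.add((user, app))
        self.password_gen.setdefault(user, 0)

    def _mint(self, user: str, app: str, kind: str, lifetime: float) -> str:
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(user, app, kind, self.now + lifetime,
                                   self.password_gen[user])
        return value

    def issue_sliding(self, user: str, app: str) -> str:
        return self._mint(user, app, "sliding", SLIDING_WINDOW)

    def issue_refresh_pair(self, user: str, app: str) -> tuple[str, str]:
        return (self._mint(user, app, "access", SHORT_LIVED),
                self._mint(user, app, "refresh", REFRESH_LIFETIME))

    def _live(self, value: str) -> Token | None:
        tok = self.tokens.get(value)
        if tok is None or self.now >= tok.expires_at:
            return None  # unknown, or inactive past its window
        if (tok.user, tok.app) not in self.installed:
            return None  # user removed the application
        if tok.password_gen != self.password_gen[tok.user]:
            return None  # password changed after issuance
        return tok

    def resource_request(self, value: str) -> bool:
        """A bearer-token call on the user's behalf; the only place use resets expiry."""
        tok = self._live(value)
        if tok is None or tok.kind == "refresh":
            return False  # a refresh token is never accepted at the resource server
        if tok.kind == "sliding":
            tok.expires_at = self.now + SLIDING_WINDOW  # interaction restarts the 60 days
        return True

    def refresh_access(self, refresh_value: str) -> tuple[str, str] | None:
        """Token-endpoint exchange: refresh token -> new pair; the old one is retired."""
        tok = self._live(refresh_value)
        if tok is None or tok.kind != "refresh":
            return None
        del self.tokens[refresh_value]
        return self.issue_refresh_pair(tok.user, tok.app)

    def change_password(self, user: str) -> None:
        self.password_gen[user] += 1

    def remove_app(self, user: str, app: str) -> None:
        self.installed.discard((user, app))


def demo() -> dict[str, bool]:
    """Walk both policies through the same timeline; returns the observations."""
    srv = TokenServer()
    srv.install("alice", "calendar-app")
    sliding = srv.issue_sliding("alice", "calendar-app")
    access, refresh = srv.issue_refresh_pair("alice", "calendar-app")
    out: dict[str, bool] = {}
    srv.now = 59 * DAY
    out["sliding_alive_day59"] = srv.resource_request(sliding)          # window now ends day 119
    out["short_access_dead_day59"] = srv.resource_request(access)       # 1-hour token long gone
    out["refresh_rejected_at_resource"] = srv.resource_request(refresh)
    pair = srv.refresh_access(refresh)
    out["refresh_exchange_ok"] = pair is not None and srv.resource_request(pair[0])
    out["old_refresh_retired"] = srv.refresh_access(refresh) is None
    srv.now = 100 * DAY
    out["sliding_alive_day100"] = srv.resource_request(sliding)         # kept alive by use
    srv.change_password("alice")
    out["sliding_dead_after_pw_change"] = srv.resource_request(sliding)
    out["refresh_dead_after_pw_change"] = srv.refresh_access(pair[1]) is None
    srv.remove_app("alice", "calendar-app")
    out["nothing_after_removal"] = srv.resource_request(srv.issue_sliding("alice", "calendar-app"))
    return out
```

The design point the model makes visible: under the sliding policy the same bearer token that every resource request carries is the credential whose lifetime keeps growing, so any copy of it stays usable as long as someone keeps presenting it, whereas under the refresh policy the long-lived credential is only ever sent to the token endpoint and each exchange retires it, so a leaked access token is worth at most its short window.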

"The expectation was that Facebook was going to adopt the final version of OAuth 2.0 as published by the IETF," said Bradley. "They may still do that, but this is not a helpful sign."
