Update coming? OAuth 2.0 authentication system???

  • Hi!

    I use WP-FB-Autoconnect! Any plans to update this to the new Login-Mode or should i switch to another plugin!?
    Facebook will block the plugin in the next 48 hours!

    Thanks for your support!
    Maxx

    E-Mail from Facebook when using this Plugin:

    Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties. Allowing user ids and access tokens to be passed to 3rd parties, even inadvertently, could allow these 3rd parties to access the data the user made available to your site. This violates our policies and undermines user trust in your site and Facebook Platform.

    In every case that we have examined, this information is passed via the HTTP Referer Header by the user’s browser. This can happen when using our legacy authentication system and including <iframe>, <img> or <script> content from 3rd parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser. Our current OAuth 2.0 authentication system, released over a year ago, passes this information in the URL fragment, which is not passed to 3rd parties by the browser.

    Please ensure that you are not allowing this data to be passed immediately. Accessing your site as a test user while running a HTTP proxy/monitor like Charles or Fiddler is the best way to determine if you are allowing this information to be passed. If you discover the issue, you can do one of two things:

    1. Migrate your site to use our OAuth 2.0 authentication system. We are requiring all apps and sites to update to this mechanism by Sept. 1, 2011. Migrating now will address this issue and ensure that you are one of the first to meet the deadline. For more details, please see our Authentication Guide.

    2. Create and use an interstitial page to remove the authentication data before redirecting to your page with 3rd party content. This approach is used by many of our largest developers today (although they are all migrating to OAuth 2.0 shortly). This is a simple and straightforwardchange that should have minimal impact on your site. For more details on this approach, see our Legacy Connect Auth doc.

    Because of the importance of ensuring user trust and privacy, we are asking you to complete one of the above steps in the next 48 hours. If you fail to do so, your site may be subject to one of the enforcement actions outlined in our policies.

    If you have any questions or believe you have received this message in error, please contact us.

    Facebook Developer Relations

Viewing 4 replies - 1 through 4 (of 4 total)

  • I received the same notification!

    Thread Starter metalmaxx

    (@metalmaxx)

    The official information from the developers blog you can find here:
    https://developers.facebook.com/blog/post/497

    Does it mean, WP-FB Autoconnect get blocked in the next hours?

    To all WP-FB Autoconnect Users!
    Update:
    On May 15, 2011, Facebook started sending out security warnings for applications that still use the old REST API. Premium users should select the option to “Use the new Graph API” immediately; I will be working to make this a free feature in the near future, hopefully within the next few days. If you have any issues with the new API, please see FAQ33.
    If want to be absolutely certain to get it resolved within 48 hours you can of course purchase the add-on now (as Facebook allowed virtually no time to comply)…but again, I do hope to get it resolved in time, if I can.
    Please do not report this problem to me as I’m aware of it and working to get it fixed.

    Mee too!

    Plugin Author justin_k

    (@justin_k)

    Plugin has been updated to use the new Graph API.

    For future reference, support for this plugin is here:

    https://www.justin-klein.com/projects/wp-fb-autoconnect

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Update coming? OAuth 2.0 authentication system???’ is closed to new replies.