This is a good time to remind ourselves: Facebook's API is a service and can be a single point of failure for your business. Unlike AWS, you don't even pay for it, and it has a history of being problematic[1].<p>Allowing users to log in to your application using Facebook is quite common. It can be easier for users. It can give you access to demographic data with less work. But the API can die, change, or act generally unpredictably. And you have zero control over it.<p>This particular issue is impacting 9gag, Pinterest and others. Whilst many of these sites support user logins without Facebook, just as many of them don't. Imagine if tomorrow Facebook charges to connect to their API or there's some extreme exploit. How much damage would your application face?<p>[1]: <a href="http://techcrunch.com/2011/08/11/facebook-wins-worst-api-in-developer-survey/" rel="nofollow">http://techcrunch.com/2011/08/11/facebook-wins-worst-api-in-...</a>
For omniauth/rails people out there, we found this to work.<p><pre><code># config/initializers/omniauth.rb (omniauth-facebook)
Rails.application.config.middleware.use OmniAuth::Builder do
  # Point the OAuth2 client at the Graph API explicitly; :token_url is resolved relative to :site
  fb_options = {}
  fb_options[:client_options] = {
    :site          => 'https://graph.facebook.com',
    :authorize_url => 'https://www.facebook.com/dialog/oauth',
    :token_url     => '/oauth/access_token'
  }
  # api_key / secret_key are your Facebook app id and app secret
  provider :facebook, api_key, secret_key, fb_options
end</code></pre>
I wonder if Facebook stores its password in clear-text, since you can login with either 'Password' or 'password'. Does it hash the first character and the rest into 2 different hashes? If not, we have our passwords in readable form in their database, which has huge privacy and security issues.
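An added example (not the commenter's code, and not a description of Facebook's actual implementation) showing how a site can accept 'Password' for a stored 'password' while keeping only one salted hash: the case variants are generated from the login attempt and each one is hashed and compared, so the database never needs the clear-text value. It uses PBKDF2 from Ruby's standard openssl library as a stand-in for whatever password hash the site really uses; the variant set (as typed, first letter case-swapped, Caps Lock inverted) is my assumption, going one step beyond the two variants mentioned above.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000
KEY_LEN    = 32

def pbkdf2(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, 'sha256')
end

# At registration: store ONE salted hash of the password exactly as typed.
# Nothing about the other accepted spellings is stored.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  { salt: salt, digest: pbkdf2(password, salt) }
end

# Candidate spellings of the *login attempt* (assumed variant set):
# as typed, first character case-swapped, and the whole string
# case-swapped (what a stuck Caps Lock key produces).
def login_variants(typed)
  variants = [typed]
  variants << (typed[0].swapcase + typed[1..-1]) unless typed.empty?
  variants << typed.swapcase
  variants.uniq
end

# Constant-time equality for two byte strings of equal length,
# so the comparison does not leak where the first mismatch is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# At login: hash every accepted variant of what was typed and compare
# each against the single stored digest.
def verify_password(typed, record)
  login_variants(typed).any? do |candidate|
    secure_equal?(pbkdf2(candidate, record[:salt]), record[:digest])
  end
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password('Password')           # constructed sample credential
  %w[Password password pASSWORD PASSWORD].each do |attempt|
    puts "#{attempt.ljust(10)} -> #{verify_password(attempt, record)}"
  end
end
```

The cost of this leniency is that every online guess now tests up to three spellings, so the effective guess budget an attacker gets from a rate limit is tripled; that is a trade-off to make deliberately, not a sign that the clear-text password is stored.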
I was having lunch recently with a few developers, and the topic of "What is the worst API you ever had to work with" came up. The unanimous answer was immediately "Facebook". Everything from the documentation, to multiple ways to do similar things (each of them incompletely documented), to deprecations that never actually go away, to arbitrary breaking changes.
I have to admit that I sort of struggled to understand what Facebook were trying to communicate to me when that message popped up on my account.<p>Maybe if you worked with the Facebook login system / followed their API frequently it would have made sense. For someone who once integrated Facebook logins into their site it felt a little bit cryptic.