Earlier this year, Facebook announced plans to have its application developers transition to OAuth 2.0. It spent the last few months updating its PHP and JavaScript SDKs.

Unfortunately, their Python SDK was not so lucky. In July, they quietly announced that the Python SDK would be unsupported by Facebook in the future.[1] If you are using the formerly-official Python SDK for Facebook, you need to figure out how to update your applications on your own.

If you built your own OAuth authentication workflow, you can easily modify it using Facebook's authentication documentation (see the "Client-side Flow" section). However, many Python developers constructed their application to work with the JavaScript SDK (because that's what Facebook suggested). Since the OAuth 2.0-compatible JavaScript SDK's source will not be available until December,[2] it is not clear what in the Python SDK needs to be updated.

Since I have a number of web applications that need to be updated, I decided to take a crack at this last week. I quickly deduced that the JavaScript SDK used a different, encrypted cookie format. This meant that the get_user_from_cookie function in the Python SDK would need to be updated.

Previously, the JavaScript SDK created a cookie with a prefix of fbs_. The Facebook user ID and access_token were stored in a plain-text dict. With OAuth 2.0, Facebook is now using a cookie prefix of fbsr_ and encrypting its cookie data. Using the source of the PHP SDK and relying on my experience authenticating with application-specific tokens, I wrote code to decrypt the information in the cookie, send it to Facebook's OAuth endpoint, and return the access_token in the same format (plain-text dict) as the previous Python SDK, so that I was not forced to rewrite the rest of my application.
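As an added illustration (not the fork's code), here is the part of an updated get_user_from_cookie that matters most before anything is sent to Facebook: checking that the cookie really came from Facebook. It assumes the fbsr_ cookie carries the signed_request layout used by the PHP SDK (base64url signature, a dot, base64url JSON payload, HMAC-SHA256 keyed with the app secret); the app secret and cookie values in the test are constructed.

```python
import base64
import hashlib
import hmac
import json

# Assumed layout of the fbsr_<APP_ID> cookie, following Facebook's PHP SDK:
# "<base64url(HMAC-SHA256 signature)>.<base64url(JSON payload)>", with the
# payload carrying "algorithm", "code", "issued_at" and "user_id".

def _b64url_decode(text):
    # Facebook strips the '=' padding, so restore it before decoding.
    data = text.encode("ascii")
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_signed_request(signed_request, app_secret):
    """Return the payload dict only if its HMAC-SHA256 signature verifies."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(payload).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(data, dict) or data.get("algorithm", "").upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(app_secret.encode("utf-8"), payload.encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison; never use user_id from an unverified cookie.
    if not hmac.compare_digest(sig, expected):
        return None
    return data

def get_user_from_cookie(cookies, app_id, app_secret):
    """Same shape as the old helper: a plain dict with the uid, or None."""
    cookie = cookies.get("fbsr_" + app_id)
    data = parse_signed_request(cookie, app_secret) if cookie else None
    if not data or "user_id" not in data:
        return None
    # The "code" is what gets exchanged at Facebook's OAuth endpoint for the
    # access_token (the PHP SDK sends it with an empty redirect_uri); that
    # network round-trip is left to the caller.
    return {"uid": data["user_id"], "code": data.get("code")}

def make_signed_request(payload, app_secret):
    """Constructed test helper: signs a payload the way Facebook does."""
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"), body.encode("ascii"), hashlib.sha256).digest()
    return _b64url_encode(sig) + "." + body
```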

Unfortunately, the code is too long to post here, but you can view it in the pythonforfacebook fork of the Python SDK on Github. I am not certain that it is bug-free, but it seems to work fine on MP3 Gift.


  1. This change came without any warning, after several months of silence. Facebook also deleted the bugtracker on the Python SDK's Github repository, deleting a significant amount of the conversation about the best fixes for errors found in the original code they produced. As you can imagine, this fragmented the community. There are several forks of Facebook's code on Github, but there is no longer any conversation about bugfixing or features, let alone best practices.

    While one of the themes of Facebook's Developer Love initiative is "communication", this significant change was virtually hidden. There was no post on the developer blog announcing the change. The Python SDK's source has still not been updated to warn new developers that it is unsupported. I suspect that the only reason that the bug was updated was to provide sufficient rationale for closing it. 

  2. Like Android, Facebook's JavaScript SDK uses the Apache License 2.0, which does not require releasing newer versions of software under the same license.