
Let's say I have a website where I allow users to perform actions (communicate, post photos, etc.) on their friends on my site (they are friends on Facebook). This is private information between User A and User B.

Before the new Open Graph [beta] I would encode as much information as needed in the original POST request. But now Facebook has moved to a more "callback" scheme where I do a simple POST and provide a URL which FB then hits via GET and I provide a series of og: tags to describe the core content - all of this is the information that I would have PREVIOUSLY provided in the first and only POST request.

Herein lies the problem though: I have to provide a completely unauthenticated URL for FB to hit (the GET) and it has to be the same URL the app will use in the Timeline, so I cannot make a special, secure by obscurity URL as the callback, but provide a "friendly" URL (which would require authentication) to be used as the click through URL in the timeline.

Am I understanding this correctly?

EDIT: this would also be a different issue if FB when doing the callback GET would provide some kind of authentication data in the URL or HTTP headers, but after examining the complete HTTP details in the GET request FB is giving us nothing other than a special User-Agent that we can use to differentiate the request.

UPDATE: I believe this question is driving at the same issue. IF we can provide a different og:url on our gibberish "callback" page then it would make things a lot easier.

Can You Have Your OpenGraph Object Link to a Different URL?

Cody Caughlan

1 Answer

Are you sure open graph is the best solution for your application?

By definition the actions go into a user's timeline, so if you simply want to share a generic action "i.e. Ted answered Cody's question" but not link to that answer as it is private, why not build a static page with the generic information in og: tags and place your link back to that? This way you can share the activity without exposing the details.

In our application many postings occur in inaccessible pages so we've altered public pages to dynamically expose the right og: data when Facebook goes looking. It's not perfect as users can see it but this way we can show nothing for a private entry and everything on a public one.

Ted S
  • Well, I think OG is the right approach. I mean, the approach is still to leverage Facebook's inherent security controls and privacy, so our action is not truly private between User A and User B - it should be visible by mutual friends, etc. Or whichever privacy level we decide to use. That being said, this new OG approach implies I make a TRULY public URL to describe this interaction between User A and User B. Of course, to make these URLs not guessable means I have to make them secure by obscurity and use random seeming URLs (?) – Cody Caughlan Sep 27 '11 at 16:00
  • We do want our action information to be visible across the graph as defined by User A and User B - mutual friends, friends of friends, etc. – Cody Caughlan Sep 27 '11 at 16:03
  • My point is this: we're NOT trying to do anything different than the previous Graph API - it's just that the new OG model implies we make "public" URLs (e.g. ones not behind any kind of authentication) for "private" information that was previously specified in the run-time `POST /wall` or whatever. Facebook has required us to increase exposure. I just find that odd – Cody Caughlan Sep 27 '11 at 16:05
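
The pattern discussed in this thread (an unguessable object URL whose unauthenticated GET returns only generic og: data for a private entry and full data for a public one), as an added example that is not part of the original posts. The in-memory store, function names, field names, `example.com` base URL and the `og:type` value are assumptions made for illustration.

```python
import html
import secrets

# Constructed in-memory store (token -> object); a real app would use its database.
OBJECTS = {}

def create_object(actor, friend, detail, private):
    """Store an action under a random URL token (16 bytes = 128 bits of entropy)."""
    token = secrets.token_urlsafe(16)
    OBJECTS[token] = {"actor": actor, "friend": friend,
                      "detail": detail, "private": private}
    return token

def og_tags(token, base_url="https://example.com/a/"):
    """Build the og: meta tags served to ANY unauthenticated GET of the object URL.

    Returns None for an unknown token so the caller can answer 404.
    The crawler's User-Agent is deliberately not consulted: it is a
    client-supplied header, so it cannot serve as an access control.
    """
    obj = OBJECTS.get(token)
    if obj is None:
        return None
    if obj["private"]:
        # Generic activity only; the private detail never reaches the public page.
        title = "%s shared something with %s" % (obj["actor"], obj["friend"])
        description = "Sign in to view."
    else:
        title = "%s posted to %s" % (obj["actor"], obj["friend"])
        description = obj["detail"]
    tags = [
        ("og:type", "website"),
        ("og:url", base_url + token),  # same URL the timeline links to
        ("og:title", title),
        ("og:description", description),
    ]
    # Escape every value: names and details are user-controlled input.
    return "\n".join(
        '<meta property="%s" content="%s">' % (prop, html.escape(value, quote=True))
        for prop, value in tags
    )

if __name__ == "__main__":
    t = create_object("User A", "User B", "Photo from the lake", private=True)
    print(og_tags(t))
```

The click-through page behind the same URL can still require a login before showing the full content to a person; only the og: metadata has to be readable without one.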