Violet Hill

Sunil Arora

Jul 28 / 9:07am

Parsing signed_request parameter in Python based Facebook Canvas application

Recently Facebook announced a new way of passing information about the user who is viewing your Facebook canvas application: the "signed_request" parameter, which is implemented on top of a new signature scheme based on the OAuth 2.0 proposal. The Facebook documentation describes "signed_request" as follows:

The signed_request parameter is a simple way to make sure that the data you're receiving is the actual data sent by Facebook. It is signed using your application secret which is only known by you and Facebook. If someone were to make a change to the data, the signature would no longer validate as they wouldn't know your application secret to also update the signature.

Facebook's python-sdk does not support parsing this request parameter. Today at work, I had to write this code snippet for parsing "signed_request", so I thought of sharing it here.

I know there is some cryptic code in base64_url_decode because translate and maketrans do not work that well with unicode strings. Anyways, if you have any questions, just drop a line in the comments below or message me @_sunil_.
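An added example of the verification described above, written for Python 3; it is not the author's original snippet. It assumes the token is two base64url segments (signature, then JSON payload) joined by a dot and signed with HMAC-SHA256 under the application secret. `make_signed_request` and the secret are constructed here only to give the parser a sample input.

```python
import base64
import hashlib
import hmac
import json


def base64_url_decode(data):
    """Decode URL-safe base64 whose '=' padding has been stripped."""
    data = data.encode("ascii") if isinstance(data, str) else data
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def parse_signed_request(signed_request, app_secret):
    """Return the payload dict if the signature verifies, else None."""
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        sig = base64_url_decode(encoded_sig)
        payload = json.loads(base64_url_decode(encoded_payload))
    except (ValueError, UnicodeError):
        return None  # malformed token: wrong shape, bad base64 or bad JSON
    if not isinstance(payload, dict):
        return None
    # Pin the algorithm; never let the token choose how it is verified.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The MAC covers the still-encoded payload segment, keyed by the app secret.
    expected = hmac.new(app_secret.encode("utf-8"),
                        encoded_payload.encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(sig, expected):
        return None
    return payload


def make_signed_request(payload, app_secret):
    """Build a token the way the sender would (constructed sample only)."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    mac = hmac.new(app_secret.encode("utf-8"), body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(mac).rstrip(b"=") + b"." + body).decode()


if __name__ == "__main__":
    SECRET = "constructed-app-secret"  # placeholder, not a real secret
    token = make_signed_request({"algorithm": "HMAC-SHA256", "user_id": "42"}, SECRET)
    print(parse_signed_request(token, SECRET))
    print(parse_signed_request(token, "wrong-secret"))
```

Treat a `None` result as an unauthenticated request and do not read any field from the token before the signature has been checked.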

18 comments

Sep 24, 2010
Mark Lavin said...
Thanks for this post. You saved me from converting their php to python. Just wanted to give you a heads up that I submitted this as an issue against the python-sdk on github referencing your gist.

http://github.com/facebook/python-sdk/issues/#issue/34

Oct 14, 2010
Dave Barker said...
Thanks for sharing this, very handy!
Oct 24, 2010
Jeffrey Paul said...
Excellent work and excellent code. Is it public domain?
Oct 25, 2010
Sunil Arora said...
@jeffery @dave @mark, glad that you guys found it useful. That was the intention of sharing this code.

@mark thanks for posting it to python-sdk on github.

@jeffery yes the code is in public domain.

Nov 13, 2010
Toby said...
I've been trying to work out how on earth to do this for the last week or so! Thank you VERY much for the code snippet! One step closer to server-side Facebook authentication checking!
Dec 26, 2010
aditya tiwari said...
You saved me a few mins, thanks
Jan 09, 2011
haxpor said...
Thanks Arora,
Also, I would like to know when Facebook posts this piece of data, "signed_request", back to the application?
Jan 20, 2011
ashis said...
Do you have an md5 version of that? I cannot get hashlib on my server because of some constraint.
Feb 05, 2011
adamJLev said...
Thanks, you just saved me a lot of time!
Feb 26, 2011
Dasha said...
Thank you! Saved me some time too
Mar 04, 2011
Dirk said...
Thanks, exactly what I needed!
Mar 08, 2011
Denis said...
There is a urlsafe_b64decode function in the base64 module that does exactly the same thing
Apr 02, 2011
Kingsley Joseph said...
Thanks very much for this. Saved me at least an hour's work!
Apr 26, 2011
Steve Trefethen said...
Thanks. I'm glad I stumbled into this post as it will save me time like it did others before.

Much appreciated.

Jul 29, 2011
Gijora said...
Thx for sharing this, you made my day!
Sep 29, 2011
Joseph Henrich said...
That's the first bit of facebook oauth2 related code I've seen that *just works*

Much appreciated

Sep 29, 2011
Sunil Arora said...
Thanks Joseph, glad that this blog post has helped so many people :). In fact, the same method can be used to parse the cookie set by the Facebook JS SDK; all you have to do is treat the cookie (fbsr_APPID) as signed_request.
Nov 14, 2011
Alex said...
Thank you!