Last week, for some reason, I had multiple requests for an example of ColdFusion and OAuth integration. I ended up creating quick demos for Facebook, LinkedIn, and Google. This week I’ll be blogging each in turn in the hopes that these entries can help others. Today, I’m going to share the Facebook code. Before I begin, I want to warn folks. I wrote this code very quickly. It is not optimized. Also, the person I was helping was on ColdFusion 8. So the code isn’t exactly what I’d call up to date. Of course, it will run just fine with ColdFusion 10. I typically assume that folks take my code samples here as just that - code samples - but I wanted to be more clear that this code would probably not be exactly best practices.
To begin, ensure you have access to Facebook’s Developer portal (developer.facebook.com) and create a new application.
You can call it whatever you want, but the name should reflect your site in some way. Users will see this when your app launches so make it familiar. You can ignore the other two options.
On the next page, make note of your App ID and App Secret:
Click on “Website with Facebook Login” and enter the URL of your site. You can, and probably should, use a local domain for now; in other words, you can enter something under localhost. Obviously this will change to a production URL once you’re done, but for testing, localhost is fine. Note that the redirect URL you later send in the OAuth request must match what you register here, or Facebook will refuse the request. For my testing I used: http://localhost/testingzone/cf8fb and clicked Save Changes.
That’s it for the Facebook side. Now let’s talk about the OAuth process in general. I’m not going to go very deep into this as OAuth has been discussed elsewhere and my focus here is to demonstrate a ColdFusion example, but at a high level, the process looks like this:
- Your site tells the user that you're going to send them to Facebook to authenticate/connect.
- You create a "special" link that includes some required values in the URL: your App ID (the client_id), the redirect URL Facebook should send the user back to, and the type of response you want (a code). Along with the required values, you can add optional ones. For example, many OAuth providers ask you to spell out exactly what you want to use from the user, i.e., how much private data you require (the scope). Your link will include that, and Facebook will then warn the user, e.g., "This site wants to take your lunch money, read your email, and have relations with your significant other."
- The user clicks and ends up at Facebook.com with an app-specific screen there. See the previous bullet point on how that screen may change.
- The user clicks Yes or No (or approve or whatever).
- Facebook sends the user back to your site. In the URL will be a flag that you can check that will tell you if the user allowed your app. If they did, you will also have a special code. If you included a random state value in your link, it comes back here too; compare it against the value you stored in the session before trusting the code, otherwise anyone can send a victim to your callback URL with an authorization code of their own choosing.
- You take that code, and from your server (using CFHTTP, never from the browser) make a request to Facebook that includes your App Secret, and get back an access token. The App Secret and the access token are both secrets: keep them on the server.
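Here is the whole flow above on a single page, as an added example written for this article rather than the code from the original post. It is in CF8-style tags, since that is what the person being helped was on. The Facebook endpoint URLs, the `scope` value, the placeholder App ID/App Secret, the redirect URL, and the shape of the token response (the code accepts either a form-encoded body or JSON) are all assumptions; check them against the current Facebook Login documentation. It also assumes session management is enabled for the application.

```cfml
<!--- Added example, not the original post's code. Save as the page registered as the redirect URL. --->
<!--- Assumption: a bare demo app with sessions turned on. Drop this tag if you have an Application.cfc. --->
<cfapplication name="cf8fb_oauth_demo" sessionmanagement="true">

<!--- Assumptions: placeholder credentials and the redirect URL registered in the Facebook app settings. --->
<cfset appId = "YOUR_APP_ID">
<cfset appSecret = "YOUR_APP_SECRET">   <!--- server-side only; never put this in a link or in HTML --->
<cfset redirectUri = "http://localhost/testingzone/cf8fb/index.cfm">

<!--- Assumption: endpoint URLs as documented by Facebook at the time; verify against current docs. --->
<cfset authEndpoint = "https://www.facebook.com/dialog/oauth">
<cfset tokenEndpoint = "https://graph.facebook.com/oauth/access_token">

<cfif not structKeyExists(url, "code") and not structKeyExists(url, "error")>
    <!--- Step 1: build the "special" link. The state value is random, remembered in the
          session, and checked when the user comes back, so a forged callback is rejected. --->
    <cfset session.oauthState = hash(createUUID() & rand("SHA1PRNG"), "SHA-256")>
    <cfset authUrl = authEndpoint
        & "?client_id=" & urlEncodedFormat(appId)
        & "&redirect_uri=" & urlEncodedFormat(redirectUri)
        & "&response_type=code"
        & "&scope=" & urlEncodedFormat("email")      <!--- assumption: ask only for the email permission --->
        & "&state=" & urlEncodedFormat(session.oauthState)>
    <cfoutput>
        <p>We are going to send you to Facebook to connect this site to your account.</p>
        <p><a href="#authUrl#">Connect with Facebook</a></p>
    </cfoutput>
    <cfabort>
</cfif>

<!--- Step 2: the user is back. Facebook puts "error" in the URL when they said no. --->
<cfif structKeyExists(url, "error")>
    <cfoutput><p>Facebook login was not completed: #htmlEditFormat(url.error)#</p></cfoutput>
    <cfabort>
</cfif>

<!--- Reject the callback unless the state matches what we stored. compare() is case-sensitive. --->
<cfif not structKeyExists(session, "oauthState")
      or not structKeyExists(url, "state")
      or compare(url.state, session.oauthState) neq 0>
    <cfthrow message="OAuth state mismatch; ignoring callback.">
</cfif>
<cfset structDelete(session, "oauthState")>   <!--- one-time use --->

<!--- Step 3: trade the code for an access token. This runs on the server and carries the App Secret. --->
<cfhttp url="#tokenEndpoint#" method="post" result="tokenResponse" timeout="10">
    <cfhttpparam type="formfield" name="client_id" value="#appId#">
    <cfhttpparam type="formfield" name="client_secret" value="#appSecret#">
    <cfhttpparam type="formfield" name="redirect_uri" value="#redirectUri#">
    <cfhttpparam type="formfield" name="code" value="#url.code#">
</cfhttp>

<cfif tokenResponse.statusCode does not contain "200">
    <cfthrow message="Token exchange failed: #tokenResponse.statusCode#">
</cfif>

<!--- Assumption: the body is either JSON or a form-encoded string like access_token=...&expires=... --->
<cfif isJSON(tokenResponse.fileContent)>
    <cfset tokenData = deserializeJSON(tokenResponse.fileContent)>
<cfelse>
    <cfset tokenData = structNew()>
    <cfloop list="#tokenResponse.fileContent#" delimiters="&" index="pair">
        <cfset tokenData[listFirst(pair, "=")] = urlDecode(listRest(pair, "="))>
    </cfloop>
</cfif>

<cfif not structKeyExists(tokenData, "access_token")>
    <cfthrow message="Facebook did not return an access token.">
</cfif>

<!--- Keep the token server-side; use it from CFHTTP calls to the Graph API, never echo it to the page. --->
<cfset session.fbAccessToken = tokenData.access_token>
<p>Connected. Your access token has been stored in your session.</p>
```

Two things to keep when you move this into a real application: keep the state check (it is what stops someone from logging your user into an account they control), and keep the token exchange on the server so the App Secret and the access token never reach the browser.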