Maintaining privacy when publishing actions to Facebook using Open Graph

For the new Open Graph Protocol to work we push an action by sending a request which includes the objects url to Facebook.

Facebook开发者_高级运维 then sends out it's bot with a special user agent string to get the information about the object.

The information being pushed to Facebook could be user specific (not just a book or recipe) and therefore should only be accessible to the user and their friends.

My question is, other than checking the user agent (easily spoofed) and using tough-to-guess urls for my objects, is there any way to stop people accessing what is essentially private information (via the objects unique url)?

Some examples of objects which might be private... a run, anything to do with weight loss, a photo album.

After plenty more research, I'll have a good go at answering my own question.

If your app contains information you would like to keep private to those who created it (for example a weekly dieting update) you must ensure your object Open Graph urls aren't guessable. That means when you call the api, or do it via curl...

curl -F 'access_token=[access_token]' \
-F 'object=http://example.com/[object_url]' \ 'https://graph.facebook.com/me/[namespace]:[action]'

..you want to ensure that the [object_url] is not guessable. A good way to do that is to include the objects id AND some other unguessable hash / string.

The steps above ensure only you and Facebook will ever know where the objects information is located allowing you to hand it over, and even to update it occasionally. Even if someone did manage to get access to one object url they could still not access any others.

The second part of the security issue is on the graph side, but as you can see from the result of clicking the following link, you must have an access_token to view an application graph object so this is also secure and private:

http://graph.facebook.com/10150300390106292

I hope this helps someone at some point. It confused the hell out of me.

You're going to have to implement a "protection" on your side. Only the authed users should see what you have shared.

In your site design you should consider the display of content on your site based on: Logged out user Facebook user, not a user of your app Facebook user, user of your app, but not allowed to see all of this content Facebook user, user of your app and allowed to see the content

This way you will handel each scenario correctly. You van use the "protected" views to drum up new users of to encourage more sharing in your app.

When a user "adds the app" they will be able to select the sharing rules for this app. You need to make sure that you implement an authority model that is appropriate for your content and how it is shared with between users.