When you register a Facebook application you get:
application id: 123455678
application key: hkjhkh3434hkklljk
application secret: jkjljlj1233455jk
For OAuth 2, only the application id (a.k.a. client_id) and the application secret (a.k.a. client_secret) are useful.
What is the purpose of the application key? Is it for some backend purpose? If so, what is the point of exposing it?
I'm just thinking out loud here.
I guess this is only present for backward compatibility, specifically for the old Facebook Connect implementation and the REST API, where the APP_KEY
was used.
As you can see in the FB.init
Javascript-SDK:
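<div id="fb-root"></div>
<script>
  // Hook the SDK is expected to invoke once all.js has finished loading.
  window.fbAsyncInit = function() {
    FB.init({
      // Only the public application id belongs in page source; the
      // application secret (client_secret) must stay on the server.
      appId  : 'YOUR APP ID',
      status : true, // check login status
      cookie : true, // enable cookies to allow the server to access the session
      xfbml  : true  // parse XFBML
    });
  };
  (function() {
    var e = document.createElement('script');
    // Always fetch the SDK over HTTPS. Reusing document.location.protocol
    // downloads it in cleartext on http:// pages, where anyone on the network
    // path can alter the script, and yields an unusable URL on file:// pages.
    e.src = 'https://connect.facebook.net/en_US/all.js';
    e.async = true;
    document.getElementById('fb-root').appendChild(e);
  }());
</script>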
That snippet, which is the code used with the new PHP-SDK, never mentions the apiKey.
Now if you go to the old connect-js example:
// Old Connect-style initialisation: the identifier is passed as apiKey rather than appId.
// It sits in page source, so every visitor can read it and it cannot serve as a secret.
FB.init({ apiKey: '48f06bc570aaf9ed454699ec4fe416df' });
So debugging the connect.facebook.net/en_US/all.js
file (using JSBeautifier):
// Excerpt of the beautified all.js: registers `init` on the FB namespace through FB.provide.
FB.provide('', {
// a: the options object handed to FB.init. This excerpt reads appId, apiKey, logging,
// status, cookie, session, channelUrl and xfbml from it.
init: function (a) {
// Combine the caller's options with logging/status entries of true.
// NOTE(review): FB.copy is not shown, so whether these act as defaults or overrides is unconfirmed.
a = FB.copy(a || {}, {
logging: true,
status: true
});
// appId and apiKey land in the same field; appId wins when both are given.
FB._apiKey = a.appId || a.apiKey;
// Logging is turned off only when the option is falsy and the page URL lacks 'fb_debug=1'.
if (!a.logging && window.location.toString().indexOf('fb_debug=1') < 0) FB._logging = false;
FB.XD.init(a.channelUrl);
// Cookie and session setup is skipped entirely when neither identifier was supplied.
if (FB._apiKey) {
FB.Cookie.setEnabled(a.cookie);
// A session passed in by the caller takes precedence over one read via FB.Cookie.load().
a.session = a.session || FB.Cookie.load();
// Status is 'connected' when a session object exists, otherwise 'unknown'.
FB.Auth.setSession(a.session, a.session ? 'connected' : 'unknown');
if (a.status) FB.getLoginStatus();
}
// XFBML parsing is deferred with a zero-delay timer and runs only if FB.XFBML is present.
if (a.xfbml) window.setTimeout(function () {
if (FB.XFBML) FB.Dom.ready(FB.XFBML.parse);
}, 0);
}
});
You can see here that it checks for the presence of appId
or apiKey.
FB.api then calls the Graph API when its first argument is a string, and the REST API otherwise:
// Excerpt of the beautified all.js: FB.api picks a backend from the type of its first argument.
FB.provide('', {
api: function () {
// A string first argument is forwarded, with all arguments, to the Graph handler.
if (typeof arguments[0] === 'string') {
FB.ApiServer.graph.apply(FB.ApiServer, arguments);
// Any other first argument is forwarded to the REST handler.
} else FB.ApiServer.rest.apply(FB.ApiServer, arguments);
}
});
And:
// Graph handler: the first argument is the path; the remaining arguments are sorted by type
// into method (string), callback (function) and params (object), in any order.
// This function does not set api_key itself; what oauthRequest adds is not shown here.
graph: function () {
var a = Array.prototype.slice.call(arguments),
f = a.shift(),
d = a.shift(),
c, e, b;
// Stops at the first falsy argument, so later arguments are ignored after one.
while (d) {
var g = typeof d;
if (g === 'string' && !c) {
// HTTP method name, normalised to lower case.
c = d.toLowerCase();
} else if (g === 'function' && !b) {
b = d;
} else if (g === 'object' && !e) {
e = d;
} else {
// A second value of an already-seen type, or an unsupported type: log and abandon the call.
FB.log('Invalid argument passed to FB.api(): ' + d);
return;
}
d = a.shift();
}
// Defaults: method 'get', empty params object.
c = c || 'get';
e = e || {};
// Drop one leading slash from the path.
if (f[0] === '/') f = f.substr(1);
// Only methods listed in FB.ApiServer.METHODS are allowed through.
if (FB.Array.indexOf(FB.ApiServer.METHODS, c) < 0) {
FB.log('Invalid method passed to FB.api(): ' + c);
return;
}
FB.ApiServer.oauthRequest('graph', f, c, e, b);
},
// REST handler. e: params object carrying at least `method`; a: optional callback.
// The caller's params object is modified in place (format and api_key are written to it).
rest: function (e, a) {
// Lower-case the method name; a string pattern in replace() swaps only the first '.'.
var c = e.method.toLowerCase().replace('.', '_');
if (FB.Auth && c === 'auth_revokeauthorization') {
// Wrap the callback so a result of true also clears the local session.
var d = a;
a = function (f) {
if (f === true) FB.Auth.setSession(null, 'notConnected');
d && d(f);
};
}
e.format = 'json-strings';
// The identifier stored by FB.init is sent as api_key. It travels from the browser,
// so it is a public identifier and not a credential.
e.api_key = FB._apiKey;
// Methods listed in _readOnlyCalls go to 'api_read', everything else to 'api'.
var b = FB.ApiServer._readOnlyCalls[c] ? 'api_read' : 'api';
FB.ApiServer.oauthRequest(b, 'restserver.php', 'get', e, a);
},
As you can see here, it's used with the old REST API. Quoting the documentation there:
The REST API supports both OAuth 2.0
as well as an older, custom
authorization signature scheme. See
the authentication upgrade guide for
information about how to upgrade your
existing sessions to OAuth 2.0.
So the APP_KEY
is definitely there for backward compatibility!