For the new Open Graph Protocol to work, we push an action by sending a request which includes the object's URL to Facebook.
Facebook then sends out its bot with a special user agent string to get the information about the object.
The information being pushed to Facebook could be user specific (not just a book or recipe) and therefore should only be accessible to the user and their friends.
My question is, other than checking the user agent (easily spoofed) and using tough-to-guess URLs for my objects, is there any way to stop people accessing what is essentially private information (via the object's unique URL)?
Some examples of objects which might be private… a run, anything to do with weight loss, a photo album.
After plenty more research, I’ll have a good go at answering my own question.
If your app contains information you would like to keep private to those who created it (for example a weekly dieting update) you must ensure your object Open Graph URLs aren’t guessable. That means when you call the API, or do it via curl…
..you want to ensure that the [object_url] is not guessable. A good way to do that is to include the object's id AND some other unguessable hash / string.
The steps above ensure only you and Facebook will ever know where the object's information is located, allowing you to hand it over, and even to update it occasionally. Even if someone did manage to get access to one object URL they could still not access any others.
The second part of the security issue is on the graph side, but as you can see from the result of clicking the following link, you must have an access_token to view an application graph object so this is also secure and private:
http://graph.facebook.com/10150300390106292
I hope this helps someone at some point. It confused the hell out of me.
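One way to build the "object id AND unguessable string" URLs described in the answer above, as an added example that is not part of the original post. It assumes the unguessable part is an HMAC-SHA256 of the object id under a server-side secret (a random per-object token stored in the database would work equally well); `BASE_URL` and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed base URL for object pages; not from the original post.
BASE_URL = "https://app.example.com/og/run"

# Server-side secret. In a real deployment load it from configuration
# instead of generating it at start-up, so issued URLs survive restarts.
SECRET_KEY = secrets.token_bytes(32)


def object_token(object_id: int, key: bytes = SECRET_KEY) -> str:
    """Return an unguessable token bound to exactly one object id."""
    msg = f"og-object:{object_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_object_url(object_id: int, key: bytes = SECRET_KEY) -> str:
    """Build the URL sent to Facebook: object id plus its token."""
    return f"{BASE_URL}/{object_id}/{object_token(object_id, key)}"


def is_authorized_path(path: str, key: bytes = SECRET_KEY) -> bool:
    """Validate an incoming request path of the form <prefix>/<id>/<token>."""
    prefix = urlparse(BASE_URL).path
    if not path.startswith(prefix + "/"):
        return False
    parts = path[len(prefix) + 1:].split("/")
    if len(parts) != 2 or not (parts[0].isascii() and parts[0].isdigit()):
        return False
    expected = object_token(int(parts[0]), key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(parts[1].encode(), expected.encode())
```

Because the token is derived from the id, a leaked URL for one object does not validate for any other id, and rotating `SECRET_KEY` invalidates every previously issued URL at once.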