To spare you the time, there is no way to integrate Facebook in a WRT widget at the moment and I don’t see it becoming possible at all. Now, let me share some of the obstacles we stumbled upon and the solutions we came up with while trying to add Facebook functionality to a WRT widget.

As you probably know, the Nokia WRT environment is targeted at web developers familiar with the HTML/CSS/JavaScript set of technologies, who should be able to use that knowledge to create mobile apps. A very neat idea, though not so well implemented, but that might be a topic for another post.

Since Nokia WRT is a mobile web platform, it’s reasonable to look for a solution to this task in the Facebook documentation for mobile web applications. But a WRT widget is not really a web page, in the sense that the HTML file is not served from a web server but is stored and rendered locally on the device. So there isn’t a predefined URL on which a WRT widget is loaded. That’s one of the problems, because when you register an app on Facebook, you need to enter the URL of your web application. That URL is used to ensure that some other web application is not trying to misuse your Facebook application. It is also used in the authentication protocol as the URL to which Facebook redirects the browser after the user has logged in to Facebook. But let’s just use a dummy URL, since libraries for other mobile platforms do the same thing.

The first idea we came up with was to put an iframe in the app and run the authentication flow in it, then intercept the redirect after the user has logged in and get the access token. But that didn’t work, because it would be a security risk: a web developer could get to the user’s Facebook credentials entered in the iframe. So Facebook makes sure that the authentication flow doesn’t work in an iframe.

If we can’t use the iframe, maybe we could use a real URL with some server-side code. In addition to forwarding some parameters between Facebook and the widget, it would redirect the WRT WebKit instance back to the widget after Facebook authentication is done. We’ve actually made a prototype which does that using a neat little trick:

history.go(-history.length+1)

But then we realized that the biggest problem with a WRT widget is that the source code of the widget is public. Anyone can download the wgz package from the mobile device, extract the code and read it. Meaning, anyone can get to the private key of the Facebook application. Game over.
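
A pre-release check for the problem described above, as an added example that is not part of the original post: it opens a widget package as a ZIP archive (which is what a .wgz file is) and flags credential-looking string literals in the files that ship to the device. The pattern, the file names and the sample values are constructed for illustration.

```python
import io
import re
import zipfile

# Hypothetical heuristic: a credential-looking name assigned a long opaque literal.
SECRET_RE = re.compile(
    r"\b([\w.]*(?:secret|private_?key|api_?key)[\w.]*)\s*[:=]\s*[\"']([A-Za-z0-9+/=_-]{16,})[\"']",
    re.IGNORECASE,
)
# Text files that end up readable by anyone who extracts the package.
TEXT_EXTENSIONS = (".js", ".html", ".htm", ".css", ".xml", ".plist", ".json")


def scan_widget_package(package_bytes):
    """Return (file, line_number, name) for every secret-looking literal found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(TEXT_EXTENSIONS):
                continue
            text = archive.read(info).decode("utf-8", errors="replace")
            for line_number, line in enumerate(text.splitlines(), start=1):
                for match in SECRET_RE.finditer(line):
                    findings.append((info.filename, line_number, match.group(1)))
    return findings


def build_sample_package(script_source):
    """Build a constructed, in-memory widget package for the demonstration."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("demo/index.html", "<script src='main.js'></script>")
        archive.writestr("demo/main.js", script_source)
    return buffer.getvalue()


# Constructed sample sources; the values are not real credentials.
LEAKY_JS = 'var appId = "1234567890";\nvar fbAppSecret = "0123456789abcdef0123456789abcdef";\n'
CLEAN_JS = 'var appId = "1234567890";\nvar tokenEndpoint = "https://example.invalid/fb/token";\n'

if __name__ == "__main__":
    for label, source in (("leaky", LEAKY_JS), ("clean", CLEAN_JS)):
        print(label, scan_widget_package(build_sample_package(source)))
```

A finding here means the value has to move out of the package, for example behind server-side code or into a compiled component, which are the two options the post discusses.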

One other option left was to add an APIBridge component and compile the private key in it, but we were already doing too much hacking even without the APIBridge. We decided to drop the whole WRT widget thing and do a QWebKit application instead. Qt has a Facebook Connect library which is actually an iOS/Android port. The transition from WRT Widget to a QWebKit web application was painful in parts, but at least we’ve finished the project with all Facebook functionality needed and without any security holes.

In the meantime, a project appeared on the Nokia forum that should resolve this issue, but it has been empty for a while now. We are looking forward to seeing if anyone comes up with a solution for this one. Until then, we advise you to go with the Qt application.
