Ken Mazaika

Reputation: 1142

Sharing Facebook Access Tokens Across Apps

I want to provide a service using the Facebook API to third parties. Is it possible for us to share access tokens? If the third party gives my service a user's access token, can I access that user's data even if my app_id & secret do not match the app that requested it?

Should I have the users go through a separate OAuth flow on my site even if they have already completed it for the other third party?

Thanks.

-ken

Upvotes: 2

Views: 7555

Answers (3)

Eugene Fidelin

Reputation: 2319

Even though a user access token is issued only for one app, it can easily be used from any other application.

Example:

  1. Get an access token for the "Graph API Explorer" application here https://developers.facebook.com/tools/explorer/?method=GET&path=me and make a request; you will see your data.
  2. Copy the access token, open another machine or browser, and go to https://graph.facebook.com/me?access_token=[access_token]; you are still able to retrieve information about your Facebook user!

Here https://developers.facebook.com/docs/concepts/login/access-tokens-and-types/ it is mentioned that:

Our Data Policies explicitly prohibit any sharing of an Access Token for your app with any other app. However, we do allow developers to share Tokens between a native implementation and a server implementation of the same App (ie. using the same App ID) as long as the transfer takes place using HTTPS.

Upvotes: 10

Antonio Saco

Reputation: 1650

Regarding:

Is it possible for us to share access tokens?

and,

can I access that users data even if my app_id & secret do not match the app that requested it?

The answer is No. From the OAuth2 spec, section 10.3:

Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.


Should I have the users go through a separate oauth flow on my site even if they have already completed it for the other third party?

The answer is Yes. If you're using Facebook as the authorization server and you restart the OAuth flow, your user will only need to approve your other app (the third party).

Upvotes: 5
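The two answers above describe the same fact from both sides: a user token issued to another app will often still work against the Graph API, yet both Facebook's policy and RFC 6749 section 10.3 say it must not be reused. The defender-side check that follows is an added example, not code from either answer or from Facebook: it assumes the receiving service calls Facebook's `debug_token` introspection endpoint (GET /debug_token?input_token=<token>&access_token=<app-token>) and then refuses any token whose reported `app_id` is not its own, sending those users through its own OAuth flow instead. The JSON below is a constructed sample of that endpoint's response shape, with made-up values.

```python
import json
import time

# Constructed sample of the JSON shape returned by Facebook's debug_token
# endpoint; every value here is made up for this example.
SAMPLE_DEBUG_RESPONSE = json.dumps({
    "data": {
        "app_id": "111111111111111",
        "application": "Some Third Party App",
        "expires_at": 4102444800,
        "is_valid": True,
        "scopes": ["public_profile", "email"],
        "user_id": "222222222222222",
    }
})

# Constructed: the App ID of the service that received the token.
OUR_APP_ID = "999999999999999"


def check_token_owner(debug_json: str, our_app_id: str, now=None) -> dict:
    """Decide whether a token presented to us may be used by us.

    The token is accepted only when the authorization server reports it
    valid, it has not expired, and it was issued to *our* app ID. A token
    issued to a different app is rejected: reusing it would violate the
    Facebook data policy and RFC 6749 section 10.3, so the caller should
    start its own OAuth flow for that user instead.
    """
    now = time.time() if now is None else now
    try:
        data = json.loads(debug_json)["data"]
    except (ValueError, KeyError, TypeError):
        return {"ok": False, "reason": "malformed debug_token response"}
    if not data.get("is_valid", False):
        return {"ok": False, "reason": "token reported invalid"}
    expires_at = data.get("expires_at", 0)  # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        return {"ok": False, "reason": "token expired"}
    if str(data.get("app_id")) != str(our_app_id):
        return {"ok": False,
                "reason": f"token issued to app {data.get('app_id')}, not {our_app_id}"}
    return {"ok": True, "reason": "token issued to our app",
            "user_id": data.get("user_id")}
```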

Claudiu

Reputation: 3261

Each access token is issued only for one app - it cannot be used with different application IDs.

Upvotes: 4
