Reputation: 3878
We're allowing a user to access our backend (using a REST api over https with json replies) using only a facebook access token as a credential, so we want to do two things:
verify the access token and find the user's id - which is just a call to https://graph.facebook.com/me?access_token=TOKEN
Make sure that this access token belongs to our facebook app. You can call https://graph.facebook.com/app?access_token=TOKEN, but this seems to be an undocumented feature (and one which is sometimes rather slow).
Can anybody tell me whether this is in fact a standard method which is likely to stay there? Or is there another way of doing what we want to do: to verify that a user's access token is valid and comes from our facebook app.
You can call me/permissions and me?fields=installed, but neither of these seem to tell me WHICH facebook app we're checking.
Upvotes: 5
Views: 7761
Reputation: 315
This is old, but I've recently just had the same worries. I think the most straightforward way to do this is checking the access token with debug_token.
GET graph.facebook.com/debug_token?
input_token={token-to-inspect}
&access_token={app-token-or-admin-token}
Reference: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken
Upvotes: 4
Reputation: 12072
You should implement an authentication flow as described in the docs (client or server side). Basically you get a fresh access token by authenticating the user with your app and use that token for requests to your server. This way you can be sure that the token "belongs" to your app. Steps to do:
The docs provide you with sample code and lots of details:
UPDATE:
The feature you mentioned is documented here (scroll down to 2. Make requests to the API):
An app access token allows you to make requests as an application, not a user. To retrieve the details of your application, perform an HTTP GET on:
https://graph.facebook.com/app?access_token=APP_ACCESS_TOKEN
Hence the feature is likely to stay.
Upvotes: 4
Reputation: 106
You can pass signed_request instead of access_token with every request. The signed_request parameter is based on the secret key of your application and you can simply verify it. Read the documentation about signed requests.
Upvotes: 2
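An added example (not code from any of the answers above) showing both server-side checks discussed on this page in Python: verifying a signed_request with the app secret, as the last answer suggests, and validating the JSON that /debug_token returns, as the first answer suggests, so that a token is only accepted when it is valid and issued to our own app_id. The app secret, app id and payload values are constructed, and make_signed_request is a helper that mimics Facebook's encoding so the verifier can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64url_decode(data: str) -> bytes:
    # Facebook strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_signed_request(payload: dict, app_secret: str) -> str:
    # Mirrors Facebook's encoding (base64url(sig).base64url(json)) so the verifier
    # below can be exercised offline with a constructed secret.
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{body}"

def verify_signed_request(signed_request: str, app_secret: str) -> Optional[dict]:
    """Return the decoded payload if it was signed with app_secret, else None."""
    try:
        encoded_sig, body = signed_request.split(".", 1)
        payload = json.loads(_b64url_decode(body))
        given_sig = _b64url_decode(encoded_sig)
    except ValueError:  # missing dot, bad base64 or bad JSON
        return None
    # Only HMAC-SHA256 is accepted; the payload must not be allowed to pick a weaker one.
    if not isinstance(payload, dict) or str(payload.get("algorithm")).upper() != "HMAC-SHA256":
        return None
    # The MAC covers the encoded body string, keyed with the app secret.
    expected = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):  # constant-time comparison
        return None
    return payload

def check_debug_token(response: dict, expected_app_id: str, now: Optional[float] = None) -> bool:
    """Validate a /debug_token JSON reply: issued to our app, valid, and not expired."""
    data = response.get("data", {})
    now = time.time() if now is None else now
    expires_at = data.get("expires_at", 0)  # 0 is treated here as non-expiring
    return (data.get("is_valid") is True
            and str(data.get("app_id")) == str(expected_app_id)
            and (expires_at == 0 or expires_at > now))
```

The debug_token call itself still has to be made with an app token or admin token, as the first answer shows; check_debug_token only validates the reply.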