Ben Lesh

Reputation: 108491

Facebook JavaScript API log in: What do I store in my own application's user records?

I'm tasked with integrating Facebook logins on a site I'm working on using their JavaScript API.

I can manage getting the authentication response back from Facebook just fine. I'm just not sure what to do with it.

What I need to do is during registration:

  1. Allow the user to sign up with a Facebook login.
  2. Store something in my own database on their account to look up at a later date when they login via Facebook.

Then when they return to the site:

  1. Establish that the user is logged into Facebook and get a FB access token.
  2. Securely, notify my API that the user is logged into Facebook, look up their account, and get a token for my own API.

I was just storing the Facebook ID and looking that up, but I realized that would be easily spoofed.

What is the most secure way to go about doing this?

Upvotes: 1

Views: 231

Answers (2)

C3roe

Reputation: 96363

What is the most secure way to go about doing this?

IMHO: Doing it server-side.

If you pass the signed_request value you’re getting when doing client-side login via the JS SDK to your server, you can decode and verify it there to check that it’s authentic – because it is signed using your app secret, which no one else than you and Facebook (should) know.

Client-side you can't have that level of security, because verifying the request is not possible without your app secret, and that has no business in client-side scripts, ever.

Upvotes: 1

Mark S.

Reputation: 4017

First, you should read the Facebook documentation about authentication with Facebook, and also the JavaScript SDK documentation. Generally the flow would be:

  1. Check to see if they have already registered by calling FB.getLoginStatus(). If they have, jump to step 4.
  2. User sees a "Login with Facebook" JavaScript button on your site.
  3. User clicks on the button. They are sent to Facebook to authorize your app to access their account.
  4. Control is returned to you with the Open Graph.
  5. Your app goes on its merry way with whatever it needs to do.

Make sure you read up on Facebook Permissions, so you know what Permissions to ask for. If you need to request additional permissions, then you need to send the user through the whole authorization process again.

Upvotes: 0
