Reputation: 121
I think I don't fully understand the way the Facebook OAuth API handles authentication. As far as I understand, it works basically like this (client being an Android phone, my server a standard LAMP setup); see the diagram at http://i.imagebanana.com/img/hvlsb2dp/fbAuth.png
Now the issue is, the client can of course fake step number 3 by submitting a wrong userID to my server. For example, if my server responds to the request http://server.com/getConfidentialData.php?fbID=%FBID% and the user manages to get the FB userID of someone else, he could just put that into the request and he'd get the data that belongs to someone else.
If I use the PHP SDK, how can it know whether my user is logged in in the Android app or not?
Is that the way it's supposed to work, or am I missing something?
Thanks, David.
Upvotes: 2
Views: 241
Reputation: 3407
The only true solution:
The moment you have a server with private user data and not everything is on Facebook, you need to do the server-side login which is not hard to implement once you understand the flow.
Check the diagram at Facebook and follow the guidelines they provide in this example and you are good to go.
https://developers.facebook.com/docs/howtos/login/server-side-login/
Upvotes: 1
Reputation: 3407
I have exactly the same problem... And the same sensation, but since you don't have any answers I'll take you around what I found.
I have designed the following solution:
I send to my server the FB userID, his e-mail (to identify him in my server) and his access token (everything over HTTPS, as if it were a special login call).
From my server I try out the access token, and if it works (*) I log in and update/register the user in my server too.
(*) I first defined "works" as being able to access the user's e-mail, but then any other app with that permission could impersonate my user, so now I extend the token life, which only works if the token comes from my app.
I hope this helps, and meanwhile, if anyone could have a real solution to this problem and explain to us how others avoid this, I'd be grateful.
Cheers!
Upvotes: 0
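The check the answer above arrives at, written out as an added example (not code from either poster, and sketched in Python rather than PHP so the logic is easy to follow): the server never trusts the client-supplied fbID on its own, but inspects the access token with its own app token, requires that the token was issued to this app, and then compares the user id Facebook reports for the token against the one the client claimed. The Graph API `/debug_token` endpoint and the `is_valid` / `app_id` / `user_id` fields are taken from Facebook's documentation of that endpoint; the app id and secret are placeholders and the responses used in the fake fetcher are constructed, not real.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

MY_APP_ID = "123456789012345"            # placeholder: your own Facebook app id
MY_APP_SECRET = "APP_SECRET_PLACEHOLDER"  # placeholder: your own app secret
GRAPH = "https://graph.facebook.com"


def fetch_json(url):
    """Real network fetch of a Graph API URL (production path, not used by the test)."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_login(claimed_fb_id, user_token, fetch=fetch_json):
    """Return the verified Facebook user id, or None if the login must be rejected.

    Three independent checks: the token is valid, it was issued to *this* app
    (a valid token from some other app with e-mail permission must not pass),
    and the user id Facebook reports for the token equals the id the client
    sent in "step 3".  Only the id reported by Facebook is used afterwards.
    """
    app_token = f"{MY_APP_ID}|{MY_APP_SECRET}"  # app access token form: APP_ID|APP_SECRET
    query = urlencode({"input_token": user_token, "access_token": app_token})
    info = fetch(f"{GRAPH}/debug_token?{query}").get("data", {})
    if not info.get("is_valid"):
        return None                      # expired, revoked or garbage token
    if info.get("app_id") != MY_APP_ID:
        return None                      # token belongs to another app
    if info.get("user_id") != claimed_fb_id:
        return None                      # client claimed someone else's id
    return info["user_id"]


# Constructed debug_token responses keyed by input_token, standing in for the network.
FAKE_RESPONSES = {
    "tok-ours-alice":     {"data": {"is_valid": True,  "app_id": MY_APP_ID, "user_id": "1001"}},
    "tok-otherapp-alice": {"data": {"is_valid": True,  "app_id": "999",     "user_id": "1001"}},
    "tok-expired":        {"data": {"is_valid": False, "app_id": MY_APP_ID, "user_id": "1001"}},
}


def fake_fetch(url):
    """Offline replacement for fetch_json: look the input_token up in FAKE_RESPONSES."""
    token = parse_qs(urlparse(url).query).get("input_token", [""])[0]
    return FAKE_RESPONSES.get(token, {"data": {"is_valid": False}})
```

Calling `verify_login("1001", "tok-ours-alice", fetch=fake_fetch)` returns `"1001"`, while the same token with a claimed id of `"2002"`, a token issued to another app, or an expired token all return `None`; the database lookup then keys on the returned id, never on the request parameter.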