user3203425

Reputation: 3059

Check if user facebook ID and session from mobile client are real?

I have a mobile app, and the user can sign in using facebook. So on the client, I'll get their facebookId, and a session token.

Now I want to send the facebook ID up to my server to link to their account. But I want to verify that the ID is trusted - if I also send the session token from the client to the server, is there a facebook API which will let me verify that a facebook ID + session token is real?

Example of the client talking to my server:

https://example.com/myservice/getMyAppAccountInfo?fbId=123&fbSessionToken=abc

Now on my server, can I ask Facebook if the ID and session token are correct? I don't want a malicious user just grabbing someone's Facebook ID and then impersonating them.

Thanks

Upvotes: 0

Views: 737

Answers (1)

user3203425

Reputation: 3059

Ok so I ended up calling this server-side, using the facebook session token supplied by my client:

https://graph.facebook.com/me?access_token=tokenSuppliedByMyClient

If the access_token is real, then you'll get a JSON response that is the Facebook user object associated with that session token:

// the facebook user object associated with the session token:
{
  "id": "123", 
  "name": "...",
  ...
}

Then I compare the "id" attribute in the JSON to the Facebook ID supplied by the client. If everything matches up at this point, I'll trust the client.

Upvotes: 1
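The server-side check described in the answer, written out as an added example (this is not the asker's code and not Facebook's SDK). It calls `https://graph.facebook.com/me` with the client-supplied token and accepts the login only when the `id` in the response equals the id the client claimed, so a stolen Facebook ID without a matching token is rejected. The `fetch` parameter is injected so the logic can be exercised offline with `fake_fetch`, whose responses are constructed for the demo and are not real Graph API data. The optional `app_id`/`app_token` step uses the real Graph `debug_token` endpoint to confirm the token was issued to your own app (a token from some other Facebook app also passes `/me`); `APP_ID_PLACEHOLDER` and the app token value are placeholders you would replace with your app's credentials.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"


def fetch_json(url):
    """Default fetcher: GET the URL and parse the JSON body.
    Facebook answers a bad token with an HTTP error whose body is a JSON
    {"error": ...} object; return that so the caller treats it as invalid."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        try:
            return json.load(e)
        except ValueError:
            return {"error": {"message": str(e)}}


def verify_facebook_login(client_fb_id, client_token, fetch=fetch_json,
                          app_id=None, app_token=None):
    """Return True only if client_token is a live Facebook token AND it belongs
    to client_fb_id (the check from the answer above).  Never trust the id the
    client sent on its own; trust only the id Facebook reports for the token."""
    if not client_fb_id or not client_token:
        return False

    # Step 1: ask Facebook who this token belongs to.
    me = fetch(f"{GRAPH}/me?fields=id&" +
               urllib.parse.urlencode({"access_token": client_token}))
    if not isinstance(me, dict) or "error" in me or "id" not in me:
        return False

    # Step 2: the id Facebook returns must equal the id the client claimed.
    if str(me["id"]) != str(client_fb_id):
        return False

    # Step 3 (optional hardening, not in the original answer): confirm the
    # token was issued to *our* app via the debug_token endpoint.
    if app_id and app_token:
        dbg = fetch(f"{GRAPH}/debug_token?" + urllib.parse.urlencode(
            {"input_token": client_token, "access_token": app_token}))
        data = dbg.get("data", {}) if isinstance(dbg, dict) else {}
        if not data.get("is_valid") or str(data.get("app_id")) != str(app_id):
            return False
    return True


# Constructed fake Graph responses for offline demonstration (not real data).
FAKE_USERS_BY_TOKEN = {
    "valid-token-for-123": {"id": "123", "name": "Example User"},
}


def fake_fetch(url):
    """Stand-in for fetch_json that answers like the Graph API would."""
    parts = urllib.parse.urlsplit(url)
    qs = urllib.parse.parse_qs(parts.query)
    if parts.path == "/me":
        user = FAKE_USERS_BY_TOKEN.get(qs.get("access_token", [""])[0])
        if user:
            return dict(user)
        return {"error": {"message": "Invalid OAuth access token."}}
    if parts.path == "/debug_token":
        token = qs.get("input_token", [""])[0]
        if token in FAKE_USERS_BY_TOKEN:
            return {"data": {"app_id": "APP_ID_PLACEHOLDER", "is_valid": True,
                             "user_id": FAKE_USERS_BY_TOKEN[token]["id"]}}
        return {"data": {"is_valid": False}}
    return {"error": {"message": "unknown endpoint"}}


if __name__ == "__main__":
    # Equivalent of ?fbId=123&fbSessionToken=valid-token-for-123 from the question.
    print(verify_facebook_login("123", "valid-token-for-123", fetch=fake_fetch))  # True
    # Attacker sends someone else's id with their own (or a bogus) token.
    print(verify_facebook_login("456", "valid-token-for-123", fetch=fake_fetch))  # False
    print(verify_facebook_login("123", "bogus-token", fetch=fake_fetch))          # False
```

In production, drop the `fetch=` argument so `fetch_json` makes the real HTTPS call, and pass `app_id` plus your app access token if you want the token-to-app binding check; also make sure the client sends the token only over HTTPS, since whoever holds it can pass this check.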
