Reputation: 1458
Pass facebook access token from mobile client to server and process
I am hoping to work on a REST API that would interface with a mobile client. I am think of implementing the following flow and hope you guys can set me off in the right direction:
- User accesses the mobile app and then will signup with facebook (app)
- Once the user successfully authenticates himself, the generated token is passed to the server (via an API endpoint)
- The server will accept this token and will attempt to query the facebook server using this token and process the returned information
Is this possible? And am I heading in the right direction ?
Upvotes: 4
Views: 573
Answers (1)
Reputation: 1332
Not only this is possible, but this is the approach which Facebook recommends. This is called "token debugging" in FB parlance.
The token will need to be checked and validated by your server, by calling the token debug Facebook api.
If you don't validate the token on the server, your app could be subject to various attacks, e.g. another developer could use a token generated on another app to gain entry.
The correct approach is:
- testing that the user is the one to whom the token belongs to
- that your app is the same for which the token was generated
- that the token itself is valid.
You can manually inspect a token, in order to test your code with an online tool: https://developers.facebook.com/tools/debug/
Upvotes: 3
Related Questions
- Facebook PHP Sdk Access Token
- Facebook PHP SDK - How to get access token?
- How to send client access token with app secret to Facebook account kit and get the resons
- facebook-php-sdk serverside graph api call with app token
- How to work with Facebook App Access Tokens?
- How to get user access token though server-side authentication
- Facebook SDK - getting access token when user logged in
- how to use graph api access token in php for facebook sdk
- Facebook PHP SDK get access token using php
- Get/store Facebook access token from REQUEST in PHP SDK 3.0