I'm developing iPhone application, that is based on communication with server, and I want to use Facebook authentication mechanisms. Basically, I think it should work like this: In my iPhone app, user logs in to Facebook, using his email and password. User allows access to his data for related Facebook application. My iPhone app receives access token, after successful log in. In further communication with my server, my iPhone application should use the received Facebook access token (for example: in queries). When my server receives some query from iPhone app, with access token, it should ask Facebook that this token is valid (and for who), and if yes, server should assume that user is authenticated with Facebook. My question is: how the server should ask Facebook if given access token is valid? I think I should somehow check if the token is valid for my Facebook app. I've tried many Facebook queries to graph API, that I've found, but nothing worked as I expected. Can you provide me some example?

Reputation: 1823

Facebook access token server-side validation for iPhone app

I'm developing iPhone application, that is based on communication with server, and I want to use Facebook authentication mechanisms.

Basically, I think it should work like this:

In my iPhone app, user logs in to Facebook, using his email and password.
User allows access to his data for related Facebook application.
My iPhone app receives access token, after successful log in.
In further communication with my server, my iPhone application should use the received Facebook access token (for example: in queries).
When my server receives some query from iPhone app, with access token, it should ask Facebook that this token is valid (and for who), and if yes, server should assume that user is authenticated with Facebook.

My question is: how the server should ask Facebook if given access token is valid? I think I should somehow check if the token is valid for my Facebook app.

I've tried many Facebook queries to graph API, that I've found, but nothing worked as I expected. Can you provide me some example?

Upvotes: 113

Answers (8)

Robin

Reputation: 2339

Update: this answer seems insecure since it doesn't validate the token first as belonging to your app, see the comments, original answer as follows:

I assume that you already have the access token in hand. In such a case the simplest way to validate an access token is to issue the following request

https://graph.facebook.com/me?fields=id&access_token=@accesstoken

Here replace @accesstoken with the access token you have. I will breakdown the url and will explain each.

We are issuing a graph api request here which will return the Facebook User Id of the owner of the access token as a JSON string. The keyword 'me' represents the currently logged in user or the owner of the access token. For this request access token is a mandatory parameter.

If the provided access token is not valid or expired Facebook will just return an error message of some sort.

For a valid access token the result will somehow look like this

{
   "id": "ID_VALUE"
}

Upvotes: 115

Helen Williamson

Reputation: 156

Another solution would be to use https://graph.facebook.com/app/?access_token=[user_access_token] as described by Get application id from user access token (or verify the source application for a token).

This appears to be an undocumented feature, but returns JSON containing the id of the app the token was generated for. If the token wasn't for your app, it returns a 400.

Upvotes: 11

sebastian the crab

Reputation: 1341

Here's a two step process you can use to validate that a user access token belongs to your App:

1) Generate an App Access token

(https://developers.facebook.com/docs/howtos/login/login-as-app/)

https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials

2) Debug the User Access token

(https://developers.facebook.com/docs/howtos/login/debugging-access-tokens/)

https://graph.facebook.com/debug_token?
input_token=INPUT_TOKEN
&access_token=ACCESS_TOKEN

Where INPUT_TOKEN is the user access token you want to verify, and ACCESS_TOKEN is your app's token that you got from step 1.

The debug endpoint basically dumps all information about a token, so it'll respond with something like this:

{
    data: {
        app_id: YOUR_APP_ID,
        is_valid: true,
        metadata: {
            sso: "iphone-safari"
        },
        application: YOUR_APP_NAMESPACE,
        user_id: USER_ID,
        issued_at: 1366236791,
        expires_at: 1371420791,
        scopes: [ ]
    }
}

If that token isn't from "your app" then it will return an error response.

Upvotes: 119

Kamoris

Reputation: 505

This is the only secure method to verify user token using just one request:

https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}

Note that a sign "|" in the above URL isn't used as OR but as separator and must be there after fill the other fields.

The response will be JSON looking like that:

{
    data: {
        app_id: {app_id},
        application: {app_name},
        expires_at: {some_number},
        is_valid: {true|false}
        scopes: {array_of_permissions},
        user_id: {user_id}
    }
}

Reference: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens (above method is mentioned at the bottom of this section)

Upvotes: 2

Shoeb Ahmed Mogal

Reputation: 115

In the latest version of facebook (2.2) you can do it this way:

https://developers.facebook.com/docs/graph-api/reference/v2.2/debug_token

Sample output:

{
    "data": {
        "app_id": "THE APP ID", 
        "application": "APP NAME", 
        "expires_at": 1427245200, 
        "is_valid": true, 
        "scopes": [
        "public_profile", 
        "basic_info", 
        "read_stream", 
        "email", 
        "publish_actions", 
        "read_friendlists", 
        "user_birthday", 
        "user_hometown", 
        "user_location", 
        "user_likes", 
        "user_photos", 
        "user_videos", 
        "user_friends", 
        "user_posts"
        ], 
        "user_id": "THE USER ID"
    }
}

Upvotes: 6

Andrew Magee

Reputation: 6684

If a user has passed you a Facebook UID that they claim is theirs and you want to check if it's legit, this is a Python function that will verify it against their access token (an implementation of Robin Jome's answer):

def verify_facebook_id(id, access_token):
    import requests
    import simplejson
    params = {'fields': 'id', 'access_token': access_token}
    text = requests.get("https://graph.facebook.com/me", params=params).text
    json = simplejson.loads(text)
    response_id = json["id"]
    return response_id == id

Upvotes: 2

Baptiste Costa

Reputation: 1044

private function facebookRequestMe($access_token)
{
    include_once "facebook.php";

    $facebook = new Facebook(array(
        "appId" => "your_application_id",
        "secret" => "your_application_secret"
    ));
    $facebook->setAccessToken($access_token);
    return $facebook->api("/me", "GET");
}

You can download the Facebook SDK for PHP from GitHub.

Upvotes: 2

jcm

Reputation: 1789

Along with an access token Facebook also sends an "expires_in" parameter, which is an offset value. Use that to compute for when the access token will expire as an NSDate. Then when you need to do a request compare the current date with the expiration date.

Also try to inspect the status codes and response strings Facebook sends back.

Upvotes: -1

Facebook access token server-side validation for iPhone app

Answers (8)

Related Questions