Reputation: 71
Is it possible to authenticate the user on the server side using an auth token retrieved by an Android application from Facebook? In other words, the Android application uses SSO and obtains an auth token. It then sends this token to a backend application deployed on Google App Engine. The backend application then verifies the user against Facebook using the token.
I guess it's not feasible because the retrieved token can be used only by the Android application, but who knows? Maybe it may be reused somehow?
Upvotes: 7
Views: 1871
Reputation: 385
The token you get from the Android API can be sent to your server, which can check the validity of the token by querying the Graph (using /me?auth_token=.... for example). The problem is that the same token can be used by any third party - it's not client specific - and so if you base server identification on that, you have a problem (since a third app could use its user token and get authenticated by you). I am trying to find a way to solve this issue, but I don't have good ideas yet...
Upvotes: 2
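A backend-side version of the check this answer describes, as an added example that is not part of the original post or of any Facebook SDK. It assumes a hypothetical app id and secret (`MY_APP_ID`, `MY_APP_SECRET`) and an injectable `fetch` function so the Graph calls can be replaced by constructed responses and the code runs offline. Note that the Graph API parameter carrying the token is `access_token`. To address the gap the answer points out (a valid token from some other app would pass a bare `/me` check), the example also calls the Graph `/debug_token` endpoint with an app access token (`app_id|app_secret`), which reports the `app_id` the user token was issued to, and sends `appsecret_proof` (HMAC-SHA256 of the token keyed with the app secret) on the `/me` call; both are Graph API features newer than the original discussion.

```python
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"

# Assumed values for this example only (not from the original page).
MY_APP_ID = "123456789012345"
MY_APP_SECRET = "0123456789abcdef0123456789abcdef"


def appsecret_proof(token, app_secret):
    """HMAC-SHA256 of the user token keyed with the app secret; the Graph
    accepts it as `appsecret_proof` on server-side calls, so a leaked user
    token alone is not enough to replay the call from another host."""
    return hmac.new(app_secret.encode(), token.encode(), hashlib.sha256).hexdigest()


def http_get_json(url):
    """Real network fetch; the offline test swaps in fake_fetch below."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())


def verify_token(user_token, app_id=MY_APP_ID, app_secret=MY_APP_SECRET, fetch=http_get_json):
    """Return the Facebook user id if `user_token` is valid AND was issued to
    our app; otherwise raise ValueError with the reason."""
    # 1. Who does the Graph say this token belongs to? (the check in the answer)
    q = urllib.parse.urlencode({"access_token": user_token,
                                "appsecret_proof": appsecret_proof(user_token, app_secret),
                                "fields": "id"})
    me = fetch(f"{GRAPH}/me?{q}")
    if "error" in me or "id" not in me:
        raise ValueError("token rejected by Graph API")

    # 2. Which app was the token issued to?  Queried with our app token, so a
    #    valid token minted for a third app is rejected here.
    q = urllib.parse.urlencode({"input_token": user_token,
                                "access_token": f"{app_id}|{app_secret}"})
    data = fetch(f"{GRAPH}/debug_token?{q}").get("data", {})
    if not data.get("is_valid"):
        raise ValueError("token not valid")
    if str(data.get("app_id")) != str(app_id):
        raise ValueError("token was issued to a different app")
    if str(data.get("user_id")) != str(me["id"]):
        raise ValueError("user id mismatch between /me and /debug_token")
    return me["id"]


# Constructed Graph responses so the example runs offline (not real data).
_FAKE_TOKENS = {
    "tok-ours":  {"user_id": "1001", "app_id": MY_APP_ID,   "is_valid": True},
    "tok-other": {"user_id": "1001", "app_id": "999999999", "is_valid": True},
    "tok-dead":  {"user_id": "1001", "app_id": MY_APP_ID,   "is_valid": False},
}


def fake_fetch(url):
    """Stand-in for http_get_json that answers from _FAKE_TOKENS."""
    u = urllib.parse.urlparse(url)
    qs = urllib.parse.parse_qs(u.query)
    if u.path == "/me":
        info = _FAKE_TOKENS.get(qs["access_token"][0])
        if info is None or not info["is_valid"]:
            return {"error": {"message": "Invalid OAuth access token", "code": 190}}
        return {"id": info["user_id"]}
    if u.path == "/debug_token":
        info = _FAKE_TOKENS.get(qs["input_token"][0])
        return {"data": dict(info) if info else {"is_valid": False}}
    raise ValueError("unexpected path " + u.path)


def classify(token, fetch=fake_fetch):
    """Wrapper returning (status, detail) instead of raising."""
    try:
        return ("accepted", verify_token(token, fetch=fetch))
    except ValueError as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    for t in list(_FAKE_TOKENS) + ["tok-unknown"]:
        print(t, classify(t))
```

The important line is the `app_id` comparison: `/me` alone answers "is this a real Facebook token for some user", which is what the answer describes, while `/debug_token` answers "was it issued to my app", which is what the backend actually needs before it treats the token as a login.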
Reputation: 15366
When using the Facebook Android SDK with Single Sign-On (SSO), the access token format actually changed. Instead of getting the traditional auth token, which contains the user id and session key as part of the authToken, we now get a different format of authToken.
As the Facebook devs are still in the process of supporting their REST APIs with the newly formatted access token, meanwhile we can disable SSO in the Android Facebook SDK by changing DEFAULT_AUTH_ACTIVITY_CODE to -1 from 32665 (in Facebook.java). This will invoke the traditional dialogue for granting an access token, and in return you'll get an access token which contains the session key in it.
Those who are looking to generate a secure session key need to add their own method in Facebook.java like:
```java
// Added inside the SDK's Facebook class; request(Bundle) is the SDK's own
// helper, and Bundle / MalformedURLException / IOException are already
// imported there (android.os.Bundle, java.net.MalformedURLException, java.io.IOException).
public String getSessionSecret(String accessToken)
        throws MalformedURLException, IOException {
    Bundle b = new Bundle();
    b.putString("method", "auth.promoteSession");
    b.putString("access_token", accessToken);
    b.putString("session_key_only", "true");
    String response = request(b);
    return response;
}
```
Upvotes: 0
Reputation: 12527
Yes you can. A valid access token is a valid access token. The Graph API does not care from where the token came, but only that the token has the appropriate permissions to access that portion of the Graph API. Keep in mind, though, that the token is only valid for 24 hours from the time of its issuance. (Is that really a word?) From the time it is issued?
Upvotes: 0
Reputation: 22371
Facebook actually has an Android SDK that lets you do this. Information can be found here.
Upvotes: 0