keybored

Reputation: 5248

Facebook - Security of Auth Token?

How important is it to keep the oauth_token safe from prying eyes? For instance, should I avoid passing it around in JavaScript and keep it solely in php-land, or is it fairly harmless to use it as is convenient? I'm trying to figure out what nefarious things a user could do with it, but beyond manually replaying their requests and looking up their own information it seems like it would be fairly harmless.

Upvotes: 0

Views: 446

Answers (1)

Arnaud Le Blanc

Reputation: 99911

The oauth_token gives access to the account the token is bound to [1]. So it must be kept secret from anyone other than the owner of the account (and can be disclosed to him).

[1] Facebook uses OAuth2, and the access_token alone allows use of the API, without an OAuth consumer key / secret.

Upvotes: 2
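The answer's point, that an OAuth2 access token is a bearer credential which works on its own, is easy to see with a small model. The following is an added example, not code from the question or answer and not Facebook's API: `FakeResourceServer` is a constructed stand-in for an OAuth2 resource server that accepts only the token, and `AppBackend` is the "php-land" pattern the asker describes, where the token stays on the server and the browser only ever receives an opaque session id. All class and function names are invented for the illustration.

```python
import secrets


class FakeResourceServer:
    """Constructed model of an OAuth2 resource server (not a real API).

    Like the real thing, it checks only the bearer access_token: no consumer
    key or secret is involved, so whoever holds the token *is* the account.
    """

    def __init__(self):
        self._tokens = {}  # access_token -> account id it is bound to

    def issue_token(self, account_id):
        """Simulate the end of the OAuth2 flow: mint a token for an account."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = account_id
        return token

    def revoke_token(self, token):
        """Simulate provider-side revocation (the only thing that truly kills a leaked token)."""
        self._tokens.pop(token, None)

    def get_profile(self, access_token):
        """The protected API call: valid token in, account data out."""
        account_id = self._tokens.get(access_token)
        if account_id is None:
            raise PermissionError("invalid or revoked access_token")
        return {"id": account_id, "name": f"user-{account_id}"}


class AppBackend:
    """Server side of the web app: keeps access_tokens out of the browser.

    The browser gets a random session id (a reference, not the credential).
    A leaked session id can be invalidated here without touching the provider,
    and it is useless against the resource server on its own.
    """

    def __init__(self, api):
        self.api = api
        self._sessions = {}  # session id -> access_token (server-side only)

    def login(self, access_token):
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = access_token
        return session_id  # this, not the token, goes into the cookie

    def logout(self, session_id):
        """Drop the session; the token itself stays valid until revoked at the provider."""
        self._sessions.pop(session_id, None)

    def profile_for_session(self, session_id):
        token = self._sessions.get(session_id)
        if token is None:
            raise PermissionError("unknown session")
        return self.api.get_profile(token)  # token used server-side, never sent to the client


def token_is_sole_credential(api, token):
    """True if the bare token is enough to read the account (it is, for a bearer token)."""
    return api.get_profile(token)["id"] is not None


def works_against_api(api, credential):
    """Does presenting this value directly to the resource server grant access?"""
    try:
        api.get_profile(credential)
        return True
    except PermissionError:
        return False


def demo():
    api = FakeResourceServer()
    token = api.issue_token("42")
    backend = AppBackend(api)
    session_id = backend.login(token)

    results = {
        # The token alone reads the account: anyone holding it acts as the owner.
        "token_alone_works": works_against_api(api, token),
        # The opaque session id leaks nothing usable at the provider.
        "session_id_works_at_api": works_against_api(api, session_id),
        # The app still serves the user, with the token staying on the server.
        "profile_via_session": backend.profile_for_session(session_id)["id"],
    }
    backend.logout(session_id)
    results["session_after_logout"] = False
    try:
        backend.profile_for_session(session_id)
        results["session_after_logout"] = True
    except PermissionError:
        pass
    # Logout only killed the session reference; the provider token is still live until revoked.
    results["token_after_logout"] = works_against_api(api, token)
    api.revoke_token(token)
    results["token_after_revoke"] = works_against_api(api, token)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the split between the two identifiers: the access_token is the credential the provider honours, so it lives only on the server; the session id is a random reference the server can invalidate at will, so it is the only thing that should ever reach JavaScript. The example also shows why a leaked token is worse than a leaked session: logging out of the app does not invalidate the token, only provider-side revocation does.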
