
I'm developing an App which uses Facebook to authenticate. So far, what I have is the following:

  1. Client->FB: authentication data (fb user & password),
  2. FB->Client: FB id, FB token,...
  3. Client->AppServer: FB data (id, token,..)
  4. AppServer->Client: OK/Not OK, whatever necessary data.

Where:

  • Client: The App installed in the user's device (in this case, iOS),
  • FB: FB server (the client talks to it through FB's SDK),
  • AppServer: My App's server.

The point of all this is to validate whether the user is real. The problem is that in #3 the Client could be sending a random FB id or FB token to the AppServer, so the question is: is there any way to check in the AppServer whether this FB data is indeed real?

  • From my experience, in step 3, you should just be passing the fb token to your app server. The app server can then use the token to get the Id, email etc (as long as you have requested permission from the user to do so). You don't have to worry about the FB token being fake as when you validate it with Facebook on the server side it will fail if Facebook thinks it's a fake. This is due to Facebook binding the token to the fb app id, secret, domain/app name etc. If someone manages to fake this, then you have worse things to worry about. – TheDaveJay Jan 04 '16 at 22:08
  • @TheDaveJay and how do I do that? Just as if the AppServer was a client to FB? (e.g., if the server is written in PHP using the FB SDK for PHP?) – Carlos Navarro Astiasarán Jan 04 '16 at 22:16
  • Have a look at the documentation on Facebook: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#confirm There is a section titled "Inspecting access tokens". You do a GET request to the API and if it has a success response, the token is not a fake. That will return a JSON payload with the user id etc in it. – TheDaveJay Jan 04 '16 at 22:23
  • Have a look at this post: http://stackoverflow.com/questions/8605703/how-to-verify-facebook-access-token – TheDaveJay Jan 04 '16 at 22:27
  • https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#confirm – CBroe Jan 05 '16 at 09:02

1 Answer


This worked for me:

Given a FB_CLIENT_TOKEN and FB_CLIENT_ID coming from a client, and knowing your FB_APP_ID and FB_APP_SECRET, we want to validate on our server whether the fb account from the client is real. Then:
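The steps of the answer itself are not reproduced on this page. What follows is an added example written for this thread, not the answer's own code and not Facebook's SDK: it implements the check TheDaveJay's comment describes (the server asks Facebook to inspect the client-supplied token) using the real Graph API `GET /debug_token` endpoint, called with the app access token `APP_ID|APP_SECRET`. It goes beyond "is the token valid" and also checks the two things a server must not skip: that the token was issued to *our* app (a valid token for some other Facebook app is still not ours), and that the user id Facebook reports matches the id the client claimed (the client-sent `FB_CLIENT_ID` is never trusted on its own). The `appsecret_proof` helper is Facebook's documented HMAC-SHA256 of the user token keyed with the app secret, which server-to-Facebook calls can attach. The function names, the constructed JSON responses and the sample token strings are this example's own; no real tokens or app ids appear.

```python
"""Server-side verification of a Facebook access token received from a
mobile client. Added example for this thread, not the answer's own code.

Real endpoints used (the unversioned Graph host picks the app's default
API version; that is an assumption of this example):

  GET https://graph.facebook.com/debug_token
        ?input_token=<client token>&access_token=<APP_ID>|<APP_SECRET>

The fake responses at the bottom are constructed sample data so the
example runs offline; they mirror the shape of real debug_token output.
"""
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"


def appsecret_proof(access_token, app_secret):
    """HMAC-SHA256(app_secret, access_token) as hex. Facebook accepts this
    'appsecret_proof' query parameter as evidence that a Graph call was made
    by the app server (which holds the secret), not by a leaked client token.
    """
    return hmac.new(app_secret.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()


def http_get_json(url):
    """Default fetcher: a real HTTPS GET returning parsed JSON."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_fb_token(client_token, client_id, app_id, app_secret,
                    fetch=http_get_json):
    """Return the Facebook user id Facebook itself vouches for, or raise
    ValueError. client_token and client_id are untrusted (sent by the app);
    app_id and app_secret are the server's own credentials (step 3 -> 4).
    """
    app_token = f"{app_id}|{app_secret}"          # app access token
    query = urllib.parse.urlencode({"input_token": client_token,
                                    "access_token": app_token})
    info = fetch(f"{GRAPH}/debug_token?{query}")
    data = info.get("data") or {}
    # Garbage or expired tokens come back either as a top-level error or
    # as data.is_valid == false; treat both the same way.
    if "error" in info or not data.get("is_valid"):
        raise ValueError("token rejected by Facebook")
    # A genuine token minted for a different Facebook app is still not ours.
    if str(data.get("app_id")) != str(app_id):
        raise ValueError("token was issued to another app")
    # Never trust the id the client sent; compare with what Facebook says.
    if str(data.get("user_id")) != str(client_id):
        raise ValueError("token does not belong to the claimed user")
    return str(data["user_id"])


# ---- constructed offline stand-in for Facebook (sample data, not real) ----
FAKE_APP_ID = "123456"
FAKE_APP_SECRET = "s3cr3t"
FAKE_DEBUG = {
    "good-token": {"data": {"app_id": "123456", "user_id": "1000001",
                            "is_valid": True}},
    "other-app-token": {"data": {"app_id": "999999", "user_id": "1000001",
                                 "is_valid": True}},
    "expired-token": {"data": {"app_id": "123456", "user_id": "1000001",
                               "is_valid": False,
                               "error": {"code": 190,
                                         "message": "Session has expired"}}},
}


def fake_fetch(url):
    """Answers debug_token calls from FAKE_DEBUG; unknown tokens get the
    top-level error object Facebook returns for malformed input."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    tok = qs.get("input_token", [""])[0]
    return FAKE_DEBUG.get(tok, {"error": {"message": "Invalid OAuth access token.",
                                          "code": 190}})


def check(client_token, client_id, fetch=fake_fetch):
    """Convenience wrapper: 'ok' or the reason the server rejected the login."""
    try:
        verify_fb_token(client_token, client_id, FAKE_APP_ID, FAKE_APP_SECRET,
                        fetch)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for tok, uid in [("good-token", "1000001"), ("good-token", "1000002"),
                     ("other-app-token", "1000001"), ("expired-token", "1000001"),
                     ("random-junk", "1000001")]:
        print(f"{tok:>16} / {uid}: {check(tok, uid)}")
```

To use it against Facebook for real, call `verify_fb_token` with the default fetcher and your real app id and secret; the secret must stay on the server, which is the whole reason the client cannot forge a passing response. Keep the `user_id` comparison: a token is only proof that *some* Facebook user authorised your app, and the server must look up its own account by the id Facebook returns, not by the id the client sent.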