Authenticate user logged in with FB at my server using the Android Account Manager

Question

I have a question about authentication using the Android Account Manager. We have a backend and an Android app and the user should log into our backend using his Facebook account. Currently we show a webview for this purpose which does normal oAuth 2 but using the Android Account Manager is more secure and much easier for the user so we want to switch. My question is, how can the server validate if the user is really who he pretends to be. Since we cant trust the App we have to talk to fb from the server side to validate if the user really is who he pretends to be. Based on a quite similar idea I made the following diagram to ask you if this is the correct way to do it or if I missed something:

The flow would look like this:

1. User wants to log in with his facebook account
2. The Android Account Manager is shown where he picks the facebook account
3. The user grants access that "My app" is allowed to access his fb data
4. The Android Account Manager gets an auth token from the Facebook server
5. The "My App" now has the auth token and can access the fb data of the user
6. The "My App" passes the tokten to "My Server"
7. The "My Server" now checks if token valid by getting the user data from the fb server
8. If the token was valid the "My Server" gives back a normal temporary valid cookie for the current session with "My App". The user is now logged in at My Server with his fb account.

So is this the correct way? Is step 6 a good idea to pass the token once to "my server" or is there a better way? Btw Facebook is just an example here, we use different auth providers like FB, Google and Twitter but the flow should be the same for each one.

Answer 1

I don't know if this the correct way or not. But i'd like to share how we tackled this problem in our case which was pretty much same as your solution. We were using Google and Facebook auth providers.

Our android app sends token to the server and then server validate the token depending on the provider if it is validated then user is good to go if it isn't we show the appropriate message. Also we used to check the validation of token every time when user open the app at server end if token is still valid user can use app if it is not we just bring user back to log in screen so user can validate himself again because token get expired after some time.