Facebook authentication to my server using Android

Submitted by 放荡痞女 on 2019-11-28 16:00:13

So you have: Facebook - Android Application - Your web server. And your web server needs to know that you are the Facebook user you are presenting. The problem is that you can not trust the Android client for any data it gives to you.

I solved the problem like this:

  1. Authenticate user to Facebook from Android application,
  2. Get the FB auth token to the android app,
  3. Forward the authentication token & facebook UID from Android to web server,
  4. Verify the token (using app_id & user_id) by using the Facebook Graph debug endpoint as described here (https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken) to be sure that the token is for the correct application,
  5. On the web server, make the Facebook API call with the submitted token.

If the debug endpoint API call from your web server returns valid information (app id & user id), your server can trust the id (& you can be sure that the Android authentication is real).

The better answer to this question (incorporating info from tomas.tunkl's comment) is as follows:

  1. Authenticate from Android Application
  2. Get the FB Auth token from the authentication in app
  3. Forward the token and fb UID to web server
  4. Call the debugging endpoint as described here (https://developers.facebook.com/docs/facebook-login/access-tokens/debugging-and-error-handling) -- this will give you the app id of the app which generated the token. MAKE SURE that the app id is YOUR APP ID (meaning it is a token from your mobile app), otherwise someone is hijacking your application using a token from another application and you are leaking user data (as tomas.tunkl pointed out with the URL https://developers.facebook.com/docs/facebook-login/security/#tokenhijacking). That is BAD. Also check is_valid/expires_at to make sure that it is still a valid token from your app.

(Since I linked the documentation, I'm also going to put a bit of info from that debugging-and-error-handling link in here to show how to make the call and what you get back:)

When working with an access token, you may need to check what information is associated with it, such as its user or expiry. To get this information you can use our debug tool, or you can use the API endpoint.

To use the API, you can issue a Graph API request:

    GET /debug_token?
        input_token={input-token}
        &access_token={access-token}

input_token: the access token you want to get information about

access_token: your app access token or a valid user access token from a developer of the app

The response of the API call is a JSON array containing a map of fields. For example:

    {
        "data": {
            "app_id": 000000000000000,
            "application": "Social Cafe",
            "expires_at": 1352419328,
            "is_valid": true,
            "issued_at": 1347235328,
            "scopes": [
                "email",
                "publish_actions"
            ],
            "user_id": 1207059
        }
    }

Note that the issued_at field is not returned for short-lived access tokens.

This will ensure that you have a valid token for a Facebook user that has been generated from your own secret key for that user, meaning that they have authenticated properly.
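The server-side check described in this answer, written out as an added example (it is not code from the original post, from the Android client, or from Facebook). It calls the real Graph endpoint https://graph.facebook.com/debug_token with the client's token as input_token and the server's own app access token as access_token, then applies the four checks the answer lists: is_valid, app_id equals our app id, expires_at in the future, and user_id equals the UID the client claimed. The fetch function is injectable so the checks can be run offline against a constructed response shaped like the documented one; the token strings, app id and the "expires_at of 0 means no expiry" handling are placeholders and assumptions of this example, not values from the page.

```python
"""Server-side verification of a Facebook access token submitted by a mobile client."""
import json
import time
import urllib.parse
import urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"


class TokenVerificationError(Exception):
    """Raised when the submitted token must not be trusted."""


def fetch_debug_token(input_token, app_access_token):
    """Live call: GET /debug_token?input_token=...&access_token=...

    app_access_token is the server's own app access token (or a developer's
    user token); the client's token is only ever passed as input_token.
    """
    query = urllib.parse.urlencode(
        {"input_token": input_token, "access_token": app_access_token}
    )
    with urllib.request.urlopen(f"{GRAPH_DEBUG_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def verify_facebook_token(input_token, claimed_user_id, our_app_id,
                          app_access_token, fetch=fetch_debug_token, now=None):
    """Return the verified Facebook user id, or raise TokenVerificationError.

    `fetch` is injectable so the checks can be exercised offline.
    """
    now = time.time() if now is None else now
    payload = fetch(input_token, app_access_token)
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict):
        raise TokenVerificationError("malformed debug_token response")

    # 1. Facebook itself must consider the token valid.
    if data.get("is_valid") is not True:
        raise TokenVerificationError("token is not valid")

    # 2. The token must have been issued to OUR app; a valid token from some
    #    other app is exactly the token-hijacking case the answer warns about.
    #    Compared as strings because the docs sample shows a number while live
    #    responses return a string.
    if str(data.get("app_id")) != str(our_app_id):
        raise TokenVerificationError("token was issued for a different app")

    # 3. The token must not have expired. An expires_at of 0 is treated here
    #    as "no expiry" (assumption of this example); anything else must lie
    #    in the future relative to the server's clock.
    expires_at = data.get("expires_at")
    if not isinstance(expires_at, int):
        raise TokenVerificationError("missing or malformed expires_at")
    if expires_at != 0 and expires_at <= now:
        raise TokenVerificationError("token has expired")

    # 4. The UID the client claims must match the token's owner, so a client
    #    cannot pair its own (valid) token with somebody else's user id.
    user_id = str(data.get("user_id", ""))
    if not user_id or user_id != str(claimed_user_id):
        raise TokenVerificationError("token does not belong to the claimed user")

    return user_id


# Constructed sample response in the documented shape; every value is made up.
SAMPLE_RESPONSE = {
    "data": {
        "app_id": "123456789012345",
        "application": "Social Cafe",
        "expires_at": 1352419328,
        "is_valid": True,
        "issued_at": 1347235328,
        "scopes": ["email", "publish_actions"],
        "user_id": "1207059",
    }
}


def demo():
    """Verify the constructed sample offline, at a clock inside its validity window."""
    fake_fetch = lambda input_token, app_access_token: SAMPLE_RESPONSE
    return verify_facebook_token(
        input_token="TOKEN-FROM-ANDROID-CLIENT",   # placeholder, not a real token
        claimed_user_id="1207059",
        our_app_id="123456789012345",              # placeholder app id
        app_access_token="APP-ACCESS-TOKEN",       # placeholder, kept server-side
        fetch=fake_fetch,
        now=1350000000,
    )


if __name__ == "__main__":
    print("verified Facebook user:", demo())
```

In production the only thing that changes is leaving `fetch` at its default so the live endpoint is queried; the app access token never leaves the server, and the client's token is accepted only after all four checks pass.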
