Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Get application id from user access token (or verify the source application for a token)

Tags:

facebook

oauth-2.0

facebook-oauth

facebook-c#-sdk

I found this question, which has an answer, but facebook changed the token format since then, now it is something like:

AAACEdEose0cBACgUMGMCRi9qVbqO3u7mdATQzg[more funny letters]ig8b3uss9WrhGZBYjr20rnJu263BAZDZD

In short, you cannot infer anything from it. I also found the access token debugger, which shows the information I am looking for if you paste a token in, which is nice, but does not help me do it programmatically.

Point is, if someone gets a token for a user, he can use it to access the graph, which is what I do in my application - I want to be sure that people are forwarding the token that was issued to them by my application, and not another.

My application flow is:

  1. Get access token from facebook (nothing special, in the way it is described in here , Server-side Flow. (also iPhone and android and used, but they have similar flows if I recall correctly))
    [device] <-> [facebook]
  2. With that access token, the device will access my application server with the token
    [device] <-> [Jonathan's application]
    At my server I attach the access token to the user and use that to give permissions to that user in my application. (using the facebook connect to authenticate users)


My application is secured, and the access done is also authenticated regardless of facebook, BUT! in this flow, the a weak link I identified is that I cannot authenticate for sure that the access token I got was signed for my application - I do not like it because I cache the tokens for offline use, I want to be 100% sure they are for my application, with my permissions.

So what will be the (best) way to authenticate that the token I got is related to my application (for relation to user, I use the token to access /me and see which user this token is for)

I do not need to decrypt the token (i guess its some sort of AES), I am just looking for an endpoint that will tell me the token matched my application id.

(EDIT: Using the C# SDK, if it matters.. But a graph/rest call to give that info is just as good as well :) )

like image 677
Jonathan Levison Avatar asked Nov 15 '11 18:11

Jonathan Levison

People also ask

What is the difference between access token and ID token?

Access tokens are what the OAuth client uses to make requests to an API. The access token is meant to be read and validated by the API. An ID token contains information about what happened when a user authenticated, and is intended to be read by the OAuth client.

How do I verify my Facebook access token?

You can simply request https://graph.facebook.com/me?access_token=xxxxxxxxxxxxxxxxx if you get an error, the token is invalid. If you get a JSON object with an id property then it is valid. Unfortunately this will only tell you if your token is valid, not if it came from your app.

What is a Facebook access token?

An access token is an opaque string that identifies a user, app, or Page and can be used by the app to make graph API calls. When someone connects with an app using Facebook Login and approves the request for permissions, the app obtains an access token that provides temporary, secure access to Facebook APIs.

4 Answers

https://graph.facebook.com/app/?access_token=[user_access_token]

This will return the app this token was generated for, you can compare that against your app's id.

like image 127
Daaniel Avatar answered Sep 28 '22 17:09

Daaniel

The official graph endpoint for inspecting access tokens is:

GET graph.facebook.com/debug_token?       input_token=[user_access_token]&       access_token=[app_token_or_admin_token]

Example response:

{     "data": {         "app_id": 138483919580948,          "application": "Social Cafe",          "expires_at": 1352419328,          "is_valid": true,          "issued_at": 1347235328,          "metadata": {             "sso": "iphone-safari"         },          "scopes": [             "email",              "publish_actions"         ],          "user_id": 1207059     } }

app_token_or_admin_token can be obtained using the Graph API call:

GET graph.facebook.com/oauth/access_token?      client_id={app-id}     &client_secret={app-secret}     &grant_type=client_credentials

The debug_token endpoint will fail if that user_access_token doesn't belong to the app that generated the app_token_or_admin_token.

Relevant facebook documentation:

  • Inspecting access tokens: https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/#checktoken

  • App Tokens: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens

like image 20
vially Avatar answered Sep 28 '22 19:09

vially

A documented way to ensure this is to use appsecret_proof.

GET graph.facebook.com/v2.5/me?access_token=[TOKEN]&appsecret_proof=[PROOF]

This verifies not only that it is a valid token, but also that the token belongs to the app. It also gets you user data in one go.

You can derive PROOF above in C# using this (from here):

public static string ComputeHmacSha256Hash(string valueToHash, string key)
{
    byte[] keyBytes = Encoding.ASCII.GetBytes(key); 
    byte[] valueBytes = Encoding.ASCII.GetBytes(valueToHash);
    byte[] tokenBytes = new HMACSHA256(keyBytes).ComputeHash(valueBytes);
    valueBytes = null;
    keyBytes = null; 

    StringBuilder token = new StringBuilder();
    foreach (byte b in tokenBytes)
    {
        token.AppendFormat("{0:x2}", b);
    }
    tokenBytes = null; 

    return token.ToString();
}

ComputeHmacSha256Hash(accessToken, appSecret);
like image 33
Nuno Cruces Avatar answered Sep 28 '22 17:09

Nuno Cruces

Why not to use official way of doing things? Here's the request from FB's own video about security.

Request: https://graph.facebook.com/debug_token?input_token={token-to-check}&access_token={app_id}|{app_secret}

Response: "data": { "app_id": {token-app-id}, "user_id": {token-user-id}, ... }

Link to an official video: https://www.facebook.com/FacebookforDevelopers/videos/10152795636318553/

I made a screenshot so that time is visible, and you can find more info if you are interested.

Facebook video screenshot

like image 29
Raimundas Sakalauskas Avatar answered Sep 28 '22 18:09

Raimundas Sakalauskas
Sign in to Comment

Related questions

Is it possible to generate a 'share on Facebook' link that opens the native Facebook App on Android/iOS/mobile instead of the web share dialog?
How to implement cursors for pagination in an api
How does Facebook add badge numbers on app icon in Android?
Facebook offline access step-by-step
Facebook debugger: why complaining about app_id missing
How do I check where my app is using IDFA
How to change facebook login button with my custom image
FBSDK Login Error Code: 308 in Objective-C
Open Graph validation for HTML5
Get username field in Facebook Graph API 2.0
Facebook like - showing cached version og:image, way to refresh or reindex it?
Given URL is not allowed by the Application configuration Facebook application error
Facebook Email field return null (even if the “email” permission is set and accepted)
How to recognize Facebook User-Agent
Turn omniauth facebook login into a popup
facebook Uncaught OAuthException: An active access token must be used to query information about the current user
Sharing URL to Facebook, Twitter and email in Android?
Facebook gives "Unsafe JavaScript attempt to access frame with URL" error in Chrome
Find Facebook SDK Version on iOS
Facebook Graph API GET request - Should contain "fields" parameter (Swift, Facebook SDK v4.5.1)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!