I am creating an Android app that uses Facebook SSO to log in and I'm not sure how to authenticate with my own web services after I log in to FB. When a user first opens my app they log in to Facebook, authorize my application some privileges, and continue into my app. This part works great, but now to use my app they need to create an account on my server and talk to my web services.
Right now I have a call to an authenticate web service on my server that adds their Facebook ID and other basic info into a database and at the same time does a Diffie–Hellman key exchange so any future calls to web services can be encrypted by a shared key. But the problem is that very first initial call to create this account and create this shared key: how do I authenticate that? How do I know this person is really the one who just authenticated with Facebook and not just someone who found the URL for my web service and is creating accounts and saving the keys?
The service checks to see who you are on Facebook and creates a new account for you. When you sign into that service in the future, it sees that you're signed in with the same Facebook account and gives you access to your account. You don't need to set up a new account or anything—Facebook authenticates you instead.
Facebook SSO returns an access token. If you'd like, you can pass that along to your server and your server can make a call to the Facebook APIs to check that it's a valid access token for that user (e.g. by calling https://graph.facebook.com/me?access_token=ACCESS_TOKEN) -- if it is, you're good and have verified that the user is who they say they are (or is a hacker with enough access to have a valid auth token for your app for Facebook, at which point their identity has been compromised on Facebook's end).
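Here is what that server-side check looks like in practice, as an added example (not the answerer's code, and not tied to any particular server framework): the account-creation endpoint takes only the access token, asks Graph whose token it is, and additionally calls the real `/debug_token` endpoint with an app token (`APP_ID|APP_SECRET`) to confirm the token was issued for *this* app rather than some other app the same user happens to use. The account is keyed on the Facebook ID Graph returns, never on an ID the client claims. `make_fake_graph` is a constructed stand-in for Graph responses so the code runs offline.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"


def graph_get(path, params):
    """Real HTTP call to the Graph API (used when no fake fetch is injected)."""
    url = f"{GRAPH}{path}?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_facebook_login(access_token, app_id, app_secret, fetch=graph_get):
    """Return the verified Facebook user ID for access_token, or None.

    Step 1 is the check from the answer above: /me with the client's token.
    Step 2 closes a gap /me alone leaves open: a token that is valid, but
    was minted for a different app, would still pass step 1.
    """
    me = fetch("/me", {"fields": "id", "access_token": access_token})
    if "error" in me or "id" not in me:
        return None  # expired, revoked or garbage token
    dbg = fetch("/debug_token", {"input_token": access_token,
                                 "access_token": f"{app_id}|{app_secret}"})
    data = dbg.get("data", {})
    if data.get("is_valid") is not True or data.get("app_id") != str(app_id):
        return None  # not a token Facebook issued for our app
    if data.get("user_id") != me["id"]:
        return None  # the two views of the token disagree; refuse
    return me["id"]  # safe to create/look up the account under this ID


def make_fake_graph(token_owner, token_app):
    """Constructed offline stand-in for Graph responses (not Facebook's real behaviour)."""
    def fetch(path, params):
        if path == "/me":
            tok = params["access_token"]
            if tok in token_owner:
                return {"id": token_owner[tok]}
            return {"error": {"message": "Invalid OAuth access token", "code": 190}}
        if path == "/debug_token":
            tok = params["input_token"]
            if tok not in token_owner:
                return {"data": {"is_valid": False}}
            return {"data": {"is_valid": True, "app_id": token_app[tok],
                             "user_id": token_owner[tok]}}
        raise ValueError(f"unexpected Graph path {path}")
    return fetch
```

Only after `verify_facebook_login` returns an ID should the server create the account and run the Diffie–Hellman exchange, binding the resulting key to that verified ID.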
I think you have to pass a password along with your basic info upon profile creation. All in all, the Facebook SSO only gives your client application the right to access the user profile, but it does not guarantee your web services that the caller is the actual owner of this FB account. I am afraid that subsequent calls from the Android client to the web service need to be authenticated via a normal username/password (different from the FB account) if you want to be sure that the caller is the one who retrieved the key the first time (no matter what Facebook profile he might be linked to).