Integrating facebook login in a desktop client-server application

Question

Situation

I have a desktop client application 'C' and a server application 'S', both written in C++, residing on different machines. They currently communicate via TCP. Sensitive user-specific data is stored on 'S'.

The current login flow is the following: the user enters their credentials in 'C', they are sent encrypted to 'S', 'S' compares them with the credentials it has in a special database 'D' for this user. If the credentials are valid, S gives the client the user-specific data. Otherwise, connection is refused. The registration of new users is via a centralized web server' that sends the credentials to 'S' and they are put in 'D'.

Problem

I want users of the client to be able to login via Facebook via a 'Login with Facebook' button on the current login screen (currently I have User and Pass only). I need only the login, no other integration. I will use the FacebookID number of the user as ID in the database D.

Solution

I read through the Facebook documentation and what they recommend is to embed a web browser in the client, open the special auth dialog passing your app ID and then listen to the URI change to get the access token from it (this is described at the end of the above documentation). This is exactly what I am planning to do. I already have a web browser embedded in the client. It will open the auth dialog there, listen to the URI change in the C++ code and get the access token from the URI. Then the client will send the access token to the server 'S'. 'S' will make a HTTP request to Facebook, passing the access token, and Facebook will respond with the personal data of the user. 'S' reads the FacebookID of the user and puts it in the user database 'D' if it's not already there. If it is already there, the client is given the sensitive user-specific data.

Alternative solutions

1. Use the local browser of the user's machine for opening the Facebook dialog instead of the embedded one (the user will feel more secure this way). Facebook will redirect the user's browser to the server 'S' passing the access token directly to it. In this case I have to make 'S' HTTP listener (put a C++ web server on it). The problem here is that Facebook allows the redirection to be only to predefined domains (enumerated in advance) and each time I want to test with a different server 'S' (quite often), I will have to enter it in the Facebook App control panel.
2. Use the current the current web server I mentioned in the beginning. I will redirect the user's local browser to that web server which will trigger server-side PHP logic for taking the user to the auth dialog, getting the access token and giving it to S which will get the FacebookID from it.

In Solutions 1 and 2 the client will also have to pass a ClientID so the Server can identify it when it tries to connect.

My question

Do you think my solution is good and secure enough compared to the other solutions? Is it secure to pass the access token from the client to the server? Do you see other potential issues with my solution?

Thanks in advance

Answer 1

To me, it looks like a good approach as long as you are using https (which you do state that you will) to communicate from C to S.

I would suggest making different applications for each of the S servers you would deal with. For instance, when I develop an app, I have three Facebook apps. One for my local box. One for the test environment and one for production. So then store the app ID in an environment dependent config file.

Also, instead of using the current username field for the Facebook user ID, create a new one. That way existing people can still log in with their current credentials and the ones who adopt the Facebook login easily do so. This also gives you a quick way to determine which type of credentials each user has setup, making for easier checking of their credentials.