Is using the Facebook access token a secure way to validate a user?

On my app the user can sign in to Facebook and the app then has the user's access token (say it's 'abc'). I want to use this token to create a user on my own server.

Is it safe to send this access token to my server (using SSL), then get the user's username and ID using https://graph.facebook.com/me?access_token=abc on my server and check that the application the token belongs to is mine with https://graph.facebook.com/app?access_token=abc? If it is my application I then store the user in my user's database and/or log them in.

Can this system be fooled? Can you think of a way someone could log in as someone else?

Timm asked Oct 27 '25 07:10
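The check the question describes, as an added example that is not part of the original post: call `/me` to learn which user the token belongs to, call `/app` to learn which application issued it, and accept the token only when that application is ours. The HTTP layer is injectable so the logic runs offline here; `MY_APP_ID` is a placeholder and the Graph API responses used in the demonstration are constructed sample data, not captured traffic.

```python
"""Server-side validation of a Facebook user access token (added example)."""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlencode
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"
MY_APP_ID = "123456789012345"  # placeholder: the id of *your* Facebook app


def fetch_json(url):
    """Default fetcher: GET over HTTPS and decode the JSON body.

    The Graph API returns error details (e.g. an expired token, code 190)
    in the body of a 4xx response, so that body is returned rather than raised.
    """
    try:
        with urlopen(url, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as e:
        return json.loads(e.read().decode("utf-8"))


def verify_facebook_token(token, my_app_id=MY_APP_ID, fetch=fetch_json):
    """Return the Facebook user id the token was issued for, or raise ValueError.

    A token that is valid but belongs to a *different* application is rejected:
    without that check, any third-party app the victim has authorised could
    present its own token for the victim and be logged in as them here.
    """
    query = urlencode({"access_token": token})
    me = fetch(f"{GRAPH}/me?{query}")
    app = fetch(f"{GRAPH}/app?{query}")
    for body in (me, app):
        if "error" in body:
            raise ValueError(f"Graph API error: {body['error'].get('message', body['error'])}")
    if str(app.get("id")) != str(my_app_id):
        raise ValueError("token was issued to another application")
    user_id = me.get("id")
    if not user_id:
        raise ValueError("no user id in /me response")
    # Bind the account to the numeric id, never to the display name or email.
    return str(user_id)


# Constructed sample responses, keyed by token then path, standing in for the Graph API.
SAMPLE_RESPONSES = {
    "abc": {  # token issued to our app for user 100001
        "/me": {"id": "100001", "name": "Alice Example"},
        "/app": {"id": MY_APP_ID, "name": "My App"},
    },
    "other-app": {  # valid token for the same user, but issued to someone else's app
        "/me": {"id": "100001", "name": "Alice Example"},
        "/app": {"id": "999999999999999", "name": "Other App"},
    },
    "expired": {  # what an expired token looks like: an error object on both calls
        "/me": {"error": {"message": "Error validating access token: Session has expired", "code": 190}},
        "/app": {"error": {"message": "Error validating access token: Session has expired", "code": 190}},
    },
}


def fake_fetch(url):
    """Offline fetcher that serves SAMPLE_RESPONSES instead of calling Facebook."""
    path, _, query = url[len(GRAPH):].partition("?")
    token = dict(parse_qsl(query))["access_token"]
    return SAMPLE_RESPONSES[token][path]


def classify(token, fetch=fake_fetch):
    """Return 'user:<id>' for an accepted token, or 'rejected: <reason>'."""
    try:
        return "user:" + verify_facebook_token(token, fetch=fetch)
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    for t in ("abc", "other-app", "expired"):
        print(t, "->", classify(t))
```

The "other-app" case is the substitution the question is asking about: the token is genuine and `/me` happily returns Alice, so a server that skips the application check would log the caller in as Alice. Keying accounts by the numeric `id` rather than name or email matters for the same reason. A more direct alternative to the `/app` call, beyond what the post describes, is Facebook's `/debug_token` endpoint, which reports the issuing app id, the user id and the expiry in one response when queried with an app access token.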


2 Answers

You should check out all of the Authentication documentation and the OAuth spec to see the different auth flows available.

Broadly speaking, you can create a user on your server based on the access token, and be reasonably certain that when you get an access token from Facebook for the same user ID that it's the same person.

If you require very high security for the app you can take steps to ensure the user's access token wasn't produced via malware or the Facebook user being tricked; there's an example showing protection against CSRF in the Server Side Authentication documentation, and there's also a reauthentication flow you can use.

Igy answered Oct 29 '25 08:10


I assume that you are using the Facebook SDK for this; if so, the Facebook SDK takes care of the security for you and you don't have to worry about a thing. Supposing that you are accessing the API without the SDK, then there are some things that must be noted:

1) Auth tokens expire frequently (Facebook has taken great pains to ensure that the user is protected).

2) Making a request with just the auth token is not enough; there are some other parameters that are needed that can't be faked, especially if you are doing this server side, since an extra layer is added that FB calls server flow authentication.

3) On top of that there are a lot of permissions in place that the user has to grant in order for an application to access some data. The link below provides a nice article on authentication you can take a look at:

https://developers.facebook.com/docs/authentication/

So long story short it is safe.

Akshat Jiwan Sharma answered Oct 29 '25 09:10


