Shared Facebook Access Token between Website and Mobile Application

I would like a Web site (Rails 3.1 with Devise and Omniauth) and a mobile application (iOS5) to share authentication. By this I mean I would like a user to be able to SSI to the site with Facebook, or SSI to the mobile application and have the mobile application talk to the website's API using the user's credentials to authenticate to the website.

I currently have the web side working nicely with a User being able to SSI to an account. I also have the mobile application working, supporting user SSI. Both are using the same Facebook application.

My problem is finding something shared between the two that I can use for the Mobile application to authenticate against the site. Obviously both have access to the same user ID, but this doesn't seem very secure. My mobile application has an Access Token, but this differs from the website's access token, though they look similar, and my mobile access token expires while my web access token does not.

Web/Rails Token (Not real):

DDDAKnu1dg40BDHEWN0VDssxs8GGF8ZBEEOb38HnS0IUEQC1NSufmPCcGeFkTuw39ZDl7OhlZBD2jwJEqXdAZCtZBflJRQKZB4ZA

Mobile/iOS Token (Not real):

BDDAKnu1dg40BDEo3YjZD2hIwjfZB4slXJj3fmHfzLh5q1xZD0ShfJCb6PMjnApkpM0FTuGGvWnzZBQy4GZCMuysEEqhMz8YgruD53TXKTZC0GPFkfVe0b6fe8wieLLOZDDZA

Using Facebook's access token debugger I get the following (everything removed is identical between tokens):

For Web/Rails Token:

App ID:   XXXXXXXXXXXXXXXX : SomeAppName
User ID:  XXXXXXXX : My Name
Issued:   1327507734 : 8:08 am Jan 25 2012
Expires:  Never
Valid:    True
Origin:   Web
Scopes:   email offline_access

For Mobile/iOS:

App ID:   XXXXXXXXXXXXXXXX : SomeAppName
Metadata: {"sso":"iphone-safari"}
User ID:  XXXXXXXX : My Name
Issued:   1327507734 : 8:08 am Jan 25 2012
Expires:  Never
Valid:    True
Origin:   Native Mobile
Scopes:   email offline_access
asked Mar 01 '12 09:03 by Undistraction



1 Answer

Just for the record, the way I have ended up handling this is to pass the mobile token to the server and have the server check the token's authenticity. Once this is confirmed I can then authenticate against my records using uid and email.

answered Sep 25 '22 19:09 by Undistraction
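The server-side check the answer describes, written out as an added example (this is not the poster's code and not part of the Rails app on the page). The call goes to the Graph API's real `debug_token` endpoint, authenticated with the app access token in its `APP_ID|APP_SECRET` form so only the server, which holds the secret, can ask; the client's own claim of its uid is never used for the lookup. Two checks matter beyond "is it valid": the token must have been issued to our app ID (any other Facebook app's token for the same person is also "valid" and names the same user, which is why the bare user ID in the question is not a credential), and a token with an expiry must not be past it. `FacebookTokenVerifier`, `authenticate_mobile`, the `LOCAL_USERS` stand-in for the User table, and all app, user and token values below are assumptions constructed for the example; the HTTP call is injectable so the logic runs offline against those constructed responses.

```ruby
require "json"
require "net/http"
require "uri"
require "cgi"

# Added example (not the original poster's code): server-side check of a
# Facebook access token handed up by the mobile app. It asks the Graph API
# debug_token endpoint, authenticating with the *app* access token
# ("APP_ID|APP_SECRET", never shipped to the client), and trusts only what
# Facebook reports: is_valid, app_id and user_id. A token minted for some
# other Facebook app is rejected even though it is "valid" for that app.
class FacebookTokenVerifier
  GRAPH = "https://graph.facebook.com"

  # `fetch` takes a URL and returns the response body; injectable so the
  # logic can run offline against constructed responses (see below).
  def initialize(app_id:, app_secret:, fetch: nil)
    @app_id = app_id.to_s
    @app_token = "#{app_id}|#{app_secret}"
    @fetch = fetch || method(:http_get)
  end

  # Returns [facebook_user_id, nil] on success or [nil, reason] on failure.
  def verify(input_token, now: Time.now.to_i)
    url = "#{GRAPH}/debug_token?input_token=#{CGI.escape(input_token)}" \
          "&access_token=#{CGI.escape(@app_token)}"
    body = JSON.parse(@fetch.call(url))
    data = body.is_a?(Hash) ? body["data"] : nil
    return [nil, "malformed debug_token response"] unless data.is_a?(Hash)
    unless data["is_valid"] == true
      return [nil, "token invalid: #{data.dig("error", "message") || "unknown"}"]
    end
    return [nil, "token issued for another app"] unless data["app_id"].to_s == @app_id
    # Assumption: expires_at of 0 means "never" (as with the offline_access tokens above).
    exp = data["expires_at"].to_i
    return [nil, "token expired"] if exp != 0 && exp <= now
    uid = data["user_id"].to_s
    return [nil, "token carries no user_id"] if uid.empty?
    [uid, nil]
  rescue JSON::ParserError
    [nil, "malformed debug_token response"]
  end

  private

  def http_get(url)
    Net::HTTP.get(URI(url))
  end
end

# Constructed sample debug_token responses keyed by input token, in the shape
# the Graph API returns (app ids, user ids and tokens here are made up).
SAMPLE_RESPONSES = {
  "good-token" => { "data" => { "app_id" => "1234567890", "application" => "SomeAppName",
                                "is_valid" => true, "user_id" => "100000001",
                                "expires_at" => 0, "scopes" => %w[email offline_access] } },
  "other-app-token" => { "data" => { "app_id" => "9999999999", "application" => "OtherApp",
                                     "is_valid" => true, "user_id" => "100000001",
                                     "expires_at" => 0, "scopes" => %w[email] } },
  "expired-token" => { "data" => { "app_id" => "1234567890", "is_valid" => true,
                                   "user_id" => "100000001", "expires_at" => 1327507734 } },
  "revoked-token" => { "data" => { "error" => { "code" => 190, "message" => "Invalid OAuth access token." },
                                   "is_valid" => false, "scopes" => [] } },
}.freeze

# Offline stand-in for the HTTP call: looks the input_token up in the table.
OFFLINE_FETCH = lambda do |url|
  token = CGI.parse(URI(url).query)["input_token"].first
  JSON.generate(SAMPLE_RESPONSES.fetch(token) { { "data" => { "is_valid" => false } } })
end

# Hypothetical stand-in for the Rails User table (User.find_by(uid: ...)).
LOCAL_USERS = { "100000001" => { id: 42, email: "someone@example.com" } }.freeze

# What the API's login action would do: verify, then look up the local account
# by the Facebook-reported uid. Returns [user, nil] or [nil, reason].
def authenticate_mobile(verifier, token, users: LOCAL_USERS, now: Time.now.to_i)
  uid, err = verifier.verify(token, now: now)
  return [nil, err] unless uid
  user = users[uid]
  return [nil, "no local account for facebook uid #{uid}"] unless user
  [user, nil]
end

if __FILE__ == $PROGRAM_NAME
  v = FacebookTokenVerifier.new(app_id: "1234567890", app_secret: "not-a-real-secret",
                                fetch: OFFLINE_FETCH)
  %w[good-token other-app-token expired-token revoked-token].each do |t|
    user, err = authenticate_mobile(v, t, now: 1_330_000_000)
    puts "#{t}: #{user ? "user #{user[:id]}" : err}"
  end
end
```

The `debug_token` response does not carry the email, so the email comparison the answer mentions would need a separate `/me?fields=email` call made with the user's token after this check passes; matching on the uid Facebook reports is the part that actually binds the token to the local account.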