I need to verify that users on my iPhone app are actually logged in to my Facebook app. I'm able to verify their user id by retrieving it with their Access token: <blockquote> https://graph.facebook.com/me?fields=id&access_token=XXXXXXXXXXXXXXX </blockquote> The security issue I foresee is that, they can send me any valid access token, and it will return their user id. I need to also validate this token is for my specific app. Is there a way to return the Application ID in this request to validate that?

Facebook now provides support for debugging an Access Token. You can retrieve the information related to a particular Access Token by issuing a GET request to the <code>debug_token</code> connection. Something like: <pre class="prettyprint"><code>GET /debug_token? input_token={input-token}& access_token={access-token} </code></pre> Where, input-token: the access token you want to get information about and access-token: your app access token or a valid user access token from a developer of the app And this will return the following information: <pre class="prettyprint"><code>{ "data": { "app_id": 000000000000000, "application": "Social Cafe", "expires_at": 1352419328, "is_valid": true, "issued_at": 1347235328, "scopes": [ "email", "publish_actions" ], "user_id": 1207059 } } </code></pre> You can get more information about it in the Getting Info about Tokens and Debugging reference.

Verify Facebook Access Token for specific App

Tags:

authentication

facebook

api

I need to verify that users on my iPhone app are actually logged in to my Facebook app. I'm able to verify their user id by retrieving it with their Access token:

https://graph.facebook.com/me?fields=id&access_token=XXXXXXXXXXXXXXX

The security issue I foresee is that, they can send me any valid access token, and it will return their user id. I need to also validate this token is for my specific app. Is there a way to return the Application ID in this request to validate that?

476

asked Jan 27 '13 02:01

Eric Di Bari

1 Answers

Facebook now provides support for debugging an Access Token. You can retrieve the information related to a particular Access Token by issuing a GET request to the debug_token connection. Something like:

GET /debug_token?
     input_token={input-token}&
     access_token={access-token}

Where, input-token: the access token you want to get information about and access-token: your app access token or a valid user access token from a developer of the app

And this will return the following information:

{
        "data": {
            "app_id": 000000000000000, 
            "application": "Social Cafe", 
            "expires_at": 1352419328, 
            "is_valid": true, 
            "issued_at": 1347235328, 
            "scopes": [
                "email", 
                "publish_actions"
            ], 
            "user_id": 1207059
        }
    }

You can get more information about it in the Getting Info about Tokens and Debugging reference.

143

answered Nov 15 '22 18:11

Rahil Arora

Related questions
                            
                                Why is my Github-hosted site responding with HTTP 302 instead of 200?
                            
                                FB.getLoginStatus() called before calling FB.init()
                            
                                Official Facebook examples crashes (GraphApiSample)
                            
                                Transfer app from one Facebook developer account to another Facebook developer account
                            
                                How do you renew an expired Facebook access token?
                            
                                How do Facebook, Google and other large applications do their CSS and JavaScript files?
                            
                                Given URL is not allowed by the Application configuration
                            
                                How to get test coverage from Jest while testing React.js App?
                            
                                Trying to setup facebook login : you must have a valid contact email specified to make this app available to all users
                            
                                Can't use Facebook Account Kit: Error inflating class com.facebook.accountkit.ui.ConstrainedLinearLayout
                            
                                How do I can post a multiple photos via Facebook API
                            
                                With 'picture' in Facebook's Feed Dialog deprecated how can I post an image link?
                            
                                Hiding a toolbar element when UITableView scrolls (similar to Facebook's app?)
                            
                                How to get user name and email id for Facebook SDK?
                            
                                Facebook iframe not working in IE; session/login issue?
                            
                                facebook like button larger size
                            
                                Facebook SDK - FBSession: No AppID provided
                            
                                Associate a new Google or Facebook login with an existing account
                            
                                Post to a Facebook user's wall with cURL PHP
                            
                                Invalid redirect_uri: Given URL is not allowed by the Application configuration

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With