Tags: android, api, oauth-2.0, facebook-php-sdk, facebook-oauth

Authenticate credentials received from facebook on my own REST API


My team and I are working on a native mobile social network for Android that allows users to log in using Facebook. I've managed to implement the Facebook SDK for Android, but I'm struggling to figure out how to properly/securely authenticate a user who logs in using Facebook with the credentials received from Facebook alone. Currently, here is how my system works:

Step 1. From the Android client the user presses "Login with Facebook" and grants permissions to my app.

Step 2. Upon the user granting our permissions, Facebook sends us a response that includes the user's Facebook user id, email and a token (among other info, if this is the first time the user has logged in using Facebook).

Step 3. The info is sent up to our API for authentication.

And this is where I'm a bit unclear. How can I validate the Facebook credentials on my server?

As of now I'm just checking my DB for an existing user with the fb_uid and fb_email received, but anyone can get anyone's fb_uid, and it's not that much harder to find the email they used to sign up for Facebook, which means someone could hypothetically hack into another user's account with a faked HTTP request.


Solution

  • The access_token, if valid, will allow you to access some of the user's Facebook data that your app has requested permission to access. One way to validate that the credentials you are receiving are correct is to use that access_token to query Facebook.

    For example, this page suggests how to open up the access_token properties using a GET call:

    GET graph.facebook.com/debug_token?
     input_token={token-to-inspect}
     &access_token={app-token-or-admin-token}
    

    Which then returns:

    {
        "data": {
            "app_id": 138483919580948, 
            "application": "Social Cafe", 
            "expires_at": 1352419328, 
            "is_valid": true, 
            "issued_at": 1347235328, 
            "metadata": {
                "sso": "iphone-safari"
            }, 
            "scopes": [
                "email", 
                "publish_actions"
            ], 
            "user_id": 1207059
        }
    }
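The server-side check the answer describes, as an added example that is not part of the original answer: the API takes the token the Android client hands it, calls the debug_token endpoint with the app's own token, and accepts the login only if Facebook reports the token valid, issued to this app, unexpired and belonging to the claimed user. The app token value, the constructed sample response, and the function names are assumptions for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"


def fetch_debug_token(input_token, app_token):
    """Call the debug_token endpoint quoted in the answer with the client's
    token as input_token and our own app token as access_token."""
    query = urllib.parse.urlencode({"input_token": input_token, "access_token": app_token})
    with urllib.request.urlopen(f"{GRAPH_DEBUG_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def validate_debug_response(payload, expected_app_id, claimed_user_id, now=None):
    """Return (ok, reason). A token proves the login only if Facebook says it is
    valid, it was issued to *our* app (a valid token for some other app must not
    log anyone in here), it has not expired, and its user_id matches the fb_uid
    the client claimed. Comparing as strings avoids int/str mismatches."""
    now = time.time() if now is None else now
    data = payload.get("data")
    if not isinstance(data, dict):
        return False, "malformed response"
    if data.get("is_valid") is not True:
        return False, "token not valid"
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token issued to a different app"
    # Strict: a missing expires_at, or one in the past, is rejected.
    if data.get("expires_at", 0) <= now:
        return False, "token expired"
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "token belongs to a different user"
    return True, "ok"


def authenticate_facebook_login(fb_uid, fb_token, app_id, app_token):
    """Hypothetical API entry point: only fb_uid + a token that checks out counts."""
    payload = fetch_debug_token(fb_token, app_token)
    return validate_debug_response(payload, app_id, fb_uid)


# Constructed sample shaped like the debug_token response quoted in the answer.
SAMPLE = {"data": {"app_id": 138483919580948, "is_valid": True, "expires_at": 1352419328,
                   "issued_at": 1347235328, "user_id": 1207059, "scopes": ["email"]}}
```

Because the lookup is keyed on the token rather than on fb_uid or email, a forged request carrying only someone else's id and email fails at the "token not valid" or "different user" check.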