We're using the Facebook JS SDK to authenticate users to our application, then sending that information to the server back end to log our user into the application (we support multiple forms of authentication but we can only support FB using a client side flow).
FB is able to log in correctly, I'm able to authenticate the user and everything else, but there's one wrinkle that I'm not sure how to handle, and I'm having difficulty finding anything in the documentation about it. Facebook sends back an accessToken in addition to an id. My question is, how do I verify on the server side that the accessToken is correct for the given id? I want to make sure that the data the user sends us matches what Facebook sent them, and I can't imagine this is that out of the ordinary, yet I can't seem to find any documentation on it.
In the response from Facebook should be a signed_request string that can authenticate that the data is genuine with and decoded to yield the user id and an oauth token for the user.
Passing this along with the other response to your server-side code should allow you to validate everything pretty easily.
May I suggest this answer from another question! It uses try-catch. It is probably the only way to verify that the authentication and the permissions are valid! That's how they do in their examples
Facebook OAuthException: (#1)
I dont think facebook provides any other way of checking
I have successfully installed the Facebook registration plugin on my website, but I'm left with some unanswered question.
After a user is authenticated through Facebook, should I just be storing the UID from Facebook in my database to correlate records in my application with the Facebook user?
If I understand correctly, Facebook should send back an "Access Token" what exactly should be done with this? Should each required page in an application be checking this access token some how to verify the user is authenticated instead of calling something like FB.getSession each time you want to validate the user is still logged in?
If a user registers through the Facebook registration without a Facebook Account, and returns is it completely up to me to handle the authentication and storage of the username and password or dose Facebook still interject here?
Where and What is the App Secret used for?
Facebook is said to return a "Signed Request". Is this separate from the data that is returned? Dose each request back from Facebook need to have the Signed request verified?
I have more questions coming, but I'll start with these for now.
Yes.
The oauth_token can be used to make a request to the API once they give permission to your app.
I haven't used this tool to save passwords but the registration flow can be found here
The signed_request parameter is signed using your application secret which is only known by you and Facebook to make sure that the data you're receiving is the actual data sent by Facebook.
The data Facebook returns is the signed_request and it is an encoded JSON string. You can't decode it without your app secret. You verify return data by decoding the signed_request.
I hope my question doesnt sound stupid, But i really want to know this..
Is signed_request an alternative to access_code?
If so, How do i receive the signed_request for desktop clients?
I mean flow that i follow in my desktop client is:
Call https://www.facebook.com/dialog/oauth?client_id=xxxx&redirect_uri=https://www.facebook.com/connect/login_success.html&response_type=token&scope=publish_stream
Take the access_token returned from (1) and fetch user information.
So will 1. and 2. be merged in a single request call to signed_request which says it will give the JSON object of user information in it.
How to make this call to get signed_request for desktop clients?
Two problems with your theory here:
In order to get a valid access_token within the signed_request, you'll still need to authenticate and request permission from a user, so in that case it's probably simpler to use the authentication flow fully rather than trying to parse the signed_request.
As stated in the Signed Request docs you will not receive any signed_request if you are building a desktop/device app.
Is it possible to decrypt Facebook's new OAuth 2.0 access_token ?
I need to somehow get user_id and app_id from the access_token.
PS:
I need to get the user_id and app_id ONLY from the access_token as Facebook Linter used to do.
As others have already pointed out, the access_token is a unique random string, so it cannot be decrypted as such. Also, we all know that the user_id and app_id are prerequesites to generate the token in the first place.
However, let's assume you stored your token(s) in a database and lost the associated user_id and app_id. In that case, it is a valid question on how to retrieve them having only the token at hand. If your token is still valid, this is possible. If it is expired, you're out of luck.
To retrieve the user_id, make a call to:
https://graph.facebook.com/me?fields=id&access_token=xxx
To retrieve the app_id, make a call to:
https://graph.facebook.com/app?fields=id&access_token=xxx
In both cases, the associated id's will be part of the JSON response, regardless of the access_token being an encrypted or unencrypted one.
Let's illustrate this with an example. Let's assume Mark Zuckerberg uses the Graph API Explorer to generate an access_token. Calling the /me endpoint gives you:
{
"id": "68310606562"
}
and calling the /app endpoint gives you:
{
"id": "145634995501895"
}
The ids you were looking for are part of the response.
Please note that this does not work with the access_token shown on https://developers.facebook.com/apps (not sure if this is a Facebook mistake or intentional). Please use the access_token that your app receives via OAuth.
If the access token is in the encrypted format, there's no programmatic way to determine the User ID and App ID.
I struggle to think of a legitimate way you could have come across an access token without already having those two pieces of information since presumably you know your own App ID and the User ID you stored the access token against.
Nevertheless, assuming there's a legitimate use-case for this:
a call to /me?fields=id will return the user ID and/or you can use the debug tool at https://developers.facebook.com/tools/debug to debug the other properties of the access token
Generally you use the access_token to access other data from your application. So for example, your application would authenticate the user then use the access token to access other functions in FB's API, such as the graph:
https://graph.facebook.com/me?access_token=<access_token>
There is no public way of decrypting an access token to get the user id and app id. This is also very likely a massive breach of Facebook policy.
To get an access token in the first place you have to have access to the user and the app id anyway so you shouldn't need to do this. If you don't actually have access to the user or the app id then my guess would be you probably shouldn't even have their access token and have probably obtained it 'illegally'...
This is actually a very simple task, if you look closely at the access token itself. It consists of 3 segments, separated by a pipe character, |:
APP_ID|SOME_STUFF.NUMBER-USERID|SOME_MORE_STUFF
I'm not sure what SOME_STUFF, NUMBER, and SOME_MORE_STUFF are; presumably timestamps, signatures, or other encoded data that facebook uses to keep track of the access_token's validity and so on.
Unless you've obtained the acces_token in question by fowl means, I don't see a problem with being able to access the APP_ID and USER_ID from them (and neither does Facebook, apparently). So all I'll say on that is be responsible :)
The other thing to keep in mind is that this isn't a standard or anything, and is subject to change. So, watch out for that, too.
you don't have to decrypt accesstoken
As far as AppID is concerned,you should get it from facebook whn you make an app there,its your id to connect to facebook.
facebook sends the userId along with accesstoken..
just check your cookies in browser or in oauth case check entire string returned when request for acess token.
Are you sure you're talking about the Access Token here and not the signed request?
When you're Facebook Application is loaded you have a signed request object, which has the information I believe you are looking for (however if the user has not authorized your application their user ID will not be in the signed request, Facebook security)
The only way currently available is to use to Facebook Access Token Lint Tool.
You can consider to automate the process.
In old API the init function required path to xdreceiver and now i see it disapeared from docs.
I thought the xdreceiver is for seting cookies in your domain from facebook, but how it's working now?
Assuming your talking about an external or iframe Facebook application then Facebook uses the OAuth2.0 system and stores a cookie on your server of the form fbs_APPID where APPID is obviously the application id of your connect/canvas application.
Inside this cookie there is an access_token which is used to by both the old rest API and the new graph API to make requests on behalf of the user. This means the xdreceiver file is no longer required.
See the Facebook Developers article on authentication in OAuth2.0 here
Canvas applications can also take advantage of a new experimental signed request in order to receive the access_token.
That file is not required anymore. My understanding is that they store cookies on their side in database somewhere and then emulate cookie headers when sending HTTP requests to your app, so to your application it seems like regular cookies from a browser.
You can read briefly about cookies here, couldn't find anything better.
EDIT
Seeing BeRecursive's answer, I want to clarify that I was talking about cookies that you manually set from your canvas app. Maybe it's not what you asked about.