ChatGPT解决这个技术问题 Extra ChatGPT

Facebook access token server-side validation for iPhone app

I'm developing iPhone application, that is based on communication with server, and I want to use Facebook authentication mechanisms.

Basically, I think it should work like this:

In my iPhone app, user logs in to Facebook, using his email and password. User allows access to his data for related Facebook application. My iPhone app receives access token, after successful log in. In further communication with my server, my iPhone application should use the received Facebook access token (for example: in queries). When my server receives some query from iPhone app, with access token, it should ask Facebook that this token is valid (and for who), and if yes, server should assume that user is authenticated with Facebook.

My question is: how the server should ask Facebook if given access token is valid? I think I should somehow check if the token is valid for my Facebook app.

I've tried many Facebook queries to graph API, that I've found, but nothing worked as I expected. Can you provide me some example?

Unless the user has logged out of the app in FB, you can just send the auth token across to the server (ssl hopefuly). Does a simple query of "/me" via the graph api succeed or fail?
you will get message in response from facebook that your token is not valid :)
I'm trying to do something very similar to what you're doing. You never marked this question as answered, did you ever get this working?
What happens when the access_token expires ? should we ask user to login again ? i want to understand how to re validate again after token is expired
@debianmaster it depends on your app architecture. If you consider the case "no FB token - no access to the app", than yes, log out the user. Otherwise, you might consider an "unlink" logic, where user stays logged in, but the info, received from Facebook is detached from his account on the server/client.

r
rogerdpack

Here's a two step process you can use to validate that a user access token belongs to your App:

1) Generate an App Access token

(https://developers.facebook.com/docs/howtos/login/login-as-app/) 

https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID
&client_secret=YOUR_APP_SECRET
&grant_type=client_credentials

2) Debug the User Access token

(https://developers.facebook.com/docs/howtos/login/debugging-access-tokens/) 

https://graph.facebook.com/debug_token?
input_token=INPUT_TOKEN
&access_token=ACCESS_TOKEN

Where INPUT_TOKEN is the user access token you want to verify, and ACCESS_TOKEN is your app's token that you got from step 1.

The debug endpoint basically dumps all information about a token, so it'll respond with something like this: 

{
    data: {
        app_id: YOUR_APP_ID,
        is_valid: true,
        metadata: {
            sso: "iphone-safari"
        },
        application: YOUR_APP_NAMESPACE,
        user_id: USER_ID,
        issued_at: 1366236791,
        expires_at: 1371420791,
        scopes: [ ]
    }
}

If that token isn't from "your app" then it will return an error response.

According to Facebook, this is the correct way to inspect tokens. However, the first part is optional since you may use your app id and secret instead of an admin or app token.
@BrandonZacharie Don't see how you do this, I just tried with app id and secret and gave me error for "input_token parameter required"
@JohnnyZ the input token is required. The access token is where the flexibility is.
@BrandonZacharie You are right, I was getting input and access tokens confused. To use app id and secret I passed in this as a parameter with pipe as a delimiter:&access_token=APP_ID|APP_SECRET
The link above is now developers.facebook.com/docs/facebook-login/access-tokens/…
D
David Ortiz

Update: this answer seems insecure since it doesn't validate the token first as belonging to your app, see the comments, original answer as follows:

I assume that you already have the access token in hand. In such a case the simplest way to validate an access token is to issue the following request 

https://graph.facebook.com/me?fields=id&access_token=@accesstoken

Here replace @accesstoken with the access token you have. I will breakdown the url and will explain each.

We are issuing a graph api request here which will return the Facebook User Id of the owner of the access token as a JSON string. The keyword 'me' represents the currently logged in user or the owner of the access token. For this request access token is a mandatory parameter.

If the provided access token is not valid or expired Facebook will just return an error message of some sort.

For a valid access token the result will somehow look like this 

{
   "id": "ID_VALUE"
}
Wouldn't that request succeed if that user provided an access_token which belongs to a different app?
Any valid user access token can be used (no matter which app it belongs to)
@Xiquid this post is not the solution to the problem since it does not validate if the access token belongs to your application.
I don't understand why this answer has the most votes! It's OBVIOUSLY not the right solution. Actually, the correct approach is what "sebastian the crab" suggested. The debug_token endpoint is used to query information about the token itself and this way you can verify that the token belongs to a specific user ID for a specific app ID!
Yeah, this answer is not correct. If you verify the access token this way, someone can get an access token from a different application and use it to authenticate with yours.
C
Community

Another solution would be to use https://graph.facebook.com/app/?access_token=[user_access_token] as described by Get application id from user access token (or verify the source application for a token).

This appears to be an undocumented feature, but returns JSON containing the id of the app the token was generated for. If the token wasn't for your app, it returns a 400.

How can I get the ratings of other Facebook business. What I need to do for this?
F
Flimzy

In the latest version of facebook (2.2) you can do it this way:

https://developers.facebook.com/docs/graph-api/reference/v2.2/debug_token

Sample output: 

{
    "data": {
        "app_id": "THE APP ID", 
        "application": "APP NAME", 
        "expires_at": 1427245200, 
        "is_valid": true, 
        "scopes": [
        "public_profile", 
        "basic_info", 
        "read_stream", 
        "email", 
        "publish_actions", 
        "read_friendlists", 
        "user_birthday", 
        "user_hometown", 
        "user_location", 
        "user_likes", 
        "user_photos", 
        "user_videos", 
        "user_friends", 
        "user_posts"
        ], 
        "user_id": "THE USER ID"
    }
}
Does this mean that you'll have to call this fb endpoint on each request? Isn't there a beter way?
This works but it requires the access token. Access token can be generated using 'sebastian the crab' answer or we can simply use appid|appsecret. Fore more Info developers.facebook.com/docs/facebook-login/…
Here's an example use of this: stackoverflow.com/a/16947027/32453
B
Baptiste Costa 
private function facebookRequestMe($access_token)
{
    include_once "facebook.php";

    $facebook = new Facebook(array(
        "appId" => "your_application_id",
        "secret" => "your_application_secret"
    ));
    $facebook->setAccessToken($access_token);
    return $facebook->api("/me", "GET");
}

You can download the Facebook SDK for PHP from GitHub.

A
Andrew Magee

If a user has passed you a Facebook UID that they claim is theirs and you want to check if it's legit, this is a Python function that will verify it against their access token (an implementation of Robin Jome's answer): 

def verify_facebook_id(id, access_token):
    import requests
    import simplejson
    params = {'fields': 'id', 'access_token': access_token}
    text = requests.get("https://graph.facebook.com/me", params=params).text
    json = simplejson.loads(text)
    response_id = json["id"]
    return response_id == id
This doesn't validate that the token was generated "for your app" unfortunately...
K
Kamoris

This is the only secure method to verify user token using just one request: 

https://graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app_id}|{app_secret}

Note that a sign "|" in the above URL isn't used as OR but as separator and must be there after fill the other fields.

The response will be JSON looking like that: 

{
    data: {
        app_id: {app_id},
        application: {app_name},
        expires_at: {some_number},
        is_valid: {true|false}
        scopes: {array_of_permissions},
        user_id: {user_id}
    }
}

Reference: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens (above method is mentioned at the bottom of this section)

There is another secure way with one request: stackoverflow.com/a/36555287/32453
j
jcm

Along with an access token Facebook also sends an "expires_in" parameter, which is an offset value. Use that to compute for when the access token will expire as an NSDate. Then when you need to do a request compare the current date with the expiration date.

Also try to inspect the status codes and response strings Facebook sends back.

关注公众号,不定期副业成功案例分享
Follow WeChat

Success story sharing

Want to stay one step ahead of the latest teleworks?

Subscribe Now

HuntsBot,a one-stop outsourcing task, remote job, product ideas sharing and subscription platform, which supports DingTalk, Lark, WeCom, Email and Telegram robot subscription. The platform will push outsourcing task requirements, remote work opportunities, product ideas to every subscribed user with timely, stable and reliable.

简体中文 English

Platform

Support

Contact US

Any questions or suggestions during use, you can contact us in the following ways:

Email: huntsbot@xinbeitime.com

Copyright© 2022-2023 www.huntsbot.com 浙ICP备2022000860号-4 All Rights Reserved.