C# help required to Create Facebook AppSecret_Proof HMACSHA256

Question

Facebook requires that I create a appsecret_proof: https://developers.facebook.com/docs/graph-api/securing-requests

And I have done this using the following code:

public string FaceBookSecret(string content, string key)
{
        var encoding = new System.Text.ASCIIEncoding();
        byte[] keyByte = encoding.GetBytes(key);
        byte[] messageBytes = encoding.GetBytes(content);
        using (var hmacsha256 = new HMACSHA256(keyByte))
        {
            byte[] hashmessage = hmacsha256.ComputeHash(messageBytes);
            return Convert.ToBase64String(hashmessage);
        }
}

Everything looks fine for me, however facebook says that the appsecret_proof is invalid. I am logged in, I can do everything as normal when i remove the key. So to save some time:

• Yes I am posting to the correct URL
• Yes I am passing a valid access_token
• Yes I am using the same access_token in the proof, as i am in the request
• Yes my appsecret is fine, and works

Example in usage

dynamic results = client.Post("/" + model.PostAsId + "/feed", new { message = model.Message, appsecret_proof = FaceBookSecret(postAs.AuthToken, AppSecret) });

I think it probably has something to do with encoding or something along them lines, but to be honest, I just dont know.

I am also using the Facebook .net SDK however this does not have much in documentation, and does not seem to strike on anything to do with automation, server side operations etc.

Thanks

Answer 1

The app secret is a base-16 string, so you need to convert that to a byte array. Take a look at How can I convert a hex string to a byte array? for details on how to do this. The access_token needs to be converted to a byte array using the ASCII encoding. Once you've generated the HMAC then encode this as a base-16 string to use as your appsecret_proof. The following code will convert a byte array to base16.

public static class Base16
{
    private static readonly char[] encoding;

    static Base16()
    {
        encoding = new char[16]
        {
            '0', '1', '2', '3', '4', '5', '6', '7',
            '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
        };
    }

    public static string Encode(byte[] data)
    {
        char[] text = new char[data.Length * 2];

        for (int i = 0, j = 0; i < data.Length; i++)
        {
            text[j++] = encoding[data[i] >> 4];
            text[j++] = encoding[data[i] & 0xf];
        }

        return new string(text);
    }
}

The code to generate the appsecret_proof would then be

private string GenerateAppSecretProof(string accessToken, string appSecret)
{
    byte[] key = Base16.Decode(appSecret);
    byte[] hash;
    using (HMAC hmacAlg = new HMACSHA1(key))
    {
        hash = hmacAlg.ComputeHash(Encoding.ASCII.GetBytes(accessToken));
    }
    return Base16.Encode(hash);
}

Facebook seems to accept either a SHA256 HMAC or SHA1 HMAC.

Answer 2

I have used the below successfully with Facebook

using System.Security.Cryptography;
using System.Text;

internal static string FaceBookSecret(string content, string key)
{
    byte[] keyBytes = Encoding.UTF8.GetBytes(key);
    byte[] messageBytes = Encoding.UTF8.GetBytes(content);
    byte[] hash;
    using (HMACSHA256 hmacsha256 = new HMACSHA256(keyBytes))
    {
        hash = hmacsha256.ComputeHash(messageBytes);
    }

    StringBuilder sbHash = new StringBuilder();
    for (int i = 0; i < hash.Length; i++)
    {
        sbHash.Append(hash[i].ToString("x2"));
    }
    return sbHash.ToString();
}