Facebook login - detect user logged in without PHP-SDK

Question

I've built custom login flow for facebook login according to https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/ ...

Is it enaugh to consider user as facebook-valid-user-logged-in if the access_token retrieval (Exchanging code for an access token) was successful (no GET error)?

Is facebook access_token something unique to the user and something that can only be "generated by the user"?

Or should I try to retrieve user info with that access_token and after successfully checking it(that it has information requested in permission e.g. email) then only after that consider him as facebook-valid-user-logged-in?

PS: I do not want to use Facebook PHP-SDK

Answer 1

If you have a requirement to not use an official SDK then I would say that you should validate the tokens you retrieve by querying /me.

This is the best way to make sure that you are dealing with a valid token as it is verified by Facebook when you use it for a request.

If the token you are using is not valid, you'll get a response similar to this:

{
  error: {
    message: "Invalid OAuth access token.",
    type: "OAuthException",
    code: 190
  }
}

User access tokens are unique per user and per application. Each application will return a different token for the same user.

Application access tokens are unique per application and do not require any requests to Facebook in order to retrieve them - they are just a concatenation between the app_id and app_secret: app_id|app_secret as mentioned in the documentation:

There is another method to make calls to the Graph API that doesn't require using a generated app token. You can just pass your app id and app secret as the access_token parameter when you make a call:

http://graph.facebook.com/endpoint?key=value&access_token=app_id|app_secret

The choice to use a generated access token vs. this method depends on where you hide your app secret.