Question

I have the following use case

  1. My application on iOS is using the FaceBook iOS SDK to authenticate with FB
  2. The application then make a REST call over https to my server to register the FB account to their service account (the service I am offering)

In step 2 the client is sending the FaceBook UID.

My problem is that the server has no FB integration so has to reply on the client sending the right FaceBook UID.

So the problem is obvious, a hacker can attach someone else FaceBook account to their service account .

What I would like is for the server (Java) to be able to validate that the user who is sending the request owns the Facebook UID in question.

I have been searching online and cannot find anything that I think will work.

I came across a vague post about using the FB signedRequest field, this could be passed to the server to validate the user.

Any idea would be appreciated.

Was it helpful?

Solution

Here is a thought:

Once you authenticate the user in your iOS app, get the access_token, and pass only this in your REST call to your server.

On the server side, make a request to https://graph.facebook.com/me?access_token=... using the access_token that you transmitted. If the access token is valid, you will get all the the user's data proving that you have a valid, authenticated user.

If you wanted to be extra sure, you can also request http://graph.facebook.com/app?access_token=... to be sure that the access token was created by your app.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top