If you are developing an API for a mobile app, there is a chance that you will have to deal with Facebook login.
Usually the mobile app handles the communication with Facebook itself and then passes the Facebook user ID to the API. The simplest approach would be to accept that ID as is, but it is a serious security risk: anyone who knows or guesses another user's ID could impersonate that user just by sending it.
To avoid this, the API has to verify that the ID really is authorized for your app. The flow starts with the mobile app getting the user ID from Facebook together with an access token (the "input token" of the verification call). Both are sent to the API, which verifies them directly with Facebook instead of trusting the app.
This is spread across two different pages of the Facebook documentation, and it's a long read:
- https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
- https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens
To spare you the long read: you only have to make one call from the server. app_id and app_secret are found in the Facebook app settings; the app secret must stay on the server and never be shipped inside the mobile app, and the call must go over HTTPS:
https://graph.facebook.com/debug_token?input_token=<input_token>&access_token=<app_id>|<app_secret>
This call returns the field is_valid set to true if the input token is valid, together with the app the token was issued for, its expiry, and the user ID bound to that input token:
    {
      "data": {
        "app_id": 138483919580948,
        "type": "USER",
        "application": "Social Cafe",
        "expires_at": 1352419328,
        "is_valid": true,
        "issued_at": 1347235328,
        "metadata": { "sso": "iphone-safari" },
        "scopes": [ "email", "publish_actions" ],
        "user_id": "1207059"
      }
    }
The API can now check that the user ID received from the mobile app is the one returned by Facebook. Do not stop at is_valid: a valid token issued to a different Facebook app would also pass that check, so also compare the returned app_id with your own app ID, and reject tokens whose expires_at is already in the past. Only when all of these match should the request be treated as coming from that user.
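The whole check as one server-side function, as an added example rather than code from the original post. It assumes the API receives the claimed user ID and the input token from the mobile app, that APP_ID and APP_SECRET come from the Facebook app settings and live only on the server, and it takes a hypothetical injectable `fetch` argument so the logic can be exercised offline against a constructed copy of the response shown above.

```python
"""Verify a Facebook login server-side with the /debug_token endpoint.

Added example (not the post's own code). Assumptions: `fetch` is a
hypothetical injectable HTTP function defaulting to a real urllib call;
SAMPLE_RESPONSE is a constructed copy of the documented response so the
check can run offline.
"""
import json
import time
import urllib.parse
import urllib.request

GRAPH = "https://graph.facebook.com"

# Constructed sample mirroring the documented /debug_token response.
SAMPLE_RESPONSE = {
    "data": {
        "app_id": 138483919580948,
        "type": "USER",
        "application": "Social Cafe",
        "expires_at": 1352419328,
        "is_valid": True,
        "issued_at": 1347235328,
        "metadata": {"sso": "iphone-safari"},
        "scopes": ["email", "publish_actions"],
        "user_id": "1207059",
    }
}


def debug_token_url(input_token, app_id, app_secret):
    # The app access token is literally "app_id|app_secret"; urlencode it so
    # the '|' (and anything odd in the user token) survives the query string.
    query = urllib.parse.urlencode({
        "input_token": input_token,
        "access_token": f"{app_id}|{app_secret}",
    })
    return f"{GRAPH}/debug_token?{query}"


def fetch_json(url, timeout=5):
    # Real network call over HTTPS; used only when no fetcher is injected.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def sample_fetch(url):
    # Offline stand-in for fetch_json returning the constructed response.
    return SAMPLE_RESPONSE


def verify_facebook_login(claimed_user_id, input_token, app_id, app_secret,
                          fetch=fetch_json, now=None):
    """Return (ok, reason); ok is True only if every check passes."""
    now = time.time() if now is None else now
    if not input_token or not claimed_user_id:
        return False, "missing token or user id"
    payload = fetch(debug_token_url(input_token, app_id, app_secret))
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict):
        return False, "malformed debug_token response"
    if "error" in data or data.get("is_valid") is not True:
        return False, "token is not valid"
    # A valid token issued for *another* app must not log anyone in here.
    if str(data.get("app_id")) != str(app_id):
        return False, "token was issued for a different app"
    if data.get("type") != "USER":
        return False, "not a user token"
    # expires_at of 0 means a non-expiring token; anything else is a deadline.
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:
        return False, "token has expired"
    # The ID the app claimed must be the one Facebook bound to the token.
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "user id does not match token"
    return True, "ok"


if __name__ == "__main__":
    # Offline run against the constructed response; swap in fetch_json
    # (the default) to call graph.facebook.com for real.
    print(verify_facebook_login("1207059", "user-token-from-app",
                                138483919580948, "app-secret",
                                fetch=sample_fetch, now=1347235328 + 60))
```

String-compare the IDs: Facebook returns app_id as a number and user_id as a string, and your config may hold either, so normalising both sides avoids a false mismatch. Compare user IDs only after the app ID check, so an attacker cannot learn anything about a token from which check rejected it.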