Inspect a Facebook input token coming from a mobile app

Benjamin Durin

If you are developing an API for a mobile app, there is a chance that you will have to deal with Facebook login.

Usually the mobile app handles the communication with Facebook and passes the Facebook user ID to the API. The simplest approach would be to accept the ID as is, but that is a serious security risk: anyone could impersonate another user just by sending that user's ID.

To avoid this issue, the API has to verify that the ID really belongs to a user who authorized the app. The mobile app obtains the ID from Facebook together with an input token. Both are sent to the API, which can verify them directly with Facebook.

This is explained across two different pages of the Facebook documentation, and it is a long read.

To spare you that read: you only have to make one call from the server (app_id and app_secret are found in the Facebook app settings):

https://graph.facebook.com/debug_token?input_token=input_token&access_token=app_id|app_secret

This call returns the field is_valid set to true if the input token is valid, together with the user ID the token was issued for:

{
  "data": {
    "app_id": 138483919580948,
    "type": "USER",
    "application": "Social Cafe",
    "expires_at": 1352419328,
    "is_valid": true,
    "issued_at": 1347235328,
    "metadata": {
      "sso": "iphone-safari"
    },
    "scopes": [
      "email",
      "publish_actions"
    ],
    "user_id": "1207059"
  }
}

The API can now check that the user ID received from the mobile app matches the one returned by Facebook.
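The server-side check described above, written out as an added example (this is not the author's code). It builds the debug_token URL, parses the response and verifies, in order, that the token is valid, that it was issued for this app (data.app_id), that it is a user token that has not expired, and only then that user_id matches the ID the mobile app claimed. The HTTP fetch is injectable so the function can be exercised offline against the sample response shown above; the function and parameter names are my own.

```python
import json
import time
import urllib.parse
import urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"


def build_debug_token_url(input_token, app_id, app_secret):
    """Build the Graph API debug_token URL; urlencode escapes the '|' in the app token."""
    params = {
        "input_token": input_token,
        "access_token": f"{app_id}|{app_secret}",
    }
    return GRAPH_DEBUG_URL + "?" + urllib.parse.urlencode(params)


def fetch_json(url, timeout=10):
    """Default fetcher: real HTTPS call to the Graph API, decoded as JSON."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def verify_facebook_login(input_token, claimed_user_id, app_id, app_secret,
                          fetch=fetch_json, now=None):
    """Return (ok, reason). ok is True only when every check below passes."""
    now = time.time() if now is None else now
    try:
        body = fetch(build_debug_token_url(input_token, app_id, app_secret))
    except Exception as exc:  # network error, bad JSON, HTTP error
        return False, f"debug_token request failed: {exc}"

    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return False, "malformed response"

    # 1. Facebook's own verdict on the token.
    if data.get("is_valid") is not True:
        detail = data.get("error", {}).get("message", "no detail")
        return False, f"token is not valid: {detail}"

    # 2. The token must have been issued for *our* app, not some other app
    #    the same user happens to have authorized. app_id arrives as a number.
    if str(data.get("app_id")) != str(app_id):
        return False, "token was issued for another app"

    # 3. Only user tokens identify a person.
    if data.get("type") != "USER":
        return False, "not a user token"

    # 4. Expiry check; a missing or zero expires_at is treated as non-expiring
    #    (assumption about long-lived tokens, adjust to your policy).
    expires_at = data.get("expires_at") or 0
    if expires_at and expires_at <= now:
        return False, "token expired"

    # 5. Finally, the ID the mobile app sent must be the ID the token belongs to.
    if str(data.get("user_id")) != str(claimed_user_id):
        return False, "user_id mismatch"
    return True, "ok"


# Constructed fixture: the sample debug_token response from the post.
SAMPLE_RESPONSE = {
    "data": {
        "app_id": 138483919580948,
        "type": "USER",
        "application": "Social Cafe",
        "expires_at": 1352419328,
        "is_valid": True,
        "issued_at": 1347235328,
        "metadata": {"sso": "iphone-safari"},
        "scopes": ["email", "publish_actions"],
        "user_id": "1207059",
    }
}


def fake_fetch(url):
    """Offline fetcher that ignores the URL and returns the sample response."""
    return json.loads(json.dumps(SAMPLE_RESPONSE))


if __name__ == "__main__":
    # Clock fixed shortly after issued_at so the sample token is still live.
    print(verify_facebook_login("TOKEN_FROM_APP", "1207059", 138483919580948,
                                "APP_SECRET", fetch=fake_fetch, now=1347235400))
```

In production, call verify_facebook_login with the default fetcher and the real app secret loaded from configuration; the app secret must never ship inside the mobile app, which is why this call belongs on the server.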
