Facebook login confirmation and server side confirmation

Question

Facebook login confirmation and server side confirmation

I am working on a mobile application that has built-in Facebook login (using sbk android sdk). I also have a server on which there are some rest endpoints that I would like to protect. I searched for several days trying to find a better solution (reading articles on dev: https://developers.facebook.com/docs/facebook-login/security , other stackoverflow posts), but I'm not quite sure what is the best solution.

I currently have the following setting:

The user is registered in the application using Facebook (mobile Android-sdk).
When requesting a resource from the resting endpoint, the token will be added as a header.
On the server side, I check the token using the fb debug_token endpoint ( https://developers.facebook.com/docs/graph-api/reference/v2.5/debug_token )
If the check is successful, I authorize that my rest resource be “called out”

As you can see, I will have my own request on Facebook (server side) for each request I receive. Is there a better way to solve this problem?

Thanks in advance!

+5

android security rest facebook facebook-graph-api

Jdruwe Oct 08 '15 at 19:10

source share

1 answer

Rémy noel · Answer 1 · 2015-10-28T17:22:04+0000

Facebook uses OAuth, and with this protocol you should have an expiration time attribute associated with the token in the headers or response tag.

Thus, you can store it wherever you want the tuple (token, expiry token) to frequently change the request to facebook.

In fact, you should have an answer with these attributes:

{ "access_token": <access-token>, "token_type":<type>, "expires_in":<seconds-til-expiration> }

Facebook login confirmation and server side confirmation

More articles: