My team and I are working on my own mobile social network for Android, which allows users to log in using Facebook. I've managed to implement the Facebook SDK for Android, but I haven't managed to figure out how to correctly / securely authenticate a user who logs in using Facebook with credentials received only from Facebook. Currently, here is my system:
Step 1. From the Android client, the user clicks on the Facebook login and provides permissions for my application.
Step 2. After the user grants our permissions, Facebook will send us a response that includes the fb user ID, email address and token (among other information, if this is the first time the user has logged in using Facebook).
Step 3. The information is sent to our API for authentication, and this is where I am a little unclear... How do I verify the credentials on my server?
At the moment, I'm just checking my db for an existing user with the fb_uid and fb_email received, but everyone can get anyone's fb_uid, and it's not so difficult to find the email that they used to register with Facebook, which means that hypothetically it's easy for someone to hack another user's account with a fake HTTP request.
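The weakness described in the question is that the server trusts two values the client sends (fb_uid and fb_email) that are both public. The added example below, which is not code from the original post, puts that weak check next to a hardened one: the server treats the client's uid as a claim only, sends the access token to Facebook's Graph API `/debug_token` endpoint, and acts on the user id Facebook reports for that token, after confirming the token is valid, was issued for this app and has not expired. The app id, secret, user table, token strings and request shape are all constructed for the demo; `fake_inspect` stands in for the network call so the example runs offline.

```python
"""Server-side check for a Facebook-backed login (added example, not the
original post's code). Assumes a Python API server that receives
{"fb_uid": ..., "fb_token": ...} from the Android client; the app id,
secret and user table below are constructed placeholders."""
import json
import time
import urllib.parse
import urllib.request

APP_ID = "APP_ID_PLACEHOLDER"          # your Facebook app id (placeholder)
APP_SECRET = "APP_SECRET_PLACEHOLDER"  # app secret, server-side only (placeholder)

# Constructed user table: Facebook uid -> account record.
USERS = {
    "1001": {"name": "alice", "fb_email": "alice@example.com"},
    "1002": {"name": "bob", "fb_email": "bob@example.com"},
}


def weak_login(fb_uid, fb_email):
    """The check from the question: trusts whatever uid/email the client
    sends. Both values are public, so this proves nothing about who sent
    the request."""
    user = USERS.get(fb_uid)
    if user and user["fb_email"] == fb_email:
        return user
    return None


def graph_debug_token(input_token):
    """Ask Facebook whether the token is real, using the Graph API
    /debug_token endpoint with an app access token (app_id|app_secret).
    Network call; the offline demo below swaps in fake_inspect instead."""
    query = urllib.parse.urlencode({
        "input_token": input_token,
        "access_token": f"{APP_ID}|{APP_SECRET}",
    })
    url = f"https://graph.facebook.com/debug_token?{query}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["data"]


def verified_login(fb_uid, fb_token, inspect=graph_debug_token, now=None):
    """Hardened check: the identity we act on is the one Facebook reports
    for the token, not the uid the client claims. The token must be valid,
    issued for *our* app (a token for another app proves nothing here) and
    unexpired, and its user_id must match the claimed uid."""
    now = time.time() if now is None else now
    try:
        data = inspect(fb_token)
    except Exception:
        return None                      # Facebook unreachable: fail closed
    if not data.get("is_valid"):
        return None
    if str(data.get("app_id")) != APP_ID:
        return None                      # token issued for some other app
    expires_at = data.get("expires_at", 0)   # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        return None
    if str(data.get("user_id")) != str(fb_uid):
        return None                      # token does not belong to claimed uid
    return USERS.get(str(data["user_id"]))   # look up by the *verified* id


# Constructed stand-in for Facebook's /debug_token responses, keyed by token.
FAKE_TOKENS = {
    "tok-alice":     {"is_valid": True, "app_id": APP_ID, "user_id": "1001",
                      "expires_at": 2_000_000_000},
    "tok-other-app": {"is_valid": True, "app_id": "999",  "user_id": "1001",
                      "expires_at": 2_000_000_000},
    "tok-expired":   {"is_valid": True, "app_id": APP_ID, "user_id": "1001",
                      "expires_at": 1},
}


def fake_inspect(token):
    """Offline replacement for graph_debug_token (constructed data)."""
    return FAKE_TOKENS.get(token, {"is_valid": False})


if __name__ == "__main__":
    NOW = 1_700_000_000
    # Public info alone is enough to pass the weak check as alice.
    print("weak:", weak_login("1001", "alice@example.com"))
    # Only a token Facebook issued for alice, for this app, passes the hardened check.
    print("alice w/ own token:", verified_login("1001", "tok-alice", fake_inspect, NOW))
    print("bob w/ alice token:", verified_login("1002", "tok-alice", fake_inspect, NOW))
    print("other app's token:", verified_login("1001", "tok-other-app", fake_inspect, NOW))
    print("expired token:", verified_login("1001", "tok-expired", fake_inspect, NOW))
    print("made-up token:", verified_login("1001", "bogus", fake_inspect, NOW))
```

The point of injecting `inspect` is that the only trustworthy input is what Facebook itself says about the token; the app id comparison matters because a valid token obtained through any other Facebook app would otherwise be accepted, and looking the account up by the verified `user_id` rather than the client's `fb_uid` keeps the two from ever diverging.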