Facebook authentication to my server using Android
I'm building an application with the following blocks:
Android - Client Side, Java Servlets - Sever Side, Facebook app - used in order to authenicate users and work with their data.
My Problem is the following: I would like to authenticate my users via facebook (such as a request sent from the android client using facebook-android-sdk to facebook) but then I would like to send requests to my server (which is implemented by servlets) and to validate somehow that the user sending the request is authenticated to facebook and my application.
So these are the steps:
user X is authenicated to facebook and my facebook app using facebook-android-sdk. X is sending a request to my server
As for the server, I would only like to know it's a proper user which is working with me, I don't need the server to perform any Graph API requests.
How can I know that X is valid in my server? The authentication was performed on client side in that case.
Answer
So you have: Facebook - Android Application - Your web server. And your web server needs to know that you are the Facebook user you are presenting. The problem is that you can not trust the Android client for any data it gives to you.
I solved the problem like this:
- Authenticate user to Facebook from Android application,
- Get the FB auth token to the android app,
- Forward the authentication token & facebook UID from Android to web server,
- Verify the token (using app_id & user_id) by using Facebook Graph debug endpoint as described here (https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken) to be sure that the token is for correct application
- On web server, make Facebook API call with the submitted token.
If the debug endpoint API call from your web server returns valid information (app id & user id), your server can trust the id (& you can be sure that the Android authentication is real)