Get application id from user access token (or verify the source application for a token)

facebook facebook-c#-sdk oauth-2.0 facebook-oauth
Jonathan Levison picture Jonathan Levison · Nov 15, 2011 · Viewed 26.6k times · Source

I found this question, which has an answer, but facebook changed the token format since then, now it is something like:

AAACEdEose0cBACgUMGMCRi9qVbqO3u7mdATQzg[more funny letters]ig8b3uss9WrhGZBYjr20rnJu263BAZDZD

In short, you cannot infer anything from it. I also found the access token debugger, which shows the information I am looking for if you paste a token in, which is nice, but does not help me do it programmatically.

Point is, if someone gets a token for a user, he can use it to access the graph, which is what I do in my application - I want to be sure that people are forwarding the token that was issued to them by my application, and not another.

My application flow is:

  1. Get access token from facebook (nothing special, in the way it is described in here , Server-side Flow. (also iPhone and android and used, but they have similar flows if I recall correctly))
    [device] <-> [facebook]
  2. With that access token, the device will access my application server with the token
    [device] <-> [Jonathan's application]
    At my server I attach the access token to the user and use that to give permissions to that user in my application. (using the facebook connect to authenticate users)


My application is secured, and the access done is also authenticated regardless of facebook, BUT! in this flow, the a weak link I identified is that I cannot authenticate for sure that the access token I got was signed for my application - I do not like it because I cache the tokens for offline use, I want to be 100% sure they are for my application, with my permissions.

So what will be the (best) way to authenticate that the token I got is related to my application (for relation to user, I use the token to access /me and see which user this token is for)

I do not need to decrypt the token (i guess its some sort of AES), I am just looking for an endpoint that will tell me the token matched my application id.

(EDIT: Using the C# SDK, if it matters.. But a graph/rest call to give that info is just as good as well :) )

Answer

Daaniel picture Daaniel · Jan 4, 2012

https://graph.facebook.com/app/?access_token=[user_access_token]

This will return the app this token was generated for, you can compare that against your app's id.

Related questions

Facebook exchange code for token

When you successfully exchange a "code" for a token facebook responses with the following (html body) access_token=USER_ACCESS_TOKEN&expires=NUMBER_OF_SECONDS_UNTIL_TOKEN_EXPIRES But what happens when this code for token exchange fails? how …

Read More
Retrieve Access Token Using Javascript API

This is a follow up to the topic: Passing the signed_request along with the AJAX call to an ActionMethod decorated with CanvasAuthorize Since I couldn't get the signed_request to be anything other than null, I thought I'd authenticate …

Read More
List of Facebook fields returned by Social Graph API

Does anybody know if there is an authoritative list of fields that can be returned by the Facebook Social Graph API? For example the fields returned by an Author object are different to a Company object. Is there a list …

Read More