Get application id from user access token (or verify the source application for a token)

Frontend | Unresolved | 4 | 1600
南旧 2020-12-02 05:36

I found this question, which has an answer, but Facebook changed the token format since then, now it is something like:

AAACEdEose0cBACgUMGMCRi9qVbqO3u7mdATQ

4 answers
  • 2020-12-02 06:26

    A documented way to ensure this is to use appsecret_proof.

    GET graph.facebook.com/v2.5/me?access_token=[TOKEN]&appsecret_proof=[PROOF]
    

    This verifies not only that it is a valid token, but also that the token belongs to the app. It also gets you user data in one go.

    You can derive PROOF above in C# using this (from here):

    using System.Text;
    using System.Security.Cryptography;

    // appsecret_proof = lower-case hex of HMAC-SHA256(key: app secret, message: access token)
    public static string ComputeHmacSha256Hash(string valueToHash, string key)
    {
        byte[] keyBytes = Encoding.ASCII.GetBytes(key);
        byte[] valueBytes = Encoding.ASCII.GetBytes(valueToHash);
        byte[] tokenBytes;
        using (var hmac = new HMACSHA256(keyBytes))
        {
            tokenBytes = hmac.ComputeHash(valueBytes);
        }

        // Encode the digest as lower-case hex, which is what the Graph API expects
        StringBuilder token = new StringBuilder();
        foreach (byte b in tokenBytes)
        {
            token.AppendFormat("{0:x2}", b);
        }

        return token.ToString();
    }

    string proof = ComputeHmacSha256Hash(accessToken, appSecret);
    
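    As an added example (not the answer's own C# code), the same appsecret_proof derivation in Python, together with the /me request URL the answer shows. The v2.5 path is taken from the answer; the token and secret values in the usage block are constructed placeholders, not real credentials. The secret stays on the server and only the HMAC proof is sent, which is what ties the call to your app.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Graph API version from the answer above
GRAPH_BASE = "https://graph.facebook.com/v2.5"


def appsecret_proof(access_token: str, app_secret: str) -> str:
    """appsecret_proof = lower-case hex of HMAC-SHA256(key=app_secret, msg=access_token).

    This is exactly what the C# ComputeHmacSha256Hash(accessToken, appSecret) in the
    answer computes; UTF-8 encoding is used here instead of ASCII (identical for the
    printable-ASCII tokens and secrets the Graph API hands out).
    """
    return hmac.new(app_secret.encode("utf-8"),
                    access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def me_url(access_token: str, app_secret: str) -> str:
    """Build the GET /me request from the answer with the proof attached.

    Only the token and the proof travel to Graph; the app secret itself never does.
    """
    query = urlencode({
        "access_token": access_token,
        "appsecret_proof": appsecret_proof(access_token, app_secret),
    })
    return f"{GRAPH_BASE}/me?{query}"


def proof_matches(access_token: str, app_secret: str, presented_proof: str) -> bool:
    """Model of the server-side check: recompute the proof and compare in constant time.

    A token presented with a proof made under a different app's secret fails here,
    which is why a stolen token alone is not enough to call your app's endpoints.
    """
    expected = appsecret_proof(access_token, app_secret)
    return hmac.compare_digest(expected, presented_proof)


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    token = "EXAMPLE_USER_ACCESS_TOKEN"
    secret = "EXAMPLE_APP_SECRET"
    print(me_url(token, secret))
    print(proof_matches(token, secret, appsecret_proof(token, secret)))          # True
    print(proof_matches(token, secret, appsecret_proof(token, "OTHER_SECRET")))  # False
```

    Any HMAC-SHA256 implementation must agree on the standard test vectors, so the check below uses RFC 4231 test case 2 (key "Jefe") as a known-answer test rather than a Facebook token.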
  • 2020-12-02 06:27

    https://graph.facebook.com/app/?access_token=[user_access_token]

    This will return the app this token was generated for, you can compare that against your app's id.

  • 2020-12-02 06:28

    Why not use the official way of doing things? Here's the request from FB's own video about security.

    Request: https://graph.facebook.com/debug_token?input_token={token-to-check}&access_token={app_id}|{app_secret}

    Response: "data": { "app_id": {token-app-id}, "user_id": {token-user-id}, ... }

    Link to an official video: https://www.facebook.com/FacebookforDevelopers/videos/10152795636318553/

    I made a screenshot so that the time is visible, and you can find more info if you are interested.

  • 2020-12-02 06:29

    The official graph endpoint for inspecting access tokens is:

    GET graph.facebook.com/debug_token?
          input_token=[user_access_token]&
          access_token=[app_token_or_admin_token]
    

    Example response:

    {
        "data": {
            "app_id": 138483919580948, 
            "application": "Social Cafe", 
            "expires_at": 1352419328, 
            "is_valid": true, 
            "issued_at": 1347235328, 
            "metadata": {
                "sso": "iphone-safari"
            }, 
            "scopes": [
                "email", 
                "publish_actions"
            ], 
            "user_id": 1207059
        }
    }
    

    app_token_or_admin_token can be obtained using the Graph API call:

    GET graph.facebook.com/oauth/access_token?
         client_id={app-id}
        &client_secret={app-secret}
        &grant_type=client_credentials
    

    The debug_token endpoint will fail if that user_access_token doesn't belong to the app that generated the app_token_or_admin_token.

    Relevant Facebook documentation:

    • Inspecting access tokens: https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/#checktoken

    • App Tokens: https://developers.facebook.com/docs/facebook-login/access-tokens/#apptokens

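    As an added example (not code from any of the answers), the server-side decision that the debug_token answers above leave implicit: build the debug_token request with the `{app_id}|{app_secret}` app token, then accept the user token only if the response says it is valid, was issued to your app, has not expired and carries the scopes you need. The sample response is the one printed in the answer above, embedded as a constant; the app id and secret in the usage block are constructed placeholders, and treating `expires_at` of 0 as "no expiry" is an assumption.

```python
import time
from typing import Iterable, Tuple
from urllib.parse import urlencode

# Sample response body copied from the answer above (not a live API response).
SAMPLE_DEBUG_RESPONSE = {
    "data": {
        "app_id": 138483919580948,
        "application": "Social Cafe",
        "expires_at": 1352419328,
        "is_valid": True,
        "issued_at": 1347235328,
        "metadata": {"sso": "iphone-safari"},
        "scopes": ["email", "publish_actions"],
        "user_id": 1207059,
    }
}


def debug_token_url(input_token: str, app_id: str, app_secret: str) -> str:
    """The request from the answers: app token is '{app_id}|{app_secret}'.

    urlencode escapes the '|' as %7C, which Graph accepts. This call belongs on the
    server: the app secret must never be embedded in a client.
    """
    query = urlencode({
        "input_token": input_token,
        "access_token": f"{app_id}|{app_secret}",
    })
    return f"https://graph.facebook.com/debug_token?{query}"


def validate_debug_token(response: dict, expected_app_id,
                         required_scopes: Iterable[str] = (),
                         now: float = None) -> Tuple[bool, str]:
    """Decide whether a user token may be trusted, given a debug_token response.

    Returns (ok, reason). Every check is on fields shown in the sample response.
    """
    now = time.time() if now is None else now
    data = response.get("data")
    if not isinstance(data, dict):
        return False, "malformed response: no data object"
    if data.get("is_valid") is not True:
        return False, "Graph reports the token as not valid"
    # Compare as strings: the id may be serialised as int or string
    if str(data.get("app_id")) != str(expected_app_id):
        return False, f"token was issued to app {data.get('app_id')}, not {expected_app_id}"
    expires_at = data.get("expires_at")
    # Assumption: expires_at == 0 means a token without expiry
    if expires_at and expires_at <= now:
        return False, "token has expired"
    missing = set(required_scopes) - set(data.get("scopes", []))
    if missing:
        return False, f"token lacks required scopes: {sorted(missing)}"
    return True, f"token valid for user {data.get('user_id')}"


if __name__ == "__main__":
    # Constructed placeholder credentials.
    print(debug_token_url("USER_TOKEN", "EXAMPLE_APP_ID", "EXAMPLE_APP_SECRET"))
    # Evaluate the sample response at a time between issued_at and expires_at
    print(validate_debug_token(SAMPLE_DEBUG_RESPONSE, 138483919580948, ("email",), now=1350000000))
    # The same token presented to a different app is rejected
    print(validate_debug_token(SAMPLE_DEBUG_RESPONSE, 999, now=1350000000))
```

    The app-id comparison is the same check the `/app` answer describes, just taken from the debug_token payload; the expiry and scope checks are what a plain "does it belong to my app" lookup would miss.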