Verify Facebook Access Token for specific App

Question

I need to verify that users on my iPhone app are actually logged in to my Facebook app. I\'m able to verify their user id by retrieving it with their Access token:

Answer 1

Yes. You can query this:

https://graph.facebook.com/app?access_token=TOKEN

It will return the name, id and several stats about the app that created the access token.

Answer 2

You can use appsecret_proof on your api calls.

From the official documentation:

Access tokens are portable. It's possible to take an access token generated on a client by Facebook's SDK, send it to a server and then make calls from that server on behalf of the client.

You can prevent this by adding the appsecret_proof parameter to every API call from a server and enabling the setting to require proof on all calls. This prevents bad guys from making API calls with your access tokens from their servers.

Example:

https://graph.facebook.com/app?access_token=TOKEN&appsecret_proof=<app secret proof>

In PHP:

$endpoint = sprintf(
    'https://graph.facebook.com/app?access_token=%s&appsecret_proof=%s',
    urlencode($accessToken),
    urlencode(
        hash_hmac('sha256', $accessToken, $appSecret)
    )
);

You can now trust that the response that you got can be used for authentication.

Answer 3

Facebook now provides support for debugging an Access Token. You can retrieve the information related to a particular Access Token by issuing a GET request to the debug_token connection. Something like:

GET /debug_token?
     input_token={input-token}&
     access_token={access-token}

Where, input-token: the access token you want to get information about and access-token: your app access token or a valid user access token from a developer of the app

And this will return the following information:

{
        "data": {
            "app_id": 000000000000000, 
            "application": "Social Cafe", 
            "expires_at": 1352419328, 
            "is_valid": true, 
            "issued_at": 1347235328, 
            "scopes": [
                "email", 
                "publish_actions"
            ], 
            "user_id": 1207059
        }
    }

You can get more information about it in the Getting Info about Tokens and Debugging reference.

Answer 4

Here is my implementation in Python 3, implementing a single Facebook Batch Request. This should get you both the APP and USER data that is tied to the user's access_token, in one call.

#Build the batch, and urlencode it
batchRequest = '[{"method":"GET","relative_url":"me"}, {"method":"GET","relative_url":"app"}]'
batchRequestEncoded = urllib.parse.quote_plus(batchRequest)

#Prepare the batch and access_token params
dataParams = 'access_token=%s&batch=%s' % (fb_access_token, batchRequestEncoded)
dataParamsEncoded = dataParams.encode()
fbURL = 'https://graph.facebook.com/'

#This will POST the request
response = urllib.request.urlopen(fbURL, dataParamsEncoded)

#Get the results
data = response.read()
data = json.loads(data.decode("utf-8"))

There is probably a more pythonic way to implement some of the encoding calls I wrote, but I just wanted to show what exactly worked for me.