I receive fb_authToken and I want to confirm that it has a session and / or belongs to the user fb_id with PHP

I have developed some web services for an iOS client application, authentication happens on the client side, they "register" with the server by sending fb_id and fb_authToken to the user and that.

I don't want to trust the client application that I would like to check with facebook if this authToken has a session, or at least if it belongs to the specified fb_id. I haven't seen any examples / docs of this with PHP just doing the actual login.

Any advice? thanks in advance.


source to share

1 answer

That's a good question. You should never trust anything you get from a client, and you can never be sure that an access token is valid before you try to use it. And of course you cannot trust that they belong to the user if they say they are.

The general scheme used by most apps is to make a simple request through the graph API and then move on to re-authenticate if Facebook is responsible for the exception. Simple query

https://graph.facebook.com/me?fields=id&access_token={your token}

will respond by the user of the user userid if the token is valid. You can make this call as a token test and identify the user id. Here's an example of the response you should receive:

    "id": "100003099278003"


Here is a good blog post on Facebook Developers Blog that outlines their guidelines for testing and handling expired or invalid access tokens: https://developers.facebook.com/blog/post/500/



All Articles