For users signing up from our Android app and iOS app, we need to generate a short-lived access token from the app and have the server generate the long-lived token. Referring to https://developers.facebook.com/docs/facebook-login/access-tokens#extending, we see the following:

Make this call from your server, not a client. The app secret is included in this API call, so you should never actually make the request client-side. Instead implement server-side code that makes the request, then pass the response containing the long-lived token back to your client-side code. This will be a different string than the original token, so if you're storing these tokens, replace the old one.

Once you've retrieved the long-lived token, you can use it from your server or ship it back down to the client to use there.

How do we implement this when we have an android app and server and not a web page as the client?

The Facebook documentation mentions that mobile apps that use Facebook's mobile SDKs get long-lived tokens. How do I get a short-lived access token from the Android app? How can we have, in a mobile app, the implementation mentioned in the Facebook docs: the web client authenticates, exchanges the short-term token for a long-term token via a server, the token is sent back down to the web client, and then the web client makes calls with the long-term token? Also they have mentioned in the docs: "Make this call from your server, not a client."

GET /oauth/access_token?
    grant_type=fb_exchange_token&
    client_id={app-id}&
    client_secret={app-secret}&
    fb_exchange_token={short-lived-token}

1 Answer

Have a look at "Design for Facebook authentication in an iOS app that also accesses a secured web service".

You just need to create a web service on your server which receives the access tokens and takes the appropriate actions.

Tobi
  • In the link you have shared, the solution given is to have a separate Facebook login and a separate login into the web application. For normal login, we capture the username and password. In case someone is using Facebook to log in to our application, what should I consider as the password? – Rupa Lahiri Oct 20 '14 at 09:35
  • Only steps 3 and 4 are important for your use case. I guess you don't want to complicate things. Just set up a service on your server which talks HTTPS, receive the short-lived token, exchange it and save it to some database. – Tobi Oct 20 '14 at 09:41
  • I have edited my question and added more details. How should the server verify the token and authenticate the user to make API calls? We are using Spring Security to authenticate users for normal username and password. – Rupa Lahiri Oct 20 '14 at 11:54
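A server-side sketch of the flow the question quotes and the answer suggests, added here as an example and not part of the original thread: the app sends its short-lived token to the server, the server checks through the Graph API /debug_token endpoint that the token is valid and was issued for this app, and only then performs the fb_exchange_token call, so the app secret never reaches the client. The fake_graph stand-in, app id 123, the secret and the token strings are constructed for the demonstration; the exchange parameters are the ones quoted in the question.

```python
import json
from urllib.parse import parse_qsl, urlencode
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"


def exchange_url(app_id, app_secret, short_token):
    """The call quoted in the question; the app secret stays on the server."""
    return GRAPH + "/oauth/access_token?" + urlencode({
        "grant_type": "fb_exchange_token",
        "client_id": app_id,
        "client_secret": app_secret,
        "fb_exchange_token": short_token,
    })


def debug_url(app_id, app_secret, token):
    """Graph API /debug_token, authenticated with the app access token 'app_id|app_secret'."""
    return GRAPH + "/debug_token?" + urlencode(
        {"input_token": token, "access_token": f"{app_id}|{app_secret}"})


def exchange_token(app_id, app_secret, short_token, fetch=None):
    """Web-service handler: reject tokens not issued for our app, then exchange. fetch(url)->str is injectable."""
    fetch = fetch or (lambda url: urlopen(url, timeout=10).read().decode())
    info = json.loads(fetch(debug_url(app_id, app_secret, short_token))).get("data", {})
    if not info.get("is_valid") or str(info.get("app_id")) != str(app_id):
        raise ValueError("token is invalid or was issued for another app")
    resp = json.loads(fetch(exchange_url(app_id, app_secret, short_token)))
    if "access_token" not in resp:
        raise ValueError("exchange failed: %s" % resp.get("error", {}).get("message"))
    # Persist access_token against user_id (or hand it back to the app) and replace the old token.
    return {"user_id": str(info["user_id"]), "access_token": resp["access_token"],
            "expires_in": resp.get("expires_in")}


def fake_graph(url):
    """Constructed stand-in for graph.facebook.com so the example runs offline."""
    path, _, qs = url[len(GRAPH):].partition("?")
    q = dict(parse_qsl(qs))
    if path == "/debug_token":
        owner = "123" if q["input_token"] == "SHORT-FROM-APP" else "999"  # other token: another app
        return json.dumps({"data": {"app_id": owner, "is_valid": True, "user_id": 42}})
    if path == "/oauth/access_token" and q["grant_type"] == "fb_exchange_token" \
            and q["client_secret"] == "APP-SECRET":
        return json.dumps({"access_token": "LONG-LIVED", "token_type": "bearer", "expires_in": 5183944})
    return json.dumps({"error": {"message": "bad request"}})


if __name__ == "__main__":
    print(exchange_token("123", "APP-SECRET", "SHORT-FROM-APP", fetch=fake_graph))
```

Dropping the fetch argument makes the same code talk to the real Graph API; the user_id returned by /debug_token is what the server can map to its own account record in place of a password.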