
I'm wondering if there is a purely server-local means of doing Facebook access token validation. I.e., without making a network request to Facebook. I've seen methods requiring REST requests to Facebook's servers (see Facebook access token server-side validation for iPhone app). My situation is that I'm getting the access token from a client mobile phone app, via a REST call to my server, and want to validate that access token on the server.

The reason I'm thinking this way is that Google authentication has a purely server-local means of validating their IdTokens.

In my case, on each call to my server's REST API, I'm going to have to do this validation (e.g., Facebook access token validation), so I'd rather reduce the per REST call overhead to my server. Note also that I can't store a single Facebook access token on my server-- there will be various users on the client side, each sending their own access tokens up to my server.

Chris Prince
  • Of course not. Without contacting Facebook there is no way to know if it has been invalidated – WizKid Jun 14 '16 at 21:11
  • But why do you need to validate it for every call? – WizKid Jun 14 '16 at 21:15
  • Each call could be from a different user. I'm using Facebook creds for sign-in authentication, not for using Facebook per se. – Chris Prince Jun 14 '16 at 21:29
  • If you're not calling Facebook you don't need to verify if that access token is valid. You just need to verify if you've seen it before. So you store the access tokens that you validated against Facebook – WizKid Jun 14 '16 at 21:33
  • I'm nodding. That could help a lot. The expiry duration of a standard app issued access token seems to be an hour or two (https://developers.facebook.com/docs/facebook-login/access-tokens), so this would be a big savings for a bunch of REST API calls issued to my server in a rapid sequence. So when I encounter an access token I've not seen for that user, I'd need to do the (infrequent) Facebook server validation. Thanks! – Chris Prince Jun 14 '16 at 21:39
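
The approach the comments above arrive at, as an added example that is not code from the thread: validate a token remotely the first time it is seen, then serve repeat calls from a local cache. `remote_check` is a hypothetical callable standing in for the network validation request to Facebook, and `max_age` is an assumed re-check interval that bounds how long a token revoked at Facebook would still be accepted locally.

```python
import hashlib
import time


class TokenCache:
    """Remember access tokens already validated remotely, keyed by hash."""

    def __init__(self, remote_check, max_age=300, clock=time.time):
        # remote_check(token) -> (user_id, expires_at) or None; hypothetical
        # stand-in for the network validation request to Facebook.
        self._remote_check = remote_check
        self._max_age = max_age      # assumed re-check interval, in seconds
        self._clock = clock
        self._entries = {}           # sha256(token) -> (user_id, trusted_until)

    @staticmethod
    def _key(token):
        # Store a digest rather than the bearer token itself.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def authenticate(self, claimed_user_id, token):
        """Return True if token is valid and belongs to claimed_user_id."""
        now = self._clock()
        key = self._key(token)
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            # Seen before and still trusted: no network call.
            return entry[0] == claimed_user_id
        self._entries.pop(key, None)
        result = self._remote_check(token)   # the infrequent remote validation
        if result is None:
            return False
        user_id, expires_at = result
        if expires_at <= now:
            return False
        # Revocation is invisible locally, so trust is capped at max_age
        # and never extends past the token's own expiry.
        self._entries[key] = (user_id, min(expires_at, now + self._max_age))
        return user_id == claimed_user_id


if __name__ == "__main__":
    calls = []
    def fake_remote(token):          # constructed stand-in, no network
        calls.append(token)
        return ("user-1", time.time() + 3600) if token == "tok-A" else None
    cache = TokenCache(fake_remote)
    for _ in range(3):
        print(cache.authenticate("user-1", "tok-A"), "remote calls:", len(calls))
```

The cache binds each token to the user id returned by the remote check, so a valid token presented under a different user id is rejected without a second network call.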

0 Answers