I am writing an iPhone app that uses Facebook extensively. Right now, I'm getting the access token using the iPhone Facebook SDK. This returns me a standard access token.

I'm sending this token server-side and using it for many queries successfully. However, there are some queries that require an access token signed with the Application Secret, which the iPhone app SDK can't do client-side due to security vulnerabilities (specifically I'm trying to use dashboard methods).

So my question is: is there some way I can have Facebook upgrade this iPhone access token server-side to contain the signed secret? Or do I have to validate server-side from the beginning to do this?

The docs say that with the 'Server-side flow' method, once the user allows your app, you get a code generated by the server that you must send back with your App Secret to get your access token. The iPhone SDK uses 'Client-side flow' method, and it seems to skip this step, so I'm not sure how to get this code. So I guess the question boils down to, is it possible to upgrade a token gotten with the 'client side flow' method to one that can be used fully server side.

Shaun Budhram

  • This is not an answer, but a workaround - I solved this by creating my own login that goes through a UIWebView routed through my server, which handles the authentication. This way I'm able to securely use my app secret to gain the credentials I need. – Shaun Budhram Jun 14 '11 at 22:17
  • Hi Shaun, I just started working on a project that requires me to have server-side login on an iPhone app. I wonder, if you use UIWebView to present the server-side login, how do you know whether the login has succeeded or failed? Any links or tips? Thanks! – mkto Jul 26 '11 at 12:19

1 Answer

The answer is no.

User tokens and app tokens are different, and you can't convert one to the other.

Because you have a client app, I don't recommend that you embed your app secret (as you point out).

For your app, I recommend that you create a web page on a server you control that gets and uses an app token to make the calls you want.

Douglas Purdy
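The answer's recommendation (a server you control exchanges the code and holds the app secret) and Shaun's UIWebView-through-server workaround, as an added Python example that is not code from either poster: the phone only ever receives an opaque session id, the secret and the user/app tokens stay on the server, and each Graph call carries an appsecret_proof. The Graph host, the appsecret_proof scheme (HMAC-SHA256 of the token keyed with the app secret) and the stubbed `fake_graph` transport are my assumptions, not anything stated on this page.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed Graph host; the transport below is a constructed stub, not Facebook itself.
GRAPH = "https://graph.facebook.com"


class AuthServer:
    """Holds the app secret and per-session user tokens; the phone only ever sees a session id."""

    def __init__(self, app_id, app_secret, redirect_uri, http_get):
        self.app_id, self.app_secret, self.redirect_uri = app_id, app_secret, redirect_uri
        self.http_get = http_get  # callable(url) -> dict, injected so this runs offline
        self.sessions = {}        # session id -> user access token, kept server side

    def exchange_code(self, code):
        """Server-side flow: trade the one-time code plus the app secret for a user token."""
        url = GRAPH + "/oauth/access_token?" + urlencode({
            "client_id": self.app_id, "client_secret": self.app_secret,
            "redirect_uri": self.redirect_uri, "code": code})
        token = self.http_get(url)["access_token"]
        session_id = secrets.token_urlsafe(32)  # opaque handle handed back to the phone
        self.sessions[session_id] = token
        return session_id

    def app_token(self):
        """App access token (client_credentials grant); used only from this server."""
        url = GRAPH + "/oauth/access_token?" + urlencode({
            "client_id": self.app_id, "client_secret": self.app_secret,
            "grant_type": "client_credentials"})
        return self.http_get(url)["access_token"]

    def proof(self, token):
        """appsecret_proof: HMAC-SHA256 of the token keyed with the app secret (assumed scheme)."""
        return hmac.new(self.app_secret.encode(), token.encode(), hashlib.sha256).hexdigest()

    def graph_params(self, session_id):
        """Query parameters for a Graph call made on behalf of the phone's session."""
        token = self.sessions[session_id]
        return {"access_token": token, "appsecret_proof": self.proof(token)}


def fake_graph(url):
    """Constructed stand-in for graph.facebook.com: answers the two token endpoints."""
    if "grant_type=client_credentials" in url:
        return {"access_token": "APPID|constructed-app-token"}
    if "code=good-code" in url and "client_secret=" in url:
        return {"access_token": "constructed-user-token"}
    raise ValueError("token request rejected")
```

In a real deployment the UIWebView's redirect lands on this server, which calls `exchange_code` and sends the phone only the session id; the phone never sees the code response or the secret.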