1

I'm using the ActionScript API for a Flash application on the web. I would like to perform actions which require an access token, but I'm unsure of the security implications of using this in Flash (which can be decompiled). Is the access token something I need to keep secret?

N.B. Specifically I'm trying to post game achievements which require the app's access token to be passed. But I'm not sure how I can do this securely from Flash (or whether this is not an issue).

Andy

1 Answer

1

Use the client side flow guidelines from Facebook for authentication: https://developers.facebook.com/docs/authentication/client-side/

Adam
  • Thanks @Adam, but the access token I need is the app one rather than the user's one. Using the user's one (which is what this example gets me) when posting an achievement causes the following FB error: "(#15) This method must be called with an app access_token." – Andy Mar 26 '12 at 10:50
  • Well, in that case the access_token is client/user specific, so it is OK if the client/user sees it, as it is their token anyway; your app is just handling it for them. – Adam Mar 26 '12 at 11:03
  • No, it's the app's one I need (i.e. the same one is used for all users). I assume this one does need to be kept secret then? – Andy Mar 26 '12 at 11:11
  • So the App ID/API Key - yes that is public, however never share the App Secret. – Adam Mar 26 '12 at 11:18
  • 2
    Don't EVER distribute the app secret in client code; the app secret can be used to change your app's admins and other settings via the API – Igy Mar 26 '12 at 13:51
  • @Igy: Facebook's app setting named "App Secret in Client" suggests otherwise, but I haven't yet found any documentation for that setting or why you'd actually want to do that. – Glenn Maynard Sep 14 '12 at 20:49
  • It used to be required for some login APIs; I don't believe there are many use-cases this is required for. That setting was also renamed this week; it was previously called 'App Mode' – Igy Sep 14 '12 at 20:59
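
One arrangement consistent with the comments above, as an added example that is not code from the thread: the SWF never holds the app access token; it sends a request to a server endpoint, which validates it and attaches the token before calling the Graph API. The call shape (`POST /{user-id}/achievements` with `achievement` and `access_token` parameters), the HMAC session tag, the allowlist and all names here are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode
from urllib.request import Request

GRAPH = "https://graph.facebook.com"

# Constructed allowlist: achievement ids the game knows -> their public URLs.
ACHIEVEMENTS = {
    "first_win": "https://game.example/achievements/first_win.html",
}


def sign_session(user_id: str, server_key: bytes) -> str:
    """Tag the server hands to the Flash client after the user logs in."""
    return hmac.new(server_key, user_id.encode(), hashlib.sha256).hexdigest()


def build_achievement_request(user_id, achievement_id, session_tag,
                              server_key, app_token):
    """Server-side only: validate the client's claim, then attach the app token.

    The client sends user_id, achievement_id and session_tag, nothing else.
    app_token is loaded from server configuration, never shipped in the SWF.
    """
    if not (user_id.isascii() and user_id.isdigit()):
        raise ValueError("user id must be numeric")
    expected = sign_session(user_id, server_key)
    # Constant-time comparison of the client-supplied tag.
    if not hmac.compare_digest(session_tag.encode(), expected.encode()):
        raise PermissionError("session tag does not match user id")
    url = ACHIEVEMENTS.get(achievement_id)
    if url is None:
        raise ValueError("unknown achievement id")
    body = urlencode({"achievement": url, "access_token": app_token}).encode()
    # Assumed call shape: POST /{user-id}/achievements (request is built, not sent).
    return Request(f"{GRAPH}/{user_id}/achievements", data=body, method="POST")
```

The relay only checks who is asking and which achievement is named; whether the player actually earned it has to be decided from game state the server itself trusts.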