A web service I’m developing connects a user’s account to their Facebook account through an API that passes a Facebook access token to the backend. Is there some way to ensure that the access token that has been received belongs to my application?
Obviously, there will be errors later on if I try to use an access token from a different application to publish actions, for instance, but I’d rather catch this error case before associating the incorrect access token with a user’s account.
The easiest way is to just make an authenticated request to Facebook when you get their access token. Try to fetch their user info, maybe just their Facebook id, and verify the access token/Facebook id the user sent you is actually correct. You can make a request to the URL:
https://graph.facebook.com/me?fields=id&access_token=…
to fetch just their id. I’d add this check to the registration process, since it’s pretty important to get the pair correct.
Edited: To verify the app the access token belongs to, make a request to
https://graph.facebook.com/app?fields=id&access_token=
and it’ll give you the app id of the token.
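The two Graph API calls from the answer, /app and /me, turned into one backend check, as an added example (not the answerer's code). Before binding the token to a local account it confirms that the token was issued to our own app and that it authenticates the Facebook user the client claims to be. The transport is pluggable, so the logic runs offline against a constructed fake Graph API; `OUR_APP_ID`, the fake token table and the helper names are assumptions for the illustration, and `http_get_json` is the real transport you would use in production.

```python
"""Verify a client-supplied Facebook access token before associating it with
a local account: the token must belong to OUR app and to the claimed user.

Added example; the Graph API requests mirror the /app?fields=id and
/me?fields=id calls from the answer above.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, NamedTuple

GRAPH_BASE = "https://graph.facebook.com"
OUR_APP_ID = "123456"  # assumption: the id of our own Facebook app

FetchFn = Callable[[str, str], Dict]  # (url, token) -> parsed JSON body


def http_get_json(url: str, token: str) -> Dict:
    """Real transport. The token is sent as an Authorization header rather
    than in the query string so it does not end up in proxy or web-server
    access logs (Graph accepts both forms)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # Graph answers bad/expired tokens with a 4xx and a JSON
        # {"error": {...}} body; return it so the caller sees the reason.
        return json.load(err)


class TokenCheck(NamedTuple):
    ok: bool
    app_id: str    # app the token was issued to ("" if the lookup failed)
    user_id: str   # Facebook user the token authenticates ("" if not reached)
    reason: str    # explanation when ok is False, "" otherwise


def _fetch_id(path: str, token: str, fetch: FetchFn) -> str:
    """GET {path}?fields=id with the token; return the id, or "" on error."""
    data = fetch(f"{GRAPH_BASE}{path}?fields=id", token)
    if "error" in data or not isinstance(data.get("id"), str):
        return ""
    return data["id"]


def verify_facebook_token(token: str, expected_app_id: str, claimed_user_id: str,
                          fetch: FetchFn = http_get_json) -> TokenCheck:
    # 1. /app reveals which app the token was minted for. A token from some
    #    other app is still a perfectly valid token, so this is the check
    #    that catches "right user, wrong app" before the account is linked.
    app_id = _fetch_id("/app", token, fetch)
    if not app_id:
        return TokenCheck(False, "", "", "token rejected by Graph API (/app lookup failed)")
    if app_id != str(expected_app_id):
        return TokenCheck(False, app_id, "", f"token was issued to app {app_id}, not ours")
    # 2. /me reveals who the token authenticates. Graph returns ids as strings
    #    (they can exceed 2^53), so compare them as strings, never as numbers.
    user_id = _fetch_id("/me", token, fetch)
    if not user_id:
        return TokenCheck(False, app_id, "", "/me lookup failed")
    if user_id != str(claimed_user_id):
        return TokenCheck(False, app_id, user_id,
                          f"token belongs to user {user_id}, client claimed {claimed_user_id}")
    return TokenCheck(True, app_id, user_id, "")


# Constructed fake Graph API for offline demonstration; these are not real
# tokens or ids, and the error payload only imitates Graph's shape.
_FAKE_TOKENS = {
    "tok-ours-alice": {"app": "123456", "user": "7001"},   # our app, user 7001
    "tok-otherapp-bob": {"app": "999999", "user": "7002"},  # someone else's app
}


def fake_graph_fetch(url: str, token: str) -> Dict:
    entry = _FAKE_TOKENS.get(token)
    if entry is None:
        return {"error": {"message": "Invalid OAuth access token.", "code": 190}}
    if url.startswith(GRAPH_BASE + "/app?"):
        return {"id": entry["app"]}
    if url.startswith(GRAPH_BASE + "/me?"):
        return {"id": entry["user"]}
    return {"error": {"message": "unsupported path in fake"}}


if __name__ == "__main__":
    cases = [("tok-ours-alice", "7001"),    # genuine: accepted
             ("tok-otherapp-bob", "7002"),  # valid token, wrong app: rejected
             ("tok-ours-alice", "7002"),    # our app, but client lied about who they are
             ("tok-expired", "7001")]       # unknown/expired token: rejected
    for tok, claimed in cases:
        print(tok, claimed, verify_facebook_token(tok, OUR_APP_ID, claimed, fetch=fake_graph_fetch))
```

Run the `/app` check first: it is the cheaper failure to reason about, and a token that passes `/me` for the right user but was issued to a different app must still be refused, which is exactly the case the question asks about.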