I’m looking at the Windows 8 Facebook C# sample code where a user can log in to my app via Facebook. Nowhere do I see any mention of the secret key inside the sample code. I thought the secret key was required for obtaining an access token?
You need the app secret only if you are getting a code from the client and exchanging it for an access token.
For web apps, it is recommended to use code and then exchange it for an access token, which requires the app secret. This way, when FB redirects back to your page with ?code=… instead of #access_token=…, it is guaranteed that the access token never reaches the client and is never saved in the browser history.
For Windows apps (both Store and desktop), you can directly get the response_type=access_token, as it is guaranteed that it will not be saved in the browser history. And for security, never include the app secret in the client app, in case some user reverse engineers your app.
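The two redirect shapes described in the answer, as an added C# example that is not part of the original answer or of the Facebook sample: it builds the login request for each flow (neither contains the app secret) and classifies the callback by where the credential arrives. The dialog endpoint, the `token` response type value, the redirect URI, the app id and the sample callbacks are assumptions or constructed placeholders.

```csharp
using System;
using System.Collections.Generic;

static class OAuthRedirectDemo
{
    // Assumed endpoint and constructed placeholders; none of these come from the post.
    const string Dialog = "https://www.facebook.com/dialog/oauth";
    const string AppId = "APP_ID_PLACEHOLDER";
    const string Redirect = "https://example.com/callback";

    // The login request carries only the public app id, never the app secret.
    static string BuildLoginUrl(string responseType)
    {
        return Dialog + "?client_id=" + Uri.EscapeDataString(AppId)
             + "&redirect_uri=" + Uri.EscapeDataString(Redirect)
             + "&response_type=" + Uri.EscapeDataString(responseType);
    }

    // Parse "a=1&b=2" pairs from a query string ("?...") or a fragment ("#...").
    static Dictionary<string, string> ParsePairs(string raw)
    {
        var result = new Dictionary<string, string>(StringComparer.Ordinal);
        var parts = raw.TrimStart('?', '#').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var pair in parts)
        {
            var kv = pair.Split(new[] { '=' }, 2);
            result[Uri.UnescapeDataString(kv[0])] = kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "";
        }
        return result;
    }

    // Decide which flow a callback belongs to and what the client should do with it.
    static string Describe(Uri callback)
    {
        var query = ParsePairs(callback.Query);
        var fragment = ParsePairs(callback.Fragment);
        if (fragment.ContainsKey("access_token"))
            return "token flow: access token arrived in the fragment, no app secret involved";
        if (query.ContainsKey("code"))
            return "code flow: pass the code to your server, which exchanges it using the app secret";
        if (query.ContainsKey("error") || fragment.ContainsKey("error"))
            return "login failed or was cancelled: " + (query.ContainsKey("error") ? query["error"] : fragment["error"]);
        return "unrecognised callback";
    }

    static void Main()
    {
        Console.WriteLine(BuildLoginUrl("token") + "\n" + BuildLoginUrl("code"));
        foreach (var s in new[] { "https://example.com/callback#access_token=SAMPLE_TOKEN&expires_in=3600",
                                  "https://example.com/callback?code=SAMPLE_CODE",
                                  "https://example.com/callback?error=access_denied" }) // constructed samples
            Console.WriteLine(Describe(new Uri(s)));
    }
}
```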