We’re allowing a user to access our backend (using a REST api over https with json replies) using only a facebook access token as a credential, so we want to do two things:
- verify the access token and find the user’s id – which is just a call to https://graph.facebook.com/me?access_token=TOKEN
- make sure that this access token belongs to our facebook app.
You can call https://graph.facebook.com/app?access_token=TOKEN, but this seems to be an undocumented feature (and one which is sometimes rather slow).
Can anybody tell me whether this is in fact a standard method which is likely to stay there? Or is there another way of doing what we want to do: to verify that a user’s access token is valid and comes from our facebook app.
You can call me/permissions and me?fields=installed, but neither of these seems to tell me WHICH facebook app we’re checking.
You can pass signed_request instead of access_token with every request.
The signed_request parameter is based on your application's secret key, so you can simply verify it. Read the documentation about signed requests.
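The signed_request verification the answer refers to, written out as an added example (not code from the question, the answer, or Facebook): the signature is an HMAC-SHA256 over the payload with the app secret, so a valid signature proves the payload (user id and token) was issued for this app. APP_SECRET and the sample payload are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example only; a real app uses the secret from its app settings.
APP_SECRET = "example-app-secret-not-real"


def _b64url_decode(data: str) -> bytes:
    # Facebook uses URL-safe base64 without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def parse_signed_request(signed_request: str, app_secret: str) -> Optional[dict]:
    """Return the payload dict if the signature is valid for app_secret, else None."""
    try:
        encoded_sig, payload = signed_request.split(".", 1)
        sig = _b64url_decode(encoded_sig)
        data = json.loads(_b64url_decode(payload))
    except ValueError:  # missing ".", bad base64, or bad JSON
        return None
    # Accept only the documented algorithm so a forged "none"-style value is rejected.
    if not isinstance(data, dict) or str(data.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    # The HMAC covers the still-encoded payload string, not the decoded JSON.
    expected = hmac.new(app_secret.encode("utf-8"), payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return data


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Build a signed_request in Facebook's format; used here only to construct test input."""
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(app_secret.encode("utf-8"), body.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{body}"


if __name__ == "__main__":
    # Constructed sample: the fields Facebook includes once the user has authorized the app.
    sample = make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": 1300000000, "user_id": "1234567890",
         "oauth_token": "constructed-token"}, APP_SECRET)
    print(parse_signed_request(sample, APP_SECRET))            # payload dict
    print(parse_signed_request(sample, "some-other-app-secret"))  # None
```

A request signed for a different app fails the HMAC check, which is exactly the "does this belong to our app" question the /app call was being used for.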