3
votes

There are 4 easy steps described in the documentation about account linking for the Messenger Platform:

  1. Register a callback URL using Log In Button.

  2. Messenger Platform invokes the registered URL when a user starts the account linking flow. The redirect_uri and account_linking_token parameters are appended to your registered callback.

  3. Once linking is complete, redirect users to the location provided by redirect_uri and append an authorization_code parameter (defined by you) to confirm linking.

  4. Optionally retrieve the user's page-scoped ID (PSID) using the account linking endpoint. This step should only be used in special cases when you need the user's PSID as part of the linking process.

These steps are very easy to follow, except there's no help whatsoever on how to actually link the account. I get the redirect_uri and the account_linking_token as parameters on my callback website, where I enter the account login and password.

And then, I link the accounts...? How exactly?

What's the use of this button? I know it is supposed to link accounts, but what do I need the account_linking_token for? I can already send the user's PSID in a regular web_url button; I can easily send it on my login button as a parameter and link the account to this PSID if the credentials are correct.

I strongly believe there's something I'm missing or something I'm not understanding, but I don't know what. I followed the steps and called the account linking endpoint to get the PSID, which I already had since it is how I send messages with my bot, but I don't really see the point of this button.

So, what am I missing? I'm so frustrated.

1
“but I don't really see the point on this button” – the point is to connect the Messenger user, for whom you will only get a page-scoped user id, to any other login system you might be using - be that an external site’s own login system, or Facebook login used on an external site, or ... - CBroe
But like I mentioned, I already got the PSID via Messenger; it turned out to be the sender id, so why the need to make a special button to return information you basically already have? - Lauro182
Because what id the user has in the external login system, is information you don’t already have ... - CBroe
Yeah, but if you make a web_url button instead of an account_linking button and just append a GET parameter with the sender id as the value to the URL, then you can send the id in the login form and link the external login with the sender id. So I still don't see the point of the account_linking button; I feel like I'm not understanding something. - Lauro182
Yeah, kinda. But if a flow with added security already exists, why not use it, instead of brewing your own solution? - CBroe

1 Answer

3
votes

Just been through a similar bit of head scratching, so I will explain what I've done while it's fresh in my head.

For my example, I wanted Facebook to redirect out to my main login page, which is an OpenID Connect implementation. The customer signs in to this, and I get an id_token and access_token back from that. Upon receiving the access_token, I'm extracting the 'sub' claim from the JWT, which is the unique customer identifier in our database.

I'm then redirecting back to the value that was sent to me in redirect_uri, appending authorization_code={the-value-of-the-sub-claim}.

This then triggers the 'account link' webhook, which will POST to my service code, containing the PSID of the Facebook user and the authorization_code, which is my unique customer id in my business database.

You now have the 2 bits of information you need, the unique Facebook id and your unique customer id, in the POST message. It's up to your business code to persist this information to some sort of storage at this point.

On subsequent message posts to the Bot endpoint, you always have the sender (PSID) in the message. Your code can now look up the corresponding id specific to your business and perform operations relevant for that id.

Where the linking takes place: that's in your code. You need to handle the message from the account link webhook and store the data for future use.
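The whole flow the answer walks through (callback receives redirect_uri and account_linking_token, user signs in, redirect back with authorization_code, webhook delivers PSID plus authorization_code, later messages are resolved by PSID), as an added example that is not Facebook's code and not the answerer's service. It is framework-free: each step is a plain function over the dicts a web layer would hand it, and the in-memory dicts stand in for the storage the answer says your business code must own. It differs from the answer in one deliberate respect: because the redirect back to Messenger travels through the user's browser, where the query string can be edited, it sends an opaque single-use code that only the server can map back to the OIDC sub, rather than the raw sub. The allowed redirect hosts, the webhook field names beyond sender.id and authorization_code, and all sample values are assumptions or constructed data.

```python
"""Messenger account linking, end to end. Added example, not Facebook's or the answerer's code."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# In-memory stand-ins for the storage the answer says your business code must persist to.
PENDING_CODES = {}   # authorization_code -> (customer sub, expiry timestamp)
LINKS = {}           # PSID -> customer sub
CODE_TTL_SECONDS = 300
# Assumption: Messenger's redirect_uri is hosted on one of these domains.
ALLOWED_REDIRECT_HOSTS = ("facebook.com", "messenger.com")


def _host_allowed(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_REDIRECT_HOSTS)


def handle_login_callback(query, authenticated_sub, now=None):
    """Steps 2-3. `query` is the callback's query string (redirect_uri, account_linking_token);
    `authenticated_sub` is the OIDC 'sub' claim of the user who just signed in.
    Returns the URL to send the browser back to."""
    redirect_uri = query.get("redirect_uri", "")
    if not query.get("account_linking_token"):
        raise ValueError("missing account_linking_token: not a Messenger-initiated flow")
    if urlparse(redirect_uri).scheme != "https" or not _host_allowed(redirect_uri):
        raise ValueError("refusing to redirect outside Messenger (open-redirect guard)")
    # Design choice (differs from the answer, which appends the raw sub): the browser carries
    # this parameter back to Facebook, so the user could edit it. An opaque single-use code
    # that only our server can map to a sub closes that tampering path.
    code = secrets.token_urlsafe(32)
    PENDING_CODES[code] = (authenticated_sub, (now or time.time()) + CODE_TTL_SECONDS)
    sep = "&" if urlparse(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode({"authorization_code": code})


def authorization_code_from_redirect(url):
    """Helper: pull authorization_code back out of the redirect URL we built."""
    return parse_qs(urlparse(url).query).get("authorization_code", [None])[0]


def handle_account_linking_event(event, now=None):
    """The webhook POST Messenger sends once the redirect lands. Shape as the answer
    describes it: sender.id is the PSID, account_linking.authorization_code is our code
    (the 'status' field is an assumption about the webhook payload).
    Returns the linked sub, or None when nothing was linked."""
    psid = event["sender"]["id"]
    linking = event.get("account_linking", {})
    if linking.get("status") == "unlinked":        # user unlinked from the Messenger side
        LINKS.pop(psid, None)
        return None
    entry = PENDING_CODES.pop(linking.get("authorization_code"), None)  # pop: single use
    if entry is None:
        return None                                 # unknown, forged, or replayed code
    sub, expires = entry
    if (now or time.time()) > expires:
        return None                                 # code outlived its window
    LINKS[psid] = sub
    return sub


def customer_for_message(event):
    """Later message posts carry only the sender PSID; resolve it to our customer id."""
    return LINKS.get(event["sender"]["id"])


def demo():
    """Walk the flow with constructed data; returns what each stage produced."""
    callback_query = {  # constructed: what Messenger appends to the registered callback
        "redirect_uri": "https://www.facebook.com/messenger_platform/account_linking/",
        "account_linking_token": "constructed-token",
    }
    redirect = handle_login_callback(callback_query, authenticated_sub="cust-42")
    code = authorization_code_from_redirect(redirect)
    webhook = {"sender": {"id": "1122334455"}, "recipient": {"id": "PAGE"},   # constructed
               "account_linking": {"status": "linked", "authorization_code": code}}
    linked = handle_account_linking_event(webhook)
    resolved = customer_for_message({"sender": {"id": "1122334455"}, "message": {"text": "hi"}})
    replay = handle_account_linking_event(dict(webhook, sender={"id": "9999"}))  # reused code
    return {"redirect": redirect, "linked": linked, "resolved": resolved, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The replay check at the end of `demo()` is the reason for the opaque code: a second webhook carrying the same authorization_code from a different PSID links nothing, whereas with the raw sub as the code anyone who knew a customer id could attach their own PSID to it.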