Shared Facebook Access Token between Website and Mobile Application

8
votes

I would like a Web site (Rails 3.1 with Devise and Omniauth) and a mobile application (iOS5) to share authentication. By this I mean I would like a user to be able to SSI to the site with Facebook, or SSI to the mobile application and have the mobile application talk to the website's API using the user's credentials to authenticate to the website.

I currently have the web side working nicely with a User being able to SSI to an account. I also have the mobile application working, supporting user SSI. Both are using the same Facebook application.

My problem is finding something shared between the two that I can use for the Mobile application to authenticate against the site. Obviously both have access to the same user ID, but this doesn't seem very secure. My mobile application has an Access Token, but this differs from the website's access token, though they look similar, and my mobile access token expires while my web access token does not.

Web/Rails Token (Not real):

DDDAKnu1dg40BDHEWN0VDssxs8GGF8ZBEEOb38HnS0IUEQC1NSufmPCcGeFkTuw39ZDl7OhlZBD2jwJEqXdAZCtZBflJRQKZB4ZA

Mobile/iOS Token (Not real)

BDDAKnu1dg40BDEo3YjZD2hIwjfZB4slXJj3fmHfzLh5q1xZD0ShfJCb6PMjnApkpM0FTuGGvWnzZBQy4GZCMuysEEqhMz8YgruD53TXKTZC0GPFkfVe0b6fe8wieLLOZDDZA

Using Facebook's access token debugger I get the following (Everything removed is identical between tokens):

For Web/Rails Token:

App ID: 
XXXXXXXXXXXXXXXX : SomeAppName
User ID:    
XXXXXXXX : My Name
Issued: 
1327507734 : 8:08 am Jan 25 2012
Expires:    
Never
Valid:  True
Origin: Web
Scopes: email offline_access

For Mobile/iOS:

App ID: 
XXXXXXXXXXXXXXXX : SomeAppName
Metadata:   {"sso":"iphone-safari"}
User ID:    
XXXXXXXX : My Name
Issued: 
1327507734 : 8:08 am Jan 25 2012
Expires:    
Never
Valid:  True
Origin: Native Mobile
Scopes: email offline_access
3
iosfacebookmobileaccess-tokenfacebook-access-token
hello. did you find a solution to this problem? i'm facing the same issue right now... - alex
Hi. No unfortunately not. Strange given that it would appear to be quite a common requirement. Spent a long time looking but found nothing useful. Moved onto something else but going to have to solve this pretty soon. - Undistraction
My application doesn't have very stringent security requirements, but, what we do is simply check with Facebook to find the user id associated with each access token to match up accounts - JeffS
@alex Any luck? How have you solved it? - Undistraction
I do this all in a blocking fashion. I don't actually use any built in library, and simply handle the requests myself. In that case, a simple call to graph.facebook.com/me and parsing of some JSON is all that is needed. - JeffS

3 Answers

4
votes

Just for the record, the way I have ended up handling this is to pass the mobile token to the server and have the server check the token's authenticity. Once this is confirmed I can check authenticate against my records using uid and email.

1
votes

You have to do small change in facebook API, in authorization, change from

[self authorizeWithFBAppAuth:YES safariAuth:YES];

To

[self authorizeWithFBAppAuth:NO safariAuth:NO];

Because somethimes there is problem with token when you want to auth by fbApp or Safari. I had this same problem, token in my web services was different because of this.

0
votes

A possible method to solve this is to authenticate via facebook on mobile then send the an encrypted f_uid over to the rails app which will then decrypt the f_uid and see who is actually logging into the server.