
I have a mobile online game and my server needs a user_id for the player. But Facebook only gives me an access_token to request data from the user account and doesn't provide a signed user_id. It's important to have a SIGNED user_id so no user can pretend to be another just by replacing the user_id in a request to my server. Signing on the client is not secure because anyone who cares can find the secret key in the client binary.

So now I will have to create an intermediate step in the authentication process: a request to my server with the access_token, which in turn requests user info from Facebook (which is sloooow and depends on my server's geoposition (constant), not the client's), creates a signature with MY_SERVER_PRIVATE_KEY + user_id, and sends it back to the client. This is not a big problem, but it creates latency during authentication.

Am I missing something? Is there no way to receive a user_id from Facebook signed with my application secret key?

RawCode
  • Please specify what server-side technology you are using and also what exactly your app's ultimate functionality is. I have just posted the general information here on how the Facebook API behaves. – Aravind.HU Oct 15 '12 at 05:57

1 Answer


You can't get the signed user id unless the user has connected to your app first. So you have to use either the client-side or the server-side Auth flow in your app.

Application Auth Flow documentation at Facebook

Aravind.HU
  • Thank you. It is as I expected it would be. Just to clarify my app structure: I have a server requiring a SIGNED user_id, and I have an insecure public client. What I need is protection against malicious users who try to authenticate as another user. If I sign the user_id on the client, it gives little to no protection: anyone with skill can disassemble it and find the key (though it is encrypted at compile time; still, not secure). Some social networks do provide a signed user_id for their canvas apps, and that is what led me to the question: I assumed it must be a commonly needed feature and I just missed it in the docs. – RawCode Oct 15 '12 at 09:31
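
The intermediate step described in the question (the server resolves the access_token to a user_id, signs it with a key that never leaves the server, and returns it to the client) can be sketched as follows. This is an added example, not code from either poster: `SERVER_KEY`, `issue_token`, `verify_token` and the `lookup_user_id` callable are hypothetical names, HMAC-SHA256 is an assumed choice of signature, and the provider lookup is replaced by a constructed in-memory table so the code runs offline. The expiry field lets the slow provider round trip be paid once per session instead of on every request.

```python
import base64, hashlib, hmac, json, time

# Assumption: the signing key lives only on the server, never in the client binary.
SERVER_KEY = b"constructed-demo-key"

def b64e(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(access_token, lookup_user_id, ttl=3600, now=None):
    """Exchange a provider access_token for a server-signed user_id token.

    lookup_user_id is a hypothetical callable that performs the
    server-to-provider request and returns the user id, or None if rejected.
    """
    user_id = lookup_user_id(access_token)
    if user_id is None:
        raise PermissionError("provider rejected access_token")
    now = int(time.time()) if now is None else now
    claims = {"uid": str(user_id), "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def verify_token(token, now=None):
    """Return the user_id if the signature is valid and unexpired, else None."""
    try:
        body, sig = token.split(".")
        payload, given = b64d(body), b64d(sig)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return None  # user_id or expiry was altered after signing
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    return claims["uid"] if now < claims["exp"] else None

# Constructed stand-in for the provider lookup (sample data, not real tokens).
FAKE_PROVIDER = {"token-of-alice": "1001", "token-of-bob": "1002"}

def fake_lookup(access_token):
    return FAKE_PROVIDER.get(access_token)
```

A client that swaps the payload for another user's while keeping its own signature fails `verify_token`, which is the protection the question asks for.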