
I have a mobile application (HTML5, JavaScript) and a RESTful service (Java, Jersey) that serves the mobile application.

Mobile application sign-in is handled via Facebook (sign in using a Facebook account), and currently there is no security mechanism integrated into the RESTful service.

So my question is: can I authorize users on the RESTful service via the access token that Facebook returned to the mobile application? To further clarify, if someone has logged into the mobile application, he/she should be authorized to make requests to the RESTful service.

Thanks in advance, Asanka

Asanka

1 Answer

If the user has authenticated with Facebook and you have the access token, you can get the public information of the user's Facebook profile. You've got to hit this link - https://graph.facebook.com/me - with the access token.

Go ahead, click on the link and see what happens. When you pass a valid access token, the profile info will be returned as a JSON object. (If your FB profile page is facebook.com/yourname, then just try https://graph.facebook.com/yourname -> you'll be able to see what the returned data looks like.)

Now, with the user data returned, you can check in your DB whether the user is registered or not; first-time users you can register.

PS - https://graph.facebook.com/yourname actually returns someone's profile info! I didn't know anyone could keep their profile handle as yourname!!!
PPS - I just checked facebook.com/yourname -> Guess who uses this handle! It's the Brazilian defender Roberto Carlos!

divyanshm
  • Hey, I highly appreciate you answering my question; actually, the kind of thing you suggest would serve my purpose. One more thing: I am thinking of putting a filter on the Jersey service and authorizing each request. What do you think of this idea? – Asanka Apr 29 '13 at 05:12
  • Depends on what sort of filter you are talking about and how secure you want your app to be! You are not really accessing someone's private FB info using OAuth, it's just the publicly available information, so I don't think you should worry too much! But then, it totally depends on what exactly your app does and what kind of data you handle. Good luck mate! – divyanshm Apr 29 '13 at 08:48
  • Well, I'm still thinking about what level of security I need for this. Anyway, thank you very much for your opinion. – Asanka Apr 29 '13 at 20:08
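The Jersey filter floated in the comments, combined with the /me lookup from the answer, as an added example (this is not code from the original post, nor Facebook's or Jersey's own code). It goes one step beyond the answer: before trusting a token it calls the Graph API's debug_token endpoint to confirm the token is valid and was issued to this app, because a user access token that is merely valid for Facebook may have been issued to a different app (or obtained by a malicious one) and replayed against this API. It assumes Jersey 2 (javax.ws.rs 2.x) and javax.json on the classpath; FB_APP_ID, FB_APP_TOKEN, the in-memory REGISTERED_USERS map and the "user" role are placeholders.

```java
import java.io.IOException;
import java.io.StringReader;
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.json.Json;
import javax.json.JsonObject;
import javax.ws.rs.Priorities;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Authenticates every request carrying "Authorization: Bearer <facebook user token>". */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class FacebookTokenFilter implements ContainerRequestFilter {

    // Hypothetical values: the id of YOUR Facebook app and its app access token
    // ("APP_ID|APP_SECRET"). Load both from configuration in a real deployment.
    private static final String FB_APP_ID = "123456789012345";
    private static final String FB_APP_TOKEN = FB_APP_ID + "|replace-with-app-secret";
    private static final String GRAPH = "https://graph.facebook.com";
    private static final Client HTTP = ClientBuilder.newClient();

    // Stand-in for the "is this user registered yet" table the answer describes.
    private static final Map<String, String> REGISTERED_USERS = new ConcurrentHashMap<>();

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) {
            ctx.abortWith(unauthorized("missing bearer token"));
            return;
        }
        String token = auth.substring("Bearer ".length()).trim();

        // 1. Ask Facebook whether the token is valid AND was issued to our app.
        //    A valid token belonging to some other Facebook app must not unlock this API.
        JsonObject data = graphGet("/debug_token",
                "input_token", token, "access_token", FB_APP_TOKEN).getJsonObject("data");
        if (data == null
                || !data.getBoolean("is_valid", false)
                || !FB_APP_ID.equals(data.getString("app_id", ""))) {
            ctx.abortWith(unauthorized("token invalid, expired, or issued for another app"));
            return;
        }
        String fbUserId = data.getString("user_id", "");
        if (fbUserId.isEmpty()) {           // app or page tokens carry no user_id
            ctx.abortWith(unauthorized("token is not a user token"));
            return;
        }

        // 2. First-time users: fetch the public profile via /me and register them.
        if (!REGISTERED_USERS.containsKey(fbUserId)) {
            JsonObject me = graphGet("/me", "fields", "id,name", "access_token", token);
            REGISTERED_USERS.put(fbUserId, me.getString("name", ""));
        }

        // 3. Hand the verified identity to resources through SecurityContext.
        final Principal principal = () -> fbUserId;
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return "user".equals(role); }
            @Override public boolean isSecure() {
                return "https".equalsIgnoreCase(ctx.getUriInfo().getRequestUri().getScheme());
            }
            @Override public String getAuthenticationScheme() { return "FACEBOOK"; }
        });
    }

    /** GET a Graph API path with query parameters; returns the parsed JSON body, error bodies included. */
    private static JsonObject graphGet(String path, String... queryKeyValues) {
        WebTarget target = HTTP.target(GRAPH).path(path);
        for (int i = 0; i + 1 < queryKeyValues.length; i += 2) {
            target = target.queryParam(queryKeyValues[i], queryKeyValues[i + 1]);
        }
        Response r = target.request(MediaType.APPLICATION_JSON).get(); // get() does not throw on 4xx
        try {
            return Json.createReader(new StringReader(r.readEntity(String.class))).readObject();
        } finally {
            r.close();
        }
    }

    private static Response unauthorized(String reason) {
        return Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\", error=\"invalid_token\"")
                .entity("{\"error\":\"" + reason + "\"}")
                .type(MediaType.APPLICATION_JSON)
                .build();
    }
}
```

Register the class with the Jersey application (ResourceConfig.register or package scanning) and every request is verified before it reaches a resource; resources then read the Facebook user id from SecurityContext.getUserPrincipal(). Verifying on every request costs a round trip to Facebook, so a production deployment would cache the debug_token result for the token's remaining lifetime, keyed by a hash of the token rather than the token itself. The service must be reachable only over HTTPS, since the bearer token is the whole credential.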