1

Facebook documentation states that

the App Secret or an App Access token should never be included in any code that could be accessed by anyone other than a developer of the app. This applies to all methods of code that are not secured like client-side code (such as HTML or Javascript) or native apps (such as iOS, Android or Windows desktop apps) that could be decompiled. https://developers.facebook.com/docs/facebook-login/security#appsecret

For this reason, if your 'App Type' under Advanced Settings in the App Dashboard is set to Native/Desktop we assume that your native app contains the App Secret or an App Access Token in the binary, and we do not allow calls signed with an App Access Token to proceed. The API will behave as though no access token was provided.

Therefore if you embed App Secret in your app and tell Facebook about it, it will simply stop working with OAuth (I have also tested this, when you check that option, Facebook stops validating the secret).

but Xamarin.Auth 1.3 (latest stable) requires clientSecret (in OAuth2Authenticator class clientSecret is the required parameter) and uses it to obtain Facebook access token when user successfully logs in.

So is it a bug, is there a workaround, or Xamarin.Auth is useless with Facebook for now?

Bob
  • 5,809
  • 5
  • 36
  • 53

2 Answers2

1

Let's not confuse things. This has nothing to do with Xamarin.Auth.

There are two major options for OAuth2:

  1. Implicit flow
  2. Authorization code flow

The implicit flow does not require a client secret. The implicit flow is typically used with mobile apps, since they cannot keep a secret (you could disassemble the app binary and find the secret). Same goes with Javascript or desktop apps. The only way to protect the secret is if it is stored on a server which cannot be accessed by third parties (=the users).

The authorization code flow uses the client secret as an additional protection, the secret identifies a specific party, like a server.

So what does Facebook state? They say, if you configure your app to be a native/desktop app in Facebook's dashboard, they assume (!) that you store the secret in the binary, because: where else would it go? As a consequence, the secret is no longer a real secret, hence the Facebook API acts as if the secret was not there.

Two solutions:

  • Either you configure your app as not native/desktop (I don't know which term Facebook uses, maybe "Server")
  • or you use the implicit flow which was designed for mobile clients.

And to answer your initial question: yes, Xamarin.Auth supports Facebook's OAuth2, because it is just like any other OAuth2.

Community
  • 1
  • 1
Krumelur
  • 32,180
  • 27
  • 124
  • 263
  • Thank you, but I am asking why Xamarin.Auth requires you to embed the client secret to the app and how can it be safe and keep your app working (if you configure your app as native in Facebook, the Oauth flow which Xamarin.Auth uses will stop working, the secret verification will fail) and if you won't your secret will be compromised (as it will be in binaries, which users can disassemble etc etc) would you please say something about this if you know the answer... – Bob Aug 04 '16 at 17:11
  • It cannot. If you include a client secret in a mobile app, it's neither protected nor a secret. However, nobody *stops* you from doing this. For the *implicit* flow you don't need the client secret. Facebook does not detect wether your app contains a client secret. They check: is the app configures as a native/desktop/mobile app? If yes, does it try to use the client secrete? If yes, don't accept because it's not considered a secret. – Krumelur Aug 04 '16 at 17:15
  • 2
    @Bob I think some of the confusion might be that you are using the wrong constructor, use the one without the *required* `ClientSecret`: `public OAuth2Authenticator (string clientId, string scope, Uri authorizeUrl, Uri redirectUrl, GetUsernameAsyncFunc getUsernameAsync = null)` :https://github.com/xamarin/Xamarin.Auth/blob/9c19d90e52994188def9e12e0bbc981a3943a752/src/Xamarin.Auth/OAuth2Authenticator.cs#L110 – SushiHangover Aug 04 '16 at 18:20
  • 1
    I have the same issue. Xamarin.Auth 1.3 does not have a constructor without the clientSecret at the moment. For Xamarin.Auth 1.3 you need to look into the portable-bait-and-switch branch. Master is outdated. – fnllc Aug 06 '16 at 21:59
  • @SushiHangover you are right, there IS 2 constructors and implicit flow does work with the one I wasn't using, I will accept if you post an answer, tnx – Bob Aug 08 '16 at 10:47
1

OAuth2Authenticator contains multiple constructors and there is one that does not require ClientSecret:

public OAuth2Authenticator (string clientId, string scope, Uri authorizeUrl, Uri redirectUrl, GetUsernameAsyncFunc getUsernameAsync = null)

This one will allow OAuth2 Implicit flow and thus does not need a client secret to be stored within your application's code.

Ref: https://github.com/xamarin/Xamarin.Auth/blob/9c19d90e52994188def9e12e0bbc981a3943a752/src/Xamarin.Auth/OAuth2Authenticator.cs#L110

SushiHangover
  • 73,120
  • 10
  • 106
  • 165