In spring social for Facebook api, why does facebook.isAuthorized always return true?

Question

I have an angular2 app that has a Facebook login feature. When the user authenticates themself, I then send this accessToken to the server.

The server program is with Springboot and I make use of spring social.

I want to check to see if this user is authorized. So I call:

facebook.getToken() returns the access token generated on the client side. When I call facebook.isAuthorized() it returns true...As expected, because I am sending real data.

Although if I send bogus data such as:

(The token in this case is fabricated by me) to the same API endpoint facebook.isAuthorized returns true. This is unexpected because in this case I am fabricating an accessToken.

The spring-social dependency is this:

Why does isAuthorize return true for a real access token, as well as a fake one? How can I check to see if a user of my angular2 app has authenticated themselves through Facebook on the server side?

Answer 1

Implementation of isAuthorized() for FacebookTemplate can be found at https://github.com/spring-projects/spring-social/blob/a6bf2626ee8ac81765c416029ca033affc94fc6c/spring-social-core/src/main/java/org/springframework/social/oauth2/AbstractOAuth2ApiBinding.java#L87.

With this source its quite obvious that isAuthorized() only checks if there is any access token provided.

To validate your token you can run any request which need authorization (e.g. userOperations().getUserPermissions()) and check for InvalidAuthorizationException or you can find some inspirations in how to verify facebook access token?.