I receive a fb_authToken and want to validate that it has session and/or belong to the user by fb_id with PHP

Question

I developed some web services for an iOS client-app, the authentication takes place in the client side they 'log in' to the server by sending the user fb_id and fb_authToken and that's it.

I don't want just to trust the client app I would like to verify with facebook if that authToken has session or at least if it does belong to the indicated fb_id. I haven't seen any examples/docs of that with PHP, just about doing the actual login.

Any advice? thanks in advance.

Answer 1

This is a good question. You should never trust anything you get from the client, and you can never be sure an access token is valid before you try to to use it. And of course you can't trust that they are of the userId they say they are.

A general pattern most apps use is to make a simple request through the graph API and then go into re-authentication if Facebook responds with an exception. A simple request to

https://graph.facebook.com/me?fields=id&access_token={your token}

will respond with the user's Facebook userid if the token is valid. You can make this call as a test of the token and to identify the userid. Here is an example of the response you should get:

{
    "id": "100003099278003"
}

Here is a good Facebook developer blog post describing their recommendations around testing for and handling expired or invalid access tokens: https://developers.facebook.com/blog/post/500/