Facebook authentication to my server using Android

孤街浪徒 2020-12-12 15:38

I'm building an application with the following blocks:

Android - Client Side, Java Servlets - Server Side, Facebook app - used in order to authenticate users and wo

2 answers
  •  夕颜 (original poster)
    2020-12-12 16:26

    So you have: Facebook - Android Application - Your web server. And your web server needs to know that you are the Facebook user you are presenting. The problem is that you cannot trust the Android client for any data it gives to you.

    I solved the problem like this:

    1. Authenticate user to Facebook from Android application,
    2. Get the FB auth token to the Android app,
    3. Forward the authentication token & Facebook UID from Android to web server,
    4. Verify the token (using app_id & user_id) by using Facebook Graph debug endpoint as described here (https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#checktoken) to be sure that the token is for the correct application,
    5. On web server, make Facebook API call with the submitted token.

    If the debug endpoint API call from your web server returns valid information (app id & user id), your server can trust the id (& you can be sure that the Android authentication is real).
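
The server-side check from steps 3 to 5 of the answer above, as an added example that is not code from the original post; it is written in Python rather than as a Java servlet, and the same checks port directly. The function names and parameters are hypothetical; `is_valid`, `app_id`, `user_id` and `expires_at` are fields of the Graph API `debug_token` response, and the sample response at the bottom is constructed.

```python
import json
import time
import urllib.parse
import urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"


def fetch_debug_info(input_token, app_id, app_secret):
    """Ask Facebook (server to server) to describe the token the client sent."""
    query = urllib.parse.urlencode({
        "input_token": input_token,
        # App access token in its "<app_id>|<app_secret>" form.
        "access_token": f"{app_id}|{app_secret}",
    })
    with urllib.request.urlopen(f"{GRAPH_DEBUG_URL}?{query}", timeout=5) as resp:
        return json.load(resp)


def verify_debug_info(debug_json, expected_app_id, claimed_user_id, now=None):
    """Return the verified Facebook user id, or raise ValueError.

    The UID sent by the Android client is only compared, never trusted alone.
    """
    now = time.time() if now is None else now
    data = debug_json.get("data") if isinstance(debug_json, dict) else None
    if not isinstance(data, dict):
        raise ValueError("malformed debug_token response")
    if data.get("is_valid") is not True:
        raise ValueError("token is not valid")
    app_id, user_id = data.get("app_id"), data.get("user_id")
    # Reject tokens minted for some other Facebook app.
    if app_id is None or str(app_id) != str(expected_app_id):
        raise ValueError("token was issued to another app")
    # The token must belong to the user the client claims to be.
    if user_id is None or str(user_id) != str(claimed_user_id):
        raise ValueError("token does not belong to the claimed user")
    expires_at = data.get("expires_at", 0)
    if not isinstance(expires_at, (int, float)):
        raise ValueError("malformed expires_at")
    # Assumption: expires_at == 0 denotes a token with no expiry.
    if expires_at and expires_at <= now:
        raise ValueError("token has expired")
    return str(user_id)


if __name__ == "__main__":
    # Constructed sample response, not real Facebook output.
    sample = {"data": {"app_id": "111", "user_id": "42",
                       "is_valid": True, "expires_at": 0}}
    print(verify_debug_info(sample, expected_app_id="111", claimed_user_id="42"))
```

Only after `verify_debug_info` returns should the server create its own session for that user id.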
