oauth - How does one get the app access token for debug_token inspection on Facebook?
It is suggested that whether an app uses code or token as its response_type, it should perform an automated check on the access_token to confirm that the token belongs to the person the app expects it to belong to, and that the app generated the token.
You are supposed to do this on:
GET graph.facebook.com/debug_token?input_token={token-to-inspect}&access_token={app-token-or-admin-token}
where app-token is app_id|app_secret, and token-to-inspect is the user's access_token. Also, I think from reading the documentation that you can retrieve the app-token by doing a client-credentials call with the app_id and app_secret.
This is fine when the authorization flow is implemented server-side, but what if you're using the implicit method and chose a response_type of token (and for whatever reason aren't using FB's JavaScript SDK)? How do you safely get the app-token without leaking your app_secret? How does FB's SDK do it?
You can generate the app_token in the Facebook developer panel here, and save it in a config file on the server side. From the developer's page:
App tokens do not expire and should be kept secret, as they are related to your app secret.
On my page, I use the following flow:
- The user authenticates with the Facebook JS SDK, and sends the token + uid to the server.
- The server validates that the given token is related to the given person via a call to the "debug_token" method, as you spoke of.
- If the token + uid combination is valid, it authenticates the user on the server side.
I hope this helps.
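The server-side check in the flow above, sketched as an added example that is not part of the original answer. The function names are hypothetical, the sample bodies are constructed, and the code assumes the debug_token response carries app_id, user_id, is_valid and expires_at inside a "data" object.

```python
import time
from urllib.parse import urlencode

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"

def debug_token_url(input_token, app_token):
    """Build the request URL on the server; app_token (app_id|app_secret)
    comes from server-side config and is never sent to the browser."""
    query = urlencode({"input_token": input_token, "access_token": app_token})
    return GRAPH_DEBUG_URL + "?" + query

def check_debug_response(body, expected_app_id, claimed_uid, now=None):
    """Return (ok, reason) for a parsed debug_token JSON body.

    expected_app_id is this app's id; claimed_uid is the uid the client
    sent along with the token. Both must match what Facebook reports."""
    now = time.time() if now is None else now
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return False, "malformed response"
    if data.get("is_valid") is not True:
        return False, "token not valid"
    # Token must have been generated for this app, not any other app.
    if str(data.get("app_id", "")) != str(expected_app_id):
        return False, "token issued to a different app"
    # Token must belong to the person the client claims to be.
    if str(data.get("user_id", "")) != str(claimed_uid):
        return False, "token belongs to a different user"
    expires_at = data.get("expires_at", 0)
    if not isinstance(expires_at, (int, float)):
        return False, "malformed response"
    if expires_at and expires_at <= now:  # 0 is treated as "no expiry"
        return False, "token expired"
    return True, "ok"

# Constructed sample bodies (placeholder ids, not real accounts or tokens).
SAMPLE_OK = {"data": {"app_id": "1111", "user_id": "2222",
                      "is_valid": True, "expires_at": 2000}}
SAMPLE_INVALID = {"data": {"app_id": "1111", "user_id": "2222",
                           "is_valid": False, "expires_at": 2000}}

if __name__ == "__main__":
    print(debug_token_url("USER_TOKEN_PLACEHOLDER", "APP_ID|APP_SECRET"))
    print(check_debug_response(SAMPLE_OK, "1111", "2222", now=1000))
    print(check_debug_response(SAMPLE_OK, "9999", "2222", now=1000))
```

Only the (ok, reason) result should drive the server-side login decision; the uid sent by the client is treated as a claim until it matches the user_id Facebook returns.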