2

I have a web application built using React that has an existing User/Session system. Right now, username and password are passed to server to authenticate and create session.

Enter Facebook Login (web). I want to allow for both username/password and also Facebook Login. So, now Facebook Dialog box appears and users can connect. I now receive the Facebook User Id and access token (short-life) on the client side (not the server side). How, now do I authenticate this user on my existing system and create a session?

If I use just the user id, this reveals a security issue (anyone can authenticate with a known user id and get a hijacked session). The short-lived access token is just that, short-lived. So that can't be used as an effective "password". So, what is the best way to securely authenticate someone on my existing login system if they've authenticated themselves via Facebook.

Thanks so much.

Ryan
  • 2,650
  • 3
  • 29
  • 43
  • 1
    having the same issue, pretty sure we are misunderstanding the login flow. Did you ever resolve this? – Horse Jan 06 '16 at 12:32

1 Answers1

1

Found another user with the same issue here. It was resolved by the following:

The Facebook login request returns user id + short lived access token (client side).

Use the server side Facebook SDK to check the validity of the access token (will return user_id and app_id fields if valid).

You can trust the user_id field returned from the Facebook API to check against your existing user database.

Community
  • 1
  • 1
James
  • 739
  • 7
  • 13