Validate token with expo-facebook

I’m using expo-facebook for authentication and will use the token + user ID to exchange for a token that can be used to access my APIs.

One can use the Facebook API to validate a token: Manually Build a Login Flow - Facebook Login - Documentation - Facebook for Developers

However, this requires that you know the app secret. I assume this isn’t shared for the Expo Facebook App :slight_smile: that expo-facebook uses.

The expo api for expo-facebook mentions a signedRequest, but this isn’t actually provided and even if it was you’d still require the secret.

So how is one supposed to know if the token is a valid one?

I tried looking into expo-app-auth as a way to use Facebook that would allow me to continue to use the Expo client. But there don’t seem to be any working examples of that.

Would love to hear what you do.

I found this similar question but it has no answers (to the actual question) Signed request string of Expo.Facebook.logInWithReadPermissionsAsync

Ping to avoid closure!

Hi @mblarsen
I’m not sure if the following topic explains what you mean.

If you want to verify the fbToken server side, your server should first (A) get an access token specifying appId and appSecret, then with the access_token received you can verify (B) the fb token obtained from logInWithReadPermissionsAsync in expo-facebook.

When I try the A request (my data are removed for privacy)

curl --location --request GET 'https://graph.facebook.com/oauth/access_token?client_id=XXXXXXXXXXx&client_secret=YYYYYYYYYY&grant_type=client_credentials&redirect_uri' \
--header 'Content-Type: application/json' \
--data-raw ''

It does return the access_token, but grant_type also accepts "authorization_code"; it is still unclear how to get the authorization_code then.

Hope it helps
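The two-step flow in the reply above, written out as a server-side check. This is an added example, not code from the thread or from Expo: step A is the client_credentials request shown in the curl command, and step B uses the Graph API's debug_token endpoint (not named in the reply) to inspect the user token. It only works when the App ID and App Secret are yours, which is exactly the gap the question raises. It assumes Node 18+ (global fetch); the app id, secret and tokens are placeholders, and fakeGraphFetch is a constructed stand-in for fetch so the example runs offline.

```javascript
const GRAPH = 'https://graph.facebook.com';

// Step A: exchange App ID + App Secret for an app access token
// (grant_type=client_credentials, as in the curl request in the reply).
async function getAppAccessToken(appId, appSecret, fetchImpl = fetch) {
  const url = new URL(`${GRAPH}/oauth/access_token`);
  url.searchParams.set('client_id', appId);
  url.searchParams.set('client_secret', appSecret);
  url.searchParams.set('grant_type', 'client_credentials');
  const res = await fetchImpl(url.toString());
  if (!res.ok) throw new Error(`app token request failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.access_token !== 'string') throw new Error('no access_token in response');
  return body.access_token;
}

// Step B: inspect the user token with /debug_token. The token is accepted only if
// Facebook reports it valid, it was issued for OUR app (not some other app the
// attacker controls), and it belongs to the user id the client claims to be.
async function verifyUserToken({ userToken, claimedUserId, appId, appAccessToken, fetchImpl = fetch }) {
  const url = new URL(`${GRAPH}/debug_token`);
  url.searchParams.set('input_token', userToken);
  url.searchParams.set('access_token', appAccessToken);
  const res = await fetchImpl(url.toString());
  if (!res.ok) throw new Error(`debug_token request failed: HTTP ${res.status}`);
  const { data } = await res.json();
  if (!data || data.is_valid !== true) return { ok: false, reason: 'token not valid' };
  if (String(data.app_id) !== String(appId)) return { ok: false, reason: 'token issued for a different app' };
  if (String(data.user_id) !== String(claimedUserId)) return { ok: false, reason: 'token does not belong to claimed user' };
  return { ok: true, userId: String(data.user_id), scopes: data.scopes || [] };
}

// Constructed stand-in for fetch so the example runs offline: answers the two
// Graph endpoints with canned JSON shaped like the real responses.
function fakeGraphFetch(responses) {
  return async (urlString) => {
    const url = new URL(urlString);
    const body = responses[url.pathname];
    if (!body) return { ok: false, status: 404, json: async () => ({}) };
    return { ok: true, status: 200, json: async () => body };
  };
}

// Happy path with placeholder values: the client sent token + user id "42".
async function demo() {
  const appId = '1234567890'; // placeholder App ID
  const fetchImpl = fakeGraphFetch({
    '/oauth/access_token': { access_token: '1234567890|APPTOKEN', token_type: 'bearer' },
    '/debug_token': { data: { app_id: '1234567890', is_valid: true, user_id: '42', scopes: ['public_profile'] } },
  });
  const appToken = await getAppAccessToken(appId, 'APP_SECRET_PLACEHOLDER', fetchImpl);
  return verifyUserToken({ userToken: 'USERTOKEN', claimedUserId: '42', appId, appAccessToken: appToken, fetchImpl });
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(r)); // { ok: true, userId: '42', scopes: [...] }
}
```

Replace fakeGraphFetch with the real fetch (drop the fetchImpl argument) to talk to Graph; the app_id comparison is the part most often skipped, and without it a valid token issued to any other Facebook app would pass the check.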

Yeah, this is the approach that I link to in my question. Pretty straightforward; however, the Facebook login is locked to Expo’s Facebook app, not mine. So I don’t have the secret and therefore cannot use that solution.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.