Facebook login secure?


I want to let people log in with "Facebook login", but I wonder if it is secure enough, or if I'm just doing it wrong.

What I'm getting back after a successful login is the user data, with the facebook_id, which I'm inserting into the DB, passed by a JavaScript request to the server via a handler since I'm using ASP.NET.

But I think that, through malicious use, one could change that data and insert rubbish into the server, or even insert a different facebook_id.

So I wonder if "Facebook login" is secure enough to use, or whether I'm doing it wrong. I thought about another option to pass that client data to the server: posting back to the server with hidden runat=server textboxes, but still, a malicious user could change those textboxes. I've read here about the option of letting users add a password to their Facebook username, but it sounds a bit user-unfriendly.

Am I right? Is there a way to do it more securely? Is there any cookie that Facebook puts on the client browser that I can read from the server? Since a lot of websites use this "Facebook login", there might be another way that I didn't think about...

There are 3 best solutions below

BEST ANSWER

Pass the access token up to the server (or check for it from the cookie Facebook sets) and then have the server call https://graph.facebook.com/me?access_token=... and get the Facebook ID that way. You can get the access_token by calling FB.getLoginStatus from the JavaScript SDK.


It is important to make an independent call from the server, especially if you are storing their Facebook user ID in a database or something. That way, you know whether or not it is valid.

First, after calling the FB.init function in the Facebook JavaScript SDK, you want to get the user's access token and Facebook user ID via the JavaScript SDK, similar to this:

    // Runs after FB.init(); the token and id are only present when status is 'connected'
    FB.getLoginStatus(function (response)
    {
        if (response.status === 'connected')
        {
            var token = response.authResponse.accessToken;
            var facebookUserID = response.authResponse.userID;
            // send token and facebookUserID to the server (next step); never trust them server-side without re-checking
        }
    });

Second, once you have a token and Facebook user ID, you will want to pass those variables to your server. If you are using WCF or some other form of web service along with JSON.NET, you could create a method such as this:

    using System;
    using System.IO;
    using System.Net;
    using System.ServiceModel;
    using System.ServiceModel.Web;
    using System.Text;
    using Newtonsoft.Json.Linq;

    [WebInvokeAttribute(BodyStyle = WebMessageBodyStyle.WrappedRequest, RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    [OperationContractAttribute]
    public Stream AuthenticateFacebook(string facebookUserId, string token)
    {
        // Ask Facebook directly who this token belongs to. The Graph API answers an invalid
        // or expired token with HTTP 400, which WebClient surfaces as a WebException.
        string json;
        try
        {
            using (var client = new WebClient())
            {
                json = client.DownloadString("https://graph.facebook.com/me?access_token=" + Uri.EscapeDataString(token));
            }
        }
        catch (WebException)
        {
            throw new FaultException("Error validating Facebook token.");
        }

        JObject parsedJson = JObject.Parse(json);

        //Ensure that there isn't a random Facebook server error
        if (parsedJson["error"] != null)
        {
            throw new FaultException("Error parsing Facebook token.");
        }

        //Ensure the facebook user ID passed in via the client matches the one received from the server.
        if ((string)parsedJson["id"] != facebookUserId)
        {
            throw new FaultException("Facebook login ids do not match. Something fishy is going on...");
        }

        //Now you know you have a valid facebook login id. Do your database stuff or whatever else here.
        //(/me proves the token maps to this user, not that it was issued to your app; /debug_token reports the token's app_id.)

        return new MemoryStream(Encoding.UTF8.GetBytes("{\"authenticated\":true}"));
    }

You now have validated that the user is who they say they are.
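As an added example, not part of the question or any of the answers: the same server-side check written as a self-contained Node.js module, so the insecure pattern from the question sits beside the hardened one. It goes one step beyond the answer above by also calling Facebook's /debug_token endpoint to confirm the token was issued to this app, since /me on its own will identify the user for any valid token, including one minted for a different app. APP_ID, APP_SECRET, the token strings and every Graph API response here are constructed stand-ins, and graphFetch is a hypothetical injection point that a real server would back with an HTTPS client.

```javascript
// Added example, not code from the question or either answer: server-side
// validation of a Facebook login as a stand-alone Node.js script.
// APP_ID, APP_SECRET, the tokens and the Graph API replies are constructed
// stand-ins (assumptions), not real values.
const GRAPH = 'https://graph.facebook.com';
const APP_ID = '1234567890';            // hypothetical app id
const APP_SECRET = 'not-a-real-secret'; // hypothetical; the real one never leaves the server

// Constructed Graph API state for three tokens so the example runs offline.
const FAKE_TOKENS = {
  'good-token':    { userId: '100', appId: APP_ID, valid: true  }, // issued to our app
  'other-app':     { userId: '200', appId: '999',  valid: true  }, // valid, but for another app
  'expired-token': { userId: '300', appId: APP_ID, valid: false }, // expired or revoked
};

// Stand-in for fetch(url).then(r => r.json()) against the real Graph API.
async function fakeGraphFetch(url) {
  const u = new URL(url);
  const invalid = { error: { message: 'Invalid OAuth access token.', code: 190 } };
  if (u.pathname === '/me') {
    const t = FAKE_TOKENS[u.searchParams.get('access_token')];
    return t && t.valid ? { id: t.userId, name: 'Test User' } : invalid;
  }
  if (u.pathname === '/debug_token') {
    if (u.searchParams.get('access_token') !== `${APP_ID}|${APP_SECRET}`) return invalid;
    const t = FAKE_TOKENS[u.searchParams.get('input_token')];
    if (!t) return invalid;
    return { data: { app_id: t.appId, user_id: t.userId, is_valid: t.valid,
                     expires_at: t.valid ? 4102444800 : 0 } };
  }
  return { error: { message: 'Unknown path', code: 803 } };
}

// The pattern the question describes: the handler believes whatever the browser
// posted, so anyone can POST { facebookUserId: '<victim id>' } and become the victim.
function insecureLogin(body) {
  return { ok: true, userId: String(body.facebookUserId) };
}

// Hardened version. graphFetch is injected so the same code runs against the
// fake above or a real HTTPS client.
async function verifyFacebookLogin(body, graphFetch = fakeGraphFetch) {
  const { facebookUserId, token } = body;
  if (typeof token !== 'string' || token === '') return { ok: false, reason: 'missing token' };
  const enc = encodeURIComponent;

  // Step 1 (what the accepted answer does): ask Facebook who the token belongs to
  // and refuse if it is not the id the client claimed.
  const me = await graphFetch(`${GRAPH}/me?access_token=${enc(token)}`);
  if (me.error) return { ok: false, reason: `graph error: ${me.error.message}` };
  if (String(me.id) !== String(facebookUserId)) return { ok: false, reason: 'id mismatch' };

  // Step 2: /me accepts any valid user token, including one minted for some other
  // app, so also confirm via /debug_token that this token was issued to *our* app,
  // is still valid, and names the same user.
  const appToken = `${APP_ID}|${APP_SECRET}`;
  const dbg = await graphFetch(`${GRAPH}/debug_token?input_token=${enc(token)}&access_token=${enc(appToken)}`);
  const d = dbg.data;
  if (dbg.error || !d) return { ok: false, reason: 'debug_token failed' };
  if (d.is_valid !== true) return { ok: false, reason: 'token not valid' };
  if (String(d.app_id) !== APP_ID) return { ok: false, reason: 'token issued for another app' };
  if (String(d.user_id) !== String(me.id)) return { ok: false, reason: 'debug_token user mismatch' };
  if (d.expires_at && d.expires_at * 1000 < Date.now()) return { ok: false, reason: 'token expired' };

  // Only now is it safe to look up or create the account keyed by me.id.
  return { ok: true, userId: String(me.id) };
}

// Demo: a forged id sails through the insecure handler but not the hardened one.
(async () => {
  console.log('insecure:', insecureLogin({ facebookUserId: '100' }));
  console.log('hardened, no real token:', await verifyFacebookLogin({ facebookUserId: '100', token: 'forged' }));
  console.log('hardened, other app:', await verifyFacebookLogin({ facebookUserId: '200', token: 'other-app' }));
})();
```

The two checks are deliberately separate: /me answers "which user does this token represent", while /debug_token (called with the app access token APP_ID|APP_SECRET) answers "was this token issued to my app and is it still live". Skipping the second lets a token leaked from an unrelated app log its owner into your site.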


You can use OAuth to move this operation to the server side.

Have a look at this blog post:

http://you.arenot.me/2010/09/28/facebooks-graph-api-and-asp-net/