When I use Facebook's JS SDK to authenticate my app (using the FB.init method) all I need is my App ID. It does not require my app secret and/or app key. However, when I used the PHP SDK, it required my app secret (at least the example I used to learn used both the app ID and the app secret).
Is it secure and recommended to use the JS SDK for authentication? How does the authentication flow really happen with the JS SDK?
Thanks, Vineet
asked Feb 17, 2011 at 11:40 by foriequals0; edited Jul 20, 2012 at 5:18 by Rajat Gupta

Comments:
- Using your app secret in a JS file would allow users to see it in plain text, and that would be a security breach for your app. – Gabriel S., Feb 17, 2011 at 11:43
- Has anything changed in the past years with the FB SDKs? The PHP SDK needs app-id + access-token + secret-key to make requests for the user's data. The JS SDK just needs app-id + access-token. How does FB know that the JS request is really made from my page without the secret-key? Or why isn't the PHP SDK working the same way as the JS SDK (so without the secret-key)? – user775175, Oct 16, 2015 at 7:01
3 Answers
I'm looking into how secure the authentication is also - I think things have changed since you asked this question, so perhaps this information was not correct when you asked.
The new version of the JS SDK uses OAuth 2.0. This is well documented - check out the OAuth 2.0 site for details.
Regarding the issue of whether the SDK needs the app secret - I'm having a little bit of confusion relating to this. On the app server side, the libraries indicate that the JS SDK signs the cookies using the app secret (see the function get_user_from_cookie in the facebook-python sdk); however, it's completely unclear to me how the JS SDK can know the app secret. I'm guessing that it can obtain it dynamically from FB when it talks to FB directly in the authentication process, but I'm not sure.
(Edit: I think that the JS SDK gets the cookie, signed with the app secret, directly from FB - the JS SDK never knows the app secret.)
Not fully answering your question, but perhaps shedding a little more light on how this works.
Another issue to be wary of is not to use the FB user object you get from the client for anything on the server side. This is because it would be really easy for someone to make a script which, instead of calling fb.api '/me', would send a "fake" JSON user object with another user's ID to your app. If you're doing any kind of server-side processing of the user then you really need to do some kind of server-side authentication as well, I think.
It's NOT safe; this is why you have the "Verify Fields" and "Not Verifying the Signature" paragraphs in the Advanced Registration document:

> When you request facebook data, we verify the form fields before packaging them up in the signed_request. This lets you assume that all the data is genuine and saves you from having to verify things. The one problem that could arise, is a smart attacker could change the form fields and submit them to you, thereby giving you unverified data.
Read that document for more information. I've also written a tutorial (an introduction about the plugin) and showed how to handle the fields attribute coming from the client-side.
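Both answers above come down to the same server-side check: the JS SDK never holds the app secret, so whatever arrives from the browser (the cookie the JS SDK sets, the signed_request from the Registration plugin, or a user object posted by a script) is only trustworthy once your server has verified Facebook's HMAC-SHA256 signature with the secret. The Python below is an added example and is not code from either answer, from the question, or from Facebook's SDKs. It implements the documented signed_request layout (base64url signature, a dot, base64url JSON payload, with the signature computed with HMAC-SHA256 over the encoded payload string keyed by the app secret); the app secret and payloads are constructed for the demo, and the forgery shows the "smart attacker" case from the second answer: Facebook's signature reused over edited fields is rejected.

```python
import base64
import hashlib
import hmac
import json

# Constructed value for the demo; a real app secret lives only on the server
# and never goes into the JS SDK or any file served to the browser.
APP_SECRET = "example-app-secret-do-not-ship-to-the-browser"


def _b64url_decode(data: str) -> bytes:
    """base64url without padding, as Facebook emits it; restore the '=' first."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _sign(encoded_payload: str, app_secret: str) -> bytes:
    # The MAC covers the *encoded* payload string and is keyed by the app secret.
    return hmac.new(app_secret.encode("utf-8"),
                    encoded_payload.encode("ascii"), hashlib.sha256).digest()


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Verify a signed_request and return its payload, or raise ValueError.

    Layout: base64url(signature) + "." + base64url(JSON payload). Only a holder
    of the app secret can produce a valid signature, which is why this check
    belongs on the server and the secret is never given to the JS SDK.
    """
    if signed_request.count(".") != 1:
        raise ValueError("malformed signed_request: expected 'signature.payload'")
    encoded_sig, encoded_payload = signed_request.split(".")

    payload = json.loads(_b64url_decode(encoded_payload))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm: %r" % payload.get("algorithm"))

    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(_b64url_decode(encoded_sig),
                               _sign(encoded_payload, app_secret)):
        raise ValueError("bad signature: payload was not signed with our app secret")
    return payload


def make_signed_request(payload: dict, app_secret: str) -> str:
    """Produce a signed_request the way Facebook's servers would (test helper)."""
    encoded_payload = _b64url_encode(
        json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return _b64url_encode(_sign(encoded_payload, app_secret)) + "." + encoded_payload


def is_valid(signed_request: str, app_secret: str) -> bool:
    try:
        parse_signed_request(signed_request, app_secret)
        return True
    except ValueError:  # covers JSON and base64 decoding errors as well
        return False


def demo() -> dict:
    """Genuine request accepted; the same signature over edited fields rejected."""
    # Constructed payload in the shape Facebook sends (user_id plus, for the
    # Registration plugin, the verified form fields under "registration").
    genuine = make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": 1297000000,
         "user_id": "100001234567890",
         "registration": {"name": "Example User", "email": "user@example.com"}},
        APP_SECRET)
    user = parse_signed_request(genuine, APP_SECRET)

    # Attacker keeps Facebook's signature but swaps in another user's ID.
    sig, _ = genuine.split(".")
    forged_payload = dict(user, user_id="4")
    forged = sig + "." + _b64url_encode(
        json.dumps(forged_payload, separators=(",", ":")).encode("utf-8"))

    return {
        "genuine_user_id": user["user_id"],
        "genuine_email": user["registration"]["email"],
        "forged_accepted": is_valid(forged, APP_SECRET),
        # A payload signed with some other app's secret must fail as well.
        "other_secret_accepted": is_valid(
            make_signed_request(user, "another-apps-secret"), APP_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```

Use parse_signed_request on the server for every request that claims an identity, and take the user ID from its payload rather than from anything the client-side code posts; the JS SDK can safely run with only the App ID precisely because the signature check, and the secret it needs, stay on the server.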