How to get the authorization code on react native for the Facebook strategy #82

Open
JackShannon opened this issue Mar 5, 2021 · 1 comment

Comments

@JackShannon

JackShannon commented Mar 5, 2021

I'm sorry, I know that this is not really directly related to assent.

The Facebook strategy requires an authorization code for the callback.

In this issue you say that "The Facebook strategy docs now highlights how to fetch the code client side to submit server side".

#34 (comment)

Our problem is that we are using https://github.com/facebook/react-native-fbsdk to implement the frontend Facebook auth in React Native, so I don't think we can use the JS SDK to get the signed request and get the authorization code.

Please could you point me in the right direction on how to get the code from the accessToken in this situation?

@LukasKnuth

I know this is a few years old but it can be hard to gauge how to do this with Assent.

It is my understanding that the Facebook Login SDK does not give you access to the Authorization Code. Instead, it returns an Access Token directly. You can work with this:

# Assumes `alias Assent.Strategy.Facebook` in the enclosing module, and that
# `strategy_config/0` (the client_id/client_secret of this app) and
# `extract_relevant/1` are helpers defined elsewhere in that module.
def token_flow(access_token, _opts) do
  config = Keyword.merge(Facebook.default_config([]), strategy_config())
  # Wrap the SDK-supplied token in the map shape that fetch_user/2 expects.
  token = %{"access_token" => access_token}
  with {:ok, user} <- Facebook.fetch_user(config, token) do
    config
    |> Facebook.normalize(user)
    |> extract_relevant()
  end
end

Note on security:

The access_token is opaque and can't be inspected by the server to verify if it was actually created for the same Facebook Login App. Imagine the following attack scenario:

  • A malicious actor sets up their own legit website "Cool Game" with Facebook Login
  • A user of your "Jacks App" logs in on "Cool Game" using their Facebook account
  • The malicious actor now has a valid access_token for that user
  • The malicious actor sends the access_token meant for "Cool Game" to "Jacks App"
  • They are logged in as the "Jacks App" user who actually just logged into "Cool Game"

There are two ways to prevent this attack on Facebook:

Assent always sends the appsecret_proof parameter with the fetch_user/2 request. In the scenario above, the request to "Jacks App" fails because the access_token that the malicious actor acquired is not linked to the same Facebook Login Application as the secret the "Jacks App" server uses to generate the appsecret_proof parameter.
