
Possible Duplicate:
Isn’t OAuth, OpenID, Facebook Connect, and others crazy from a security standpoint?

I have some real concerns about how to use Facebook login for my web app. I have a standard registration and login process over HTTPS with email (including a validation link) + password. However, I want to let people use Facebook to log in and register with my app, and since the Facebook e-mail is already validated, I don't even need to validate it.

I use the JavaScript SDK for the login, which is the simplest way to integrate according to Facebook and should be used for web apps. However, this only certifies that my user is logged in client side; I don't see how I can trust my client when he says he is correctly logged into Facebook as user X and I hand him back the confidential data.

I have found a workaround for this issue as explained in this question, but have no true answer, and I would really like an expert to explain why it seems so awkward to use Facebook Connect and whether I'm truly understanding it right.

Thank you so much.

Daren
  • I think you need to research the OAuth protocol, and the concepts of federated logon more deeply. Take a look at http://security.stackexchange.com/q/13803/13909, http://security.stackexchange.com/q/4032/13909 – MCW Dec 21 '12 at 13:28
  • @Daren, welcome to [security.se]. Check out the linked duplicate question - if you still have additional questions, please ask again! – AviD Dec 21 '12 at 13:34
  • WTF! I don't see how my question is identical to a debate over the advantages of OAuth protocols... I'm asking if I'm missing something about the implementation of Facebook login from my app's viewpoint... I asked this on security.stackexchange.com since nobody seemed to be able to answer the same question on Stack Overflow... – Daren Dec 21 '12 at 13:59
  • @Daren: The answer to your question is that you need to use OAuth on the server. See the duplicate for details. – SLaks Dec 24 '12 at 21:12
  • @SLaks: Yeah, that's what I ended up doing; Facebook just got it wrong recommending the JavaScript SDK for web apps... the moment you have user info on your own server, you need server-side login. Thanks. – Daren Jan 24 '13 at 09:54
  • @Daren: Facebook is recommending the JavaScript SDK for client-side web apps – SLaks Jan 25 '13 at 14:09
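The gap the question describes, and the server-side step the comments point at, can be shown concretely. Facebook's `signed_request` (the value the JavaScript SDK leaves in the `fbsr_<app_id>` cookie) is `base64url(signature).base64url(json_payload)`, where the signature is an HMAC-SHA256 over the encoded payload keyed with the app secret; since only the server holds the secret, the server can check it rather than trusting whatever user id the browser claims. The code below is an added example, not from the question or any commenter; the app secret, the payload values and the 300-second freshness window are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example; a real app secret never leaves the server.
APP_SECRET = b"example-app-secret-not-real"
MAX_AGE_SECONDS = 300  # freshness window chosen for the example, not a Facebook value


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_signed_request(payload: dict, app_secret: bytes) -> str:
    """Build a signed_request the way Facebook does (used here to construct test input)."""
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret, payload_b64.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{payload_b64}"


def verify_signed_request(signed_request: str, app_secret: bytes, now: int) -> Optional[dict]:
    """Return the payload only if its HMAC-SHA256 signature and freshness check out.

    This is the server-side check the client-side SDK login alone does not give you:
    the browser can claim any user id, but cannot forge the HMAC without the secret.
    """
    parts = signed_request.split(".", 1)
    if len(parts) != 2:
        return None
    sig_b64, payload_b64 = parts
    try:
        sig = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(app_secret, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # payload tampered with, or signed with the wrong secret
    payload = json.loads(_b64url_decode(payload_b64))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    if now - int(payload.get("issued_at", 0)) > MAX_AGE_SECONDS:
        return None  # stale request; treat as a possible replay
    return payload
```

Only after `verify_signed_request` returns a payload should the server look up or create the local account for `payload["user_id"]` and hand back anything confidential.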

0 Answers