I'm developing for Android and currently use facebook-android-sdk for authentication.
From what I can see there is no use of the app secret in that code which is great.
Now that Facebook are going to remove the offline_access permission I need to extend the access token. Unfortunately the sdk's extendAccessToken method isn't stand alone and requires the official Facebook application to be installed which is unacceptable for me.
So I decided to implement extendAccessToken directly (similar to the iphone sdk implementation).
The problem is the HTTP request for extending an access token requires the client_secret field which means I need to put the app secret in the code itself. This doesn't feel safe at all for an Android/Java application that can be reverse engineered easily.
Are there any alternatives?
Why not host the code for doing this on your own server, and have the client extend the token via a call to your server?
So here's what I've discovered so far about Android/iOS sdks in regards to generating/extending tokens.
I've found 2 methods to generate the tokens client side with the SDK's and 3 methods to extend the tokens.
Generating:
1) Facebook app. Produces a SSO token
2) Web browser(iOS)/web dialog(Android/BB). Produces a SSO token on iOS and non-SSO token on Android/BB
These tokens are all long term tokens.
Extending:
1) iOS/Android app. In the Android case only if the user is signed into the app, otherwise the call to the bound service never returns anything, not even an error. Haven't tested iOS for that scenario.
2) auth.extendSSOAccessToken. This is the endpoint for the old API which, as far as I can tell, the iOS SDK still uses if the official app isn't present. Now if you use this endpoint on a token that wasn't generated with SSO (Android popup dialog) you get an error code 10 with a msg telling you the token wasn't generated with SSO. This might lead you to suspect that it could work as long as your token was generated via SSO. Your suspicion would be wrong, it gives you an error code 100 with a msg of "Access token for the Facebook application not supplied". This leaves this method completely useless on Android as far as I can tell.
3) oauth/access_token. This is the endpoint that FB tells us to use in their roadmap. Of course this method a) exposes your APP_SECRET (which FB strongly suggests not to) via apk decompilation/unpackaging and b) only works for extending short term tokens into long term tokens. So if you're starting off with a long term token, which is the default returned when on Android/iOS, you need to generate a short term token first and then extend it with this method client side (unsafe) or server side (not for everyone). How do you generate a short term token from a long term token? Wish I knew =(.
So far haven't been able find any ideas for accomplishing this anywhere. If anyone does know, Please Share!
This would at least give the people with servers a safe method for extending long term tokens.