Authentication fails when using it from Android or iOS SDK on client side

[asmatameem]

From the mobile SDK, we pass the access_token instead of signed_request. Also there would not be any cookies set when making the request from mobile SDK.

Our server API serves both the webapp and mobile app. It works well with the webapp, however because of sending access token and no cookies set from mobile, the facebook login fails.

How do we make it work?

[asmatameem]

Any suggestions on this?

[felipekk]

@asmatameem I've noticed you are testing this functionality in your fork. Does it work as expected?
@mkdynamic Can you give an insight on a strategy/path to implement this?

Edit: continuing with the research, there's issue #160 that mentions CVE-2013-4593. There's two ways of protecting against the security vulnerability:

1. Using HTTPS/SSL for all the communication between the mobile client and the app server
2. Verifying that the auth_token provided by the client is for the correct Facebook application

More information can be found here: https://developers.facebook.com/docs/facebook-login/access-tokens#authClientServer

Edit 2: I was able to get https://github.com/SoapSeller/omniauth-facebook-access-token to work, seems to handle the case

[simi]

see https://github.com/mkdynamic/omniauth-facebook/wiki/Access-token-vulnerability:-CVE-2013-4593

[asmatameem]

@felipekk - Yes it works well for me using my forked branch.

[felipekk]

@simi I had already mentioned the CVE that you linked. Even Facebook's documentation say that you can do it. Other implementations perform the check to ensure that the token received is for the right application.

[simi]

let me test it @felipekk

Can you provide me links where other implementations do that?

[felipekk]

Here's a fork of omniauth-facebook that implemented something:
https://github.com/asmatameem/omniauth-facebook

And then there's this guy who implemented another strategy that acts as a layer before omniauth-facebook, accepting the auth_token:
https://github.com/SoapSeller/omniauth-facebook-access-token

[simi]

The reason to remove code from https://github.com/asmatameem/omniauth-facebook is 115c0a7 (related to that CVE).

https://github.com/SoapSeller/omniauth-facebook-access-token uses similar code.

But as I said, I'll take a look at this again, if there is not some secure way how to achieve this.

[felipekk]

Thanks @simi
I believe this is the bit that adds the security (at least related to the CVE):

https://github.com/SoapSeller/omniauth-facebook-access-token/blob/master/lib/omniauth/strategies/facebook-access-token.rb#L89-L93

[simi]

hmm, that's looks good @felipekk

I try to review security again for this and I try to add PR.