my company is developing a system that works as follows:
there is an iphone/mobile app and a php server that offers rest services.
in the mobile app,the user can register/login in 2 ways:
while the point 1. is quite clear, i am in difficulty with the point number 2:
from what i understand , the sequence should be something like the following:
1 - the app sends to fb user data, and fb in some way that i don't care authenticate the user and answer with "ok, it's you". 2- the app must now request to the php server some user data.
how can i authenticate the communication between the server and the app, after the user has logged with fb in the app ?
i can't just ask "send me the data of the user fbid" because with a simple request that could be retrieved by anyone.
That's why you use the "secret key" (part of facebook settings).
When a user logs in via your app, they give approval to share info with your app and get given a token - the token is a session id. That session Id can only be used by that user, from that phone with your app - unless you have the "secret key".
The phone then passes that session ID to the server.
The server then passes the token, along with the secret key, and facebook gives the server back the same information as it would the user on the phone. That's how it authenticates.
Anyone else (other than the user on the phone) not having the secret key, and the token is useless.