How does Login with Facebook iOS and Android SDK use the app secret?

What happens if I enabled "Require App Secret" for my Facebook application? How will the Mobile SDKs that are downloaded from Facebook be affected by this?

I've read in Facebook Security documentation that you shouldn't put the App Secret in your client side. So if that's the case, why does Facebook documentation show that you can complete the login flow by only doing everything client side?

1 answer

  • answered 2021-07-27 19:07 Gary Archer

    A mobile app cannot properly keep a secret since there are ways of decompiling code or intercepting HTTP messages to discover it.

    The standard AppAuth pattern is preferred, which uses Authorization Code Flow (PKCE) - see this Curity article for some details.

    The preferred option is for a company's mobile app to authenticate via the company's Authorization Server, using the AppAuth pattern, providing these benefits:

    • Many authentication methods can be added without code changes - including Facebook - and if it requires a client secret this will be managed server side

    • Tokens issued will be useful to your company's APIs, and can provide custom claims - this will not be possible if you use tokens issued by Facebook

