
Facebook documentation states that

the App Secret or an App Access token should never be included in any
code that could be accessed by anyone other than a developer of the
app. This applies to all methods of code that are not secured like
client-side code (such as HTML or Javascript) or native apps (such as
iOS, Android or Windows desktop apps) that could be decompiled.

Source: https://developers.facebook.com/docs/facebook-login/security#appsecret

For this reason, if your ‘App Type’ under Advanced Settings in the App
Dashboard is set to Native/Desktop we assume that your native app
contains the App Secret or an App Access Token in the binary, and we
do not allow calls signed with an App Access Token to proceed. The API
will behave as though no access token was provided.

Therefore, if you embed the App Secret in your app and tell Facebook about it, it will simply stop working with OAuth (I have also tested this: when you check that option, Facebook stops validating the secret).

But Xamarin.Auth 1.3 (latest stable) requires clientSecret (in the OAuth2Authenticator class, clientSecret is a required parameter) and uses it to obtain the Facebook access token when the user successfully logs in.

So is it a bug, is there a workaround, or is Xamarin.Auth useless with Facebook for now?

2 Answers


  1. Let’s not confuse things. This has nothing to do with Xamarin.Auth.

    There are two major options for OAuth2:

    1. Implicit flow
    2. Authorization code flow

    The implicit flow does not require a client secret. The implicit flow is typically used with mobile apps, since they cannot keep a secret (you could disassemble the app binary and find the secret). The same goes for JavaScript or desktop apps. The only way to protect the secret is if it is stored on a server which cannot be accessed by third parties (= the users).

    The authorization code flow uses the client secret as an additional protection, the secret identifies a specific party, like a server.

    So what does Facebook state? They say, if you configure your app to be a native/desktop app in Facebook’s dashboard, they assume (!) that you store the secret in the binary, because: where else would it go? As a consequence, the secret is no longer a real secret, hence the Facebook API acts as if the secret was not there.

    Two solutions:

    • Either you configure your app as not native/desktop (I don’t know which term Facebook uses, maybe “Server”)
    • or you use the implicit flow which was designed for mobile clients.

    And to answer your initial question: yes, Xamarin.Auth supports Facebook’s OAuth2, because it is just like any other OAuth2.

  2. OAuth2Authenticator contains multiple constructors and there is one that does not require ClientSecret:

    public OAuth2Authenticator (string clientId, string scope, Uri authorizeUrl, Uri redirectUrl, GetUsernameAsyncFunc getUsernameAsync = null)

    This one will allow the OAuth2 implicit flow and thus does not need a client secret to be stored within your application's code.

    Ref: https://github.com/xamarin/Xamarin.Auth/blob/9c19d90e52994188def9e12e0bbc981a3943a752/src/Xamarin.Auth/OAuth2Authenticator.cs#L110

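The two answers above together describe the fix: use the secret-free OAuth2Authenticator constructor so that the implicit flow runs and no App Secret ships in the binary. The following is an added example written for this page; it is not code from the thread or from the Xamarin.Auth project. The Facebook authorize and redirect URLs, the "email" scope and the app id placeholder are assumptions you would replace with your own app's values; the constructor, the Completed and Error events, and the "access_token" account property are the Xamarin.Auth API as quoted in the answer.

```csharp
using System;
using Xamarin.Auth;

// Added example: implicit-flow Facebook login with Xamarin.Auth.
// The four-argument constructor (no clientSecret) selects the implicit flow,
// so the App Secret never leaves Facebook's side and cannot be recovered
// by decompiling the app. URLs, scope and app id below are assumptions.
public static class FacebookImplicitLogin
{
    // Placeholder: the public App ID from the Facebook App Dashboard.
    // This value is not secret, unlike the App Secret, so it may live in the binary.
    const string ClientId = "YOUR_FACEBOOK_APP_ID";

    // Assumed values: ask only for what the app needs.
    const string Scope = "email";
    static readonly Uri AuthorizeUrl = new Uri("https://www.facebook.com/dialog/oauth");
    static readonly Uri RedirectUrl = new Uri("https://www.facebook.com/connect/login_success.html");

    // Builds the authenticator; the caller presents auth.GetUI() on its platform.
    public static OAuth2Authenticator Create(Action<string> onToken, Action<string> onError)
    {
        // No clientSecret parameter: Xamarin.Auth requests response_type=token,
        // and Facebook returns the access token directly in the redirect fragment.
        var auth = new OAuth2Authenticator(ClientId, Scope, AuthorizeUrl, RedirectUrl);

        auth.Completed += (sender, e) =>
        {
            if (!e.IsAuthenticated)
            {
                // The user cancelled or the provider denied the request.
                onError("Login was not completed.");
                return;
            }

            // The token is a bearer credential: keep it out of logs and source,
            // and store it with the platform secure store, not in preferences.
            string accessToken;
            if (e.Account.Properties.TryGetValue("access_token", out accessToken))
                onToken(accessToken);
            else
                onError("Provider response did not contain an access token.");
        };

        auth.Error += (sender, e) =>
        {
            // Protocol or network failures arrive here rather than in Completed.
            onError(e.Message);
        };

        return auth;
    }
}
```

Present the login page with the platform-specific call (StartActivity(auth.GetUI(this)) on Android, PresentViewController(auth.GetUI(), true, null) on iOS). Because the implicit flow returns a bearer token straight to the client, treat it as you would a password: persist it only through AccountStore or the OS keychain, and never write it to logs or crash reports.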