Facebook integration, once again

Hello again,

I remain very frustrated attempting to do Facebook integration from a Tizen HTML application. Let's recapitulate:

  • We cannot use Facebook's JS SDK, because apps are installed under the file:// protocol, and so there is no referrer on the API requests, a situation that is explicitly and intentionally unsupported by Facebook.
  • The previously recommended workaround involved implementing the REST API, which has been deprecated for many years now, and to which new applications don't get access.

The current recommended URL-monitoring workaround, at https://developer.tizen.org/documentation/articles/facebook-app-tizen, does work... but unless I'm missing something obvious, it's incredibly insecure and I don't think anyone should be using it. The problem is that after acquiring a temporary access code through dialog/oauth, it relies on the access_token graph API call which requires the Facebook app secret embedded directly into the URL.

That app secret is the master password for all Facebook functionality related to the app, and should absolutely not be embedded client-side. This is especially true for HTML5/JavaScript code, where it's not even easily obfuscated, but is going to just sit there right in the source code for anyone with a browser to find.

Here's what Facebook says about this API call, at https://developers.facebook.com/docs/facebook-login/access-tokens/:

Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.

Offhand I can only think of two ways Facebook integration can be accomplished in a Tizen HTML app with any ease:
  • Host a page somewhere else that loads the Facebook JS SDK, include that page in an iframe, and implement some kind of postMessage()-based bridge to the app. This may or may not work, but it's ridiculously cumbersome and kludgy.
  • Write some server-side code to implement parts of the Facebook login flow (at a minimum, the access_token call above) without having to indirectly publish our secure credentials.

Neither of these is attractive to me. Is there a path I'm missing? Grateful for any help, and any thoughts on the above.

Zell

Edited by: Pär Winzell on 27 Jan, 2014
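
The second option in the post above (making the access_token call from server-side code), shown as an added example that is not part of the original thread or of the Tizen article. The function names, the FB_APP_ID / FB_APP_SECRET environment variables, the example.invalid redirect URI and the JSON response fields are assumptions; the HTTP call is injected so the block runs offline.

```javascript
// Added example (Node.js): the code-for-token exchange runs on a server, so the
// app secret lives in the server's environment and never ships in the app.
const TOKEN_ENDPOINT = 'https://graph.facebook.com/oauth/access_token';

// Assumption: the redirect URIs registered for the app (constructed value).
const ALLOWED_REDIRECTS = new Set(['https://example.invalid/fb/callback']);

// Read credentials from the environment; fail closed if they are missing.
function loadConfig(env = process.env) {
  if (!env.FB_APP_ID || !env.FB_APP_SECRET) {
    throw new Error('missing FB_APP_ID / FB_APP_SECRET');
  }
  return { appId: env.FB_APP_ID, appSecret: env.FB_APP_SECRET };
}

// Build the access_token request. Only this server-side code sees the secret.
function buildTokenUrl(code, redirectUri, cfg) {
  if (typeof code !== 'string' || code.length === 0 || code.length > 2048) {
    throw new Error('invalid code');
  }
  // Refuse redirect URIs the client made up; only registered ones are used.
  if (!ALLOWED_REDIRECTS.has(redirectUri)) {
    throw new Error('redirect_uri not registered');
  }
  const qs = new URLSearchParams({
    client_id: cfg.appId,
    redirect_uri: redirectUri,
    client_secret: cfg.appSecret,
    code,
  });
  return `${TOKEN_ENDPOINT}?${qs}`;
}

// httpGetJson(url) -> Promise<object> is injected; a real deployment would pass
// a thin wrapper around its HTTP client. Assumed response: JSON with
// access_token and expires_in.
async function exchangeCode(code, redirectUri, cfg, httpGetJson) {
  const body = await httpGetJson(buildTokenUrl(code, redirectUri, cfg));
  if (!body || typeof body.access_token !== 'string') {
    // Generic error only: upstream messages may echo request parameters.
    throw new Error('token exchange failed');
  }
  // Hand the app only the user token; secret and raw response stay here.
  return { access_token: body.access_token, expires_in: body.expires_in };
}
```

The Tizen app would send the temporary code from dialog/oauth to an endpoint wrapping `exchangeCode` over HTTPS and receive only the user access token back.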

Responses

4 Replies
Lakshmi Grandhi

Hi,

With the scope of APIs provided by Facebook developers, you can opt for the second option.

Pär Winzell

Okay, thanks. I figured that was probably the case, but wanted to check if there had been any updates.

I would humbly suggest tweaking the document in question so it doesn't recommend embedding the app secret in the client.

Zell

Marco Buettner
I think in Tizen 3.0 we get more rights on the WebView, so currently it's not a dramatic case because Tizen isn't released yet.
Pär Winzell

Marco,

Thanks, that's interesting. I'll keep an eye out for that, and release without Facebook integration for now.

Zell