Hello,

On Tue, Feb 25, 2014 at 3:07 PM, Tom Chiverton <t...@extravision.com> wrote:

> On 25/02/2014 13:44, Alexander Farber wrote:
>
>> And there was no way to store the OAuth "app secret" string on the server.
>> And thus I know that my app is vulnerable (for impersonation of other
>> users) and the ease of AIR decompilation doesn't help there.
>>
>
> Are you using 'login with Facebook' or something in your app then? By
> loading a browser frame from the AIR app etc.?
>

I am talking about the "client_secret" string described at
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/

    Exchanging code for an access token

    To get an access token, make an HTTP GET request to the following
    OAuth endpoint:

    GET https://graph.facebook.com/oauth/access_token?
        client_id={app-id}
        &redirect_uri={redirect-uri}
        &client_secret={app-secret}
        &code={code-parameter}

You can't put that string on a server, you must hardcode it in the app.

Regards
Alex
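The code-for-token exchange quoted in the message above, as an added example that is not code from this thread, from Apache Flex or from Facebook's SDK. The endpoint and the four query parameters are the ones the message quotes; everything else is an assumption: the response shapes handled by parse_token_response (form-encoded `access_token=...&expires=...` or a JSON object), the TokenRelay class (a server-side component that holds the client_secret and accepts only the short-lived `code` from the client), and the fake transport and sample values, which are constructed so the example runs offline.

```python
"""
Added example: the OAuth "exchange code for access token" request from the
thread, built once as a plain URL and once behind a hypothetical server-side
relay that is the only party holding client_secret.
"""
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint quoted in the message.
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"


def build_token_request(app_id, redirect_uri, app_secret, code):
    """Return the GET URL from the message: client_id, redirect_uri,
    client_secret and code, URL-encoded as query parameters. Whoever calls
    this function must possess app_secret."""
    params = {
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "client_secret": app_secret,
        "code": code,
    }
    return TOKEN_ENDPOINT + "?" + urlencode(params)


def parse_token_response(body):
    """Parse the token endpoint's reply.
    Assumption: the body is either form-encoded ('access_token=...&expires=...')
    or a JSON object carrying 'access_token' (success) or 'error' (failure)."""
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        if "error" in data:
            raise ValueError("token exchange failed: %r" % (data["error"],))
        exp = data.get("expires_in", data.get("expires"))
        return {"access_token": data["access_token"],
                "expires_in": int(exp) if exp is not None else None}
    fields = parse_qs(body, strict_parsing=True)
    if "access_token" not in fields:
        raise ValueError("token exchange failed: %r" % (body,))
    exp = fields.get("expires", fields.get("expires_in", [None]))[0]
    return {"access_token": fields["access_token"][0],
            "expires_in": int(exp) if exp is not None else None}


class TokenRelay:
    """Hypothetical server-side relay. It holds the app secret, receives only
    the `code` the client got on its redirect_uri, performs the exchange itself
    and hands the client the resulting token. `transport` is a callable
    url -> response body, injected so the example runs without network."""

    def __init__(self, app_id, redirect_uri, app_secret, transport):
        self._app_id = app_id
        self._redirect_uri = redirect_uri
        self._app_secret = app_secret
        self._transport = transport

    def exchange(self, code):
        url = build_token_request(self._app_id, self._redirect_uri,
                                  self._app_secret, code)
        return parse_token_response(self._transport(url))


def request_carries_secret(url, app_secret):
    """True if client_secret travels in the request: the party that built it
    (here, an AIR client or the relay) had the secret in memory."""
    q = parse_qs(urlparse(url).query)
    return q.get("client_secret", [None])[0] == app_secret


# Constructed stand-in for the HTTP GET to graph.facebook.com (not real data).
SAMPLE_APP_ID = "123456789012345"
SAMPLE_SECRET = "s3cr3t-from-app-dashboard"
SAMPLE_CODE = "AQD_code_from_redirect"
SAMPLE_REDIRECT = "https://app.example/callback"


def fake_graph_transport(url):
    """Checks the documented parameters and answers the way the Graph API
    answered form-encoded requests at the time (assumed response shape)."""
    q = parse_qs(urlparse(url).query)
    if q.get("client_id") != [SAMPLE_APP_ID] or q.get("client_secret") != [SAMPLE_SECRET]:
        return json.dumps({"error": {"message": "Error validating client secret.", "code": 1}})
    if q.get("code") != [SAMPLE_CODE]:
        return json.dumps({"error": {"message": "Invalid verification code format.", "code": 100}})
    return "access_token=CAAXXconstructedtoken&expires=5183944"


if __name__ == "__main__":
    # Client-side variant: the client itself must hold SAMPLE_SECRET.
    url = build_token_request(SAMPLE_APP_ID, SAMPLE_REDIRECT, SAMPLE_SECRET, SAMPLE_CODE)
    print("client builds request containing secret:", request_carries_secret(url, SAMPLE_SECRET))
    # Relay variant: the client only supplies the code.
    relay = TokenRelay(SAMPLE_APP_ID, SAMPLE_REDIRECT, SAMPLE_SECRET, fake_graph_transport)
    print("relay result:", relay.exchange(SAMPLE_CODE))
```

In the first variant the secret is an argument of the code that ships in the client, which is the situation the message describes; in the relay variant the client-facing interface is `exchange(code)` only, so the secret never needs to leave the server process.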