I'm writing this post after some frustration using Facebook's Registration social plugin. The plugin is great, no issues at all, the problem is in the verification of the 'signed_request'-query parameter in the response from Facebook. The documentation is not very clarifying and the only code-example is in PHP and there are som differences.
Some pointers:
- The signed_request is encoded using Base64Url-encoding, not plain Base64-encoding.
- The signed_request contains two parts (divided by a '.'), the first is the signature and the other is the JSON-payload.
- The signature must be verified
The Java-code to verify the signature looks like this
public static boolean verifySignedRequest(String signedRequest, String appSecret){ try { String[] split = signedRequest.split("\\."); Base64 base64 = new Base64(true); // URL-mode String encodedSignature = split[0]; String encodedPayload = split[1]; String SIGN_ALGORITHM = "HMACSHA256"; Mac mac = Mac.getInstance(SIGN_ALGORITHM); SecretKeySpec secretKeySpec = new SecretKeySpec(appSecret.getBytes(), mac.getAlgorithm()); mac.init(secretKeySpec); byte[] mysig = mac.doFinal(encodedPayload.getBytes()); return Arrays.equals(mysig, base64.decode(encodedSignature)); } catch (InvalidKeyException e) { // Ignore } catch (NoSuchAlgorithmException e) { // Ignore } return false; }
Some comments about the code:
- The Base64 class is the Jakarta Commons Base64 implementation, in urlSafe-mode
- 'mysig' is generated using the Facebook App Secret for your Facebook Application and the Base64Url-encoded JSON-payload, NOT the decoded version (as I thought...)
- It should work :-)
Hope this helps!
Inga kommentarer:
Skicka en kommentar