
Support for server-side authentication validation

Open derwaldgeist opened this issue 4 years ago • 1 comments

Detailed Description

We have watched the video about security on this page:

https://developers.facebook.com/docs/facebook-login/security

and would like to implement server-side validation as part of the authentication process, just as we did for Sign In With Apple.

However, we're surprised that we cannot find any APIs in the Unity SDK to actually support this level of security. The LogInWithReadPermissions() method directly responds with an authentication token instead of an authentication code, and there is no way (as far as we can tell) to request the latter. According to the video, this creates a high level of attack risk.

What we are looking for:

  • A way to get an authentication code (instead of a token) to validate authentication on the server side and generate a token there
  • A way to specify a "status" (nonce) on the server side that will be passed via the client to Facebook and later encoded in the server-side validation response to ensure the authentication request was initiated by the same client

In its current state, the whole process seems pretty insecure to us. If there is any other API we can use (or maybe we just have missed it in the documentation), please let us know.

Facebook SDK Version

8.1.0

Device models/OS versions

Any device

derwaldgeist avatar Nov 12 '20 11:11 derwaldgeist
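
The server-issued nonce requested in the issue above corresponds to the OAuth `state` parameter. The sketch below is an added example, not part of the original issue or of the Facebook SDK, showing how a game server could issue such a value and verify it before exchanging an authorization code. The names `issue_state` and `verify_state`, the session id, and the in-memory replay set are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a secret known only to the game server (generated here for the demo).
SERVER_KEY = secrets.token_bytes(32)
STATE_TTL_SECONDS = 300
_used_nonces = set()  # stand-in for a shared store with expiry, e.g. a database


def _sign(session_id: str, nonce: str, issued_at: int) -> str:
    """HMAC that binds the nonce to one client session and one issue time."""
    msg = f"{session_id}|{nonce}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_state(session_id: str, now: Optional[int] = None) -> str:
    """Create the value the client forwards to the login provider as `state`."""
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)  # URL-safe alphabet, never contains "."
    return f"{nonce}.{issued_at}.{_sign(session_id, nonce, issued_at)}"


def verify_state(session_id: str, state: str, now: Optional[int] = None) -> bool:
    """Check a returned state before the server exchanges the authorization code."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued_at_s, mac = state.split(".")
        issued_at = int(issued_at_s)
    except ValueError:
        return False  # malformed value
    expected = _sign(session_id, nonce, issued_at)
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False  # forged, or issued for a different session
    if not 0 <= now - issued_at <= STATE_TTL_SECONDS:
        return False  # expired
    if nonce in _used_nonces:
        return False  # replayed
    _used_nonces.add(nonce)  # single use: a second presentation is rejected
    return True
```

Only after `verify_state` returns `True` would the server go on to exchange the code, so a code captured from or injected by a different client session is rejected before any token is minted.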

Any updates on this?

kusaljr avatar Aug 03 '23 02:08 kusaljr