Are you still working on this?
I was, but I have to quit to focus more on my classes as the new semester started today. Perhaps during spring break or this summer. It really depends on when I have the time.
I’ve done a bit of reading, but I’m not certain about what the “token” actually is. Is it user-specific? response-specific?
User Access Token – The user token is the most commonly used type of token. This kind of access token is needed any time the app calls an API to read, modify or write a specific person’s Facebook data on their behalf. User access tokens are generally obtained via a login dialog and require a person to permit your app to obtain one. – Facebook Docs
The token changes each time the user logs in (I tested this). I assume this is for security reasons. Maybe I do need this if I want to keep them logged in by storing it in session.
But what if they’re logged out (for whatever reason), I already have their credentials stored in a database and they want to log back in?
Well, the whole point of OpAuth is that the user doesn’t log in with you; they log in with someone else. Now, if the “token” you refer to is user-specific (doesn’t change), then when a user logs in again you could use it to recognize them (and use the existing user info, instead of creating a “new” account).
The way I was thinking about the token was that if the token always changed for each login process or every time I need to read from the API, how could I verify it belongs to that person? Would I have to constantly update the database? That is what I am having a hard time with.
Edit: I think this helps me understand the whole purpose of the token a little better. It’s exactly why I need it.