The right way to implement Facebook login for your app

Taylor Hughes is a co-founder at Cluster, which builds web and mobile apps that enable users to create private sharing environments for groups, travelers, classrooms, and more.

Logging in with Facebook theoretically solves a lot of problems for app developers. But it’s not overly clear the best way to go about it, and many examples on the web advocate the wrong strategy.

Here’s what we’ve learned integrating Login with Facebook in Cluster.

Use your own long-lived session tokens

Facebook sessions get invalidated all the time. The Facebook SDK can provide your app with an invalid session token due to cached data at the SDK or system level; auth tokens expire due to user behavior like resetting passwords or manually invalidating apps under the user’s settings.

So, after signup, your app should not assume you can ever get another valid token from the Facebook SDK. In some cases, if you want to keep the session alive, you might have to prompt the user to authenticate with Facebook again.

To avoid a critical mistake I made, here’s the most important thing: Don’t ever block your app’s startup on third-party authentication.

Instead, you should implement your own session token strategy, and it should probably be made to resemble OAuth2. Rather than extending sessions by passing the original credentials to the backend, you should ask your backend for a new token using a separate refresh token.

As a result, authentication flows with Facebook, Google, et al, should look something like this:

1. User hits “Login with Facebook”
2. Facebook SDK talks to Facebook backend to get a token
3. Your client gives your backend the token
4. Your backend validates the token against Facebook’s servers
5. Your backend issues a new authentication or session token
6. Your client saves your backend’s auth token: Now you’re logged in and can talk to your own servers forever, or at least in a way you understand.

Next we can talk about how to keep the Facebook session alive in the client as long as possible.

Persisting Facebook “connectedness” across logins and devices

Once a user signs in with Facebook, she might sign in with another service under the same email address. Or a different user might “Connect” his account to Facebook later, which should associate his Facebook session with his user account in the backend.

But when these guys sign in on another device, or if they sign out and sign back in (without tapping “Login with Facebook”), the Facebook SDK in the client might not know about their Facebook sessions anymore.

Additionally, the only way to keep sessions alive is to refresh them in the client; there’s no facility for doing this on the server.

So, to wire the session back up, when a user who has logged in with Facebook (or connected his or her Facebook account) logs back in, your app should do the following:

1. Load any recent third-party sign-in tokens from your backend
2. Re-create the Facebook/Google login sessions and issue a request
3. Check the auth token. If it has changed, save the new token to your backend to keep the session alive.

You can replicate this behavior on Android and the web so that when a user signs into a different client, you can silently keep them connected.

Code for re-inflating Facebook sessions on iOS

Many Bothans died to bring us this information. It’s very difficult to find documentation around this.

So here’s a brief snippet of code from our iOS client that shows how this is done.

Good luck!

Thanks for reading this! Any thoughts? If you enjoyed this article, I would really appreciate you hitting the recommend button below. Connect with me on Twitter @taylorhughes with any comments or thoughts.