What security threats does the access_token for Facebook Graph API pose?

Question

I have made a custom ajax script to parse the JSON returned from the facebook graph API feed.

I have come to terms with the fact that the access token expires, so in order to get another one I can make a request to

https://graph.facebook.com/oauth/access_token?grant_type=client_credentials&client_id=APP_ID&client_secret=APP_SECURITY 

where APP_ID is the app id and APP_SECURITY is the app security values registered with my facebook app development account.

However I'm worried, because I'm making these requests via ajax, therefore anybody with basic chrome/firebug knowledge could access my app_id, app_security and access_token variables (from now on known as 'The Variables') held within my javascript file.

I am unsure as to what users can do this this kind of information?

Does the access token provide purely a read-only JSON output of my facebook page? Or can this information be used for more malicious purposes?

Now: before anybody replies saying that I should use php to get fetch the JSON and parse etc... I cannot, because the customer requirement is to use ajax, for the obvious asynchronous benefits.

If the variables pose no threat to my facebook account and can be only used for read only purposes, then I'll get on with my programming!

If however they must be kept secure... How can I securely pass the variables to javascript in order to keep the variable hidden?

PS. I already have pre-written php scripts to attain the variables. Just after a method to keep them secure when passing to the javascript (if necessary)

Thanks

Alex

Answer 1

As Commented, Never Display APP_ID and APP_SECRET publicly.

Read This . You will find out a way to automatically find your access token using php.

Using this php file, make an ajax call to it, and it will return your new access token.