Facebook login plugin with server side access to users data

Question

I have got few things to work eg Using -

 FB.login(function(response) {
   if (response.authResponse) {
     console.log('Welcome!  Fetching your information.... ');
     FB.api('/me', function(response) {
       console.log('Good to see you, ' + response.name + '.');
     });
   } else {
     console.log('User cancelled login or did not fully authorize.');
   }
 });

I am able to get all the details of the user, name, User ID etc.

My Problem is how to take all this information to the server "safely". I don't want this information to be sniffed on its way to server. I use JAVA(Servet/JSP) language, PLEASE HELP ME ON THIS. I wish there was some way like registration plugin where Facebook sends all the information on a redirect_url link.

Regards, Jagpreet Singh

---

EDIT: If anybody requires the Java Code -

    // it is important to enable url-safe mode for Base64 encoder
    Base64 base64 = new Base64(true);

    // split request into signature and data
    String[] signedRequest = request.getParameter("signed_request").split("\\.", 2);

    logger.info("Received signed_request = " + Arrays.toString(signedRequest));

    // parse signature
    String sig = new String(base64.decode(signedRequest[0].getBytes("UTF-8")));

    // parse data and convert to JSON object
    JSONObject data = (JSONObject) JSONSerializer.toJSON(new String(base64.decode(signedRequest[1].getBytes("UTF-8"))));

    logger.warn("JSON Value = " + data);

    // check signature algorithm
    if (!"HMAC-SHA256".equals(data.getString("algorithm"))) {
        // unknown algorithm is used
        logger.error("HMAC-SHA256 Algo? = false, returning ERROR");
        return ERROR;
    } else {
        logger.error("HMAC-SHA256 Algo? = true, Checking if data is signed correctly...");
    }

    // check if data is signed correctly
    if (!hmacSHA256(signedRequest[1], fbSecretKey).equals(sig)) {
        // signature is not correct, possibly the data was tampered with
        logger.warn("DATA signed correctly? = false, returning ERROR");
        return ERROR;
    } else {
        logger.warn("DATA signed correctly? = true, checking if user has authorized the APP...");
    }

    // check if user authorized the APP (FACEBOOK User)
    if (!data.has("user_id") || !data.has("oauth_token")) {
        // this is guest, create authorization url that will be passed
        // to javascript
        // note that redirect_uri (page the user will be forwarded to
        // after authorization) is set to fbCanvasUrl
        logger.warn("User has authorized the APP? = false, returning ERROR");
        return ERROR;
    } else {
        logger.warn("User has authorized the APP? = true, Performing User Registration...");

        // this is authorized user, get their info from Graph API using
        // received access token

        // String accessToken = data.getString("oauth_token");
        // FacebookClient facebookClient = new
        // DefaultFacebookClient(accessToken);
        // User user = facebookClient.fetchObject("me", User.class);
    }

Answer 1

Facebook sends a signed_request parameter when you authenticate with a client-side method. You can pass this to your server, authenticate it, and then unpack it to get at the information you need. It is encrypted with your app secret, so you can be sure that it is secure.

See the signed_request documentation for more information.