REST API for website which uses Facebook for authentication

by

UPDATE: see below

I’ve been thinking hard about this question too. It’s not entirely clear to me yet but here’s the route I am thinking of going. I am creating a REST API an my users only auth with Facebook connect.

On the CLIENT:

  1. Use the Facebook API to login and get an OAUTH2 code.
  2. Exchange this code for an access token.
  3. In every call to my custom API I’ll include the Facebook user id and the access token.

On the API (for every method that requires user authentication):

  1. Make a request to the /me Facebook graph using the access token from above.
  2. Verify that the Facebook user id returned matches the user id passed to my API from above.
  3. If the access token has expired additional communication is required.

I have yet to test this. How does it sound?

— Update: July 27th, 2014 to answer question —

I only use the above exchange once upon login. Once I determine which user is logging in, I create my own access token, and that token is used from that point going forward. So the new flow looks like this…

On the CLIENT:

  1. Use the Facebook API to login and get an OAUTH2 code.
  2. Exchange this code for an access token.
  3. Request an access token from my API, including the Facebook token as a parameter

On the API

  1. Receive access token request.
  2. Make a request to the /me Facebook graph using the facebook access token
  3. Verify that the Facebook user exists and match to a user in my database
  4. Create my own access token, save it and return it to the client to be used from this point forward

More Related Contents:

  1. Is it possible to check if an email is confirmed on Facebook?
  2. Given URL is not allowed by the Application configuration Facebook application error
  3. Facebook login “given URL not allowed by application configuration”
  4. Given URL is not allowed by the Application configuration
  5. Is Facebook an OpenID provider?
  6. Get public page statuses using Facebook Graph API without Access Token
  7. Facebook iframe tab signed request always empty
  8. Facebook Graph API v2.0+ – /me/friends returns empty, or only friends who also use my application
  9. Facebook Callback appends ‘#_=_’ to Return URL
  10. Warning: Each child in an array or iterator should have a unique “key” prop. Check the render method of `ListView`
  11. Security of REST authentication schemes
  12. Facebook Graph Api – Posting to Fan Page as an Admin
  13. How do you post to the wall on a facebook page (not profile)
  14. Fetching list of friends in Graph API or FQL – Appears to be missing some friends
  15. Facebook access token server-side validation for iPhone app
  16. Get user profile picture by Id
  17. Where can I find my Facebook application id and secret key?
  18. Liking a page on behalf of a user?
  19. Generate “never-expire” access token for Facebook Page
  20. ASP.NET Web API and Identity with Facebook login
  21. Facebook API – How to get user’s address, phone #?
  22. How to show particular image as thumbnail while implementing share on Facebook?
  23. Do Facebook Oauth 2.0 Access Tokens Expire?
  24. How to check if user is logged in with FB SDK 4.0 for Android?
  25. How to subscribe to real-time updates for a Facebook page’s wall
  26. Spring Social Authentication Filter for Stateless REST Endpoints which use Facebook Token for authentication
  27. What is the length of the access_token in Facebook OAuth2?
  28. Loading Iframe Facebook (Load denied by X-Frame-Options)
  29. How to display my photo albums and photos that are in FB on my own website
  30. How to get Likes Count when searching Facebook Graph API with search=xxx

Leave a Comment