Application> OAuth2 Server> Facebook> OAuth2 Server> Application

So I have a single page app.

Normal stream:

Application -> OAuth2 Server -> Application

We have our own OAuth2 server so people can log into the application and get the access_token associated with the User object.

Our special stream.

We also have this custom endpoint / oauth 2 / vendor / facebook / auth? client_id = Xredirect_uri =

Application [1] → OAuth2 Server [2] → Facebook [3] → OAuth2 Server [4] → Application [5]

[2]: We redirect redirect_uri and pass it as a custom parameter to facebook, so we can redirect to later ..


We redirect the client to facebook to authenticate and use the app.


  • Facebook redirects to oauth server, we get the code.
  • We request access_token, get access_token. This all happens behind the scenes with CURL.
  • We request our own API (internal API call to localhost) with a special grant type (we call it for the oauth2 spec), this. This is done with client privacy and happens behind the scenes with CURL.
  • We are redirecting the original redirect_uri originally provided.

Is this an applicable way to authenticate with facebook?

We know that it can be done differently, for example. The browser first asks for the facebook token and then the browser asks for the access_token, which finally goes to our own oauth2 endpoint to further validate and process that two requests for the client, which I find quite slow and cumbersome to me. Or that?


source to share

1 answer

Yes, this is an acceptable way. This is an example of what is called "federation".

Federation is of course best known for its implementation in WS-Federation . But you can do it with OAuth too, even if the way it is done is not standardized. This has been done previously, for example in Identity Node .

Just a few notes:

In step 4, you exchange the Facebook code for the access token and the refresh token. Then you need to make an additional call to Facebook to get the user profile (or at least their user ID). You will need this so that when the user comes back later, you know they are the same user. If you plan to use the Facebook API later (for example, to check for an updated profile), you need to save the access token and update the token on your authorization server associated with your Facebook user ID.

In other words, you need to have some kind of internal mechanism that maps your Facebook user ID to your own internal user ID. If you are using Facebook solely for authentication, your Facebook user ID and your internal user ID may be the same. You can use an internal mapping table, or you can prefix your Facebook user id for example. "Facebook:". This is similar to what WS-Federation calls the original issuer.

Then you say

We request our own API (internal API call for localhost) with a special type of grant (we call it for the oauth2 spec), this. This is done with client privacy and happens behind the scenes with CURL.

This sounds strange to me. First of all, you are already on the authorization server. Surely you can call an inner function without having to go through the HTTP stack? It would be much more efficient. Also, always avoid secret internal HTTP (S) endpoints for security reasons. Not only are they not required, but they also increase the attack surface, and you need to spend time protecting them.



All Articles