
Can I use Facebook OAuth to secure my RESTful web service?

I'm writing a mobile phone app that allows users to register via Facebook. Once registered, users can then access personalised information via a RESTful web service I will host.

I've seen various mobile apps that appear to use a similar set-up but only present Facebook (or Twitter) OAuth authentication to their users. I'm wondering how this is done?

I thought that, to secure this web service, I could use HTTP Basic authentication over HTTPS with the user's Facebook OAuth access token as their password.

Is this secure? How do other apps handle security when they only register users via Facebook?

Ricardo Gladwell asked Jul 09 '12 18:07




1 Answer

Apps that use this kind of a format generally do the following:

  1. The app itself is a registered application with FB - meaning it has an App Key
  2. When the user registers using FB - what's really happening is that they are giving permissions to the app, allowing it to see their data, post to their wall, etc (whatever permissions the app requests)
  3. Once the user is logged in - the App can then request their information from FB, as long as it authenticates with the service using its App Key.

So - within your application, you'll generally store the user's FB ID, and when you're making requests for data (or requests to post to the wall, etc) - you submit your App Key + the user's FB ID, along with whatever action information you need to supply. The FB service then replies with the data you have permissions to see - or performs the action, so long as you have permission to perform it.

In a RESTful environment, the trick is that you are supposed to be fully stateless - meaning no sessions are tracked. This is fine, however - because your App already has its App Key - so all you need is the user's FB ID per request. Easy enough if you just insert the ID into a cookie - or manage it client-side. How's this work?

When you register your App with Facebook, you have to supply a URL on which you'll be hosting that App. This is primarily in order to support cross-site cookies and CORS requests. In other words: as long as your request is coming from a URL recognized by FB to be associated with your App Key, FB knows which user it is that's on your site - because it has full access to its own cookies.

So what does this mean to you in trying to use FB to OAuth enable your site?

It essentially means that FB becomes your log-in system. You are asserting the following:

"As long as FB says the user is who they say they are - I trust it, too."

So - when a user arrives at your site and clicks the "Log In using Facebook" button - your site will get back either a success or a failure. You can get more info about how to implement this, specifically, by looking at the Facebook Developers site, and specifically, the following references:

  1. Facebook Login
  2. API Reference > Login
  3. The Login Dialog
  4. Access Tokens and Types
  5. Login Architecture

Once FB gives you back a token indicating success - you can assert that the person you get back info from via FB's API is the person using your site. So - if you store their FB ID in your database as your primary key, for example - you can now filter the results from your own API based on that value.

A round-trip might look something like:

  1. Unauthenticated user arrives at your site
  2. Redirect / provide a log-in button to authenticate with Facebook
  3. Determine the user's now authenticated identity by hitting the FB Graph API
  4. Your UI script now submits the FB ID received from Graph along with its requests to your API layer
  5. Your API layer filters data based on the FB ID (associated with your User record) - and returns proper data

Hope this is helpful. If you have questions - please ask in comments, and I'll try to add more detail as I can.

Troy Alford answered Oct 19 '22 13:10

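A worked version of the answer's round-trip (steps 3 to 5) combined with the question's idea of sending the Facebook access token as the HTTP Basic password, added here as an example and not code from either poster: the API layer resolves the token through the Graph API's debug_token endpoint, accepts it only if it is valid and was issued to this app, and filters records by the user id Facebook reports. The app id, tokens and records are constructed, and `fake_debug` stands in for the network call so the example runs offline.

```python
import base64, json, time
import urllib.parse, urllib.request

GRAPH_DEBUG_URL = "https://graph.facebook.com/debug_token"  # real Graph API endpoint

def parse_basic_token(authorization_header):
    """Pull the Facebook access token out of the HTTP Basic password field."""
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    _user, sep, token = decoded.partition(":")
    return token if sep and token else None

def graph_debug_token(token, app_token):
    """Network call: ask Facebook's debug_token endpoint what `token` represents."""
    query = urllib.parse.urlencode({"input_token": token, "access_token": app_token})
    with urllib.request.urlopen(f"{GRAPH_DEBUG_URL}?{query}", timeout=5) as resp:
        return json.load(resp)["data"]

def resolve_user(auth_header, app_id, app_token, debug=graph_debug_token, now=time.time):
    """Return the Facebook user id the token proves, or None if it must be rejected."""
    token = parse_basic_token(auth_header)
    if token is None:
        return None
    data = debug(token, app_token)
    if not data.get("is_valid") or str(data.get("app_id")) != str(app_id):
        return None                         # invalid, or issued to some other app
    expires_at = data.get("expires_at", 0)  # 0 means the token does not expire
    if expires_at and expires_at <= now():
        return None
    user_id = data.get("user_id")
    return str(user_id) if user_id else None

def personalised_records(records, fb_user_id):
    """Step 5 of the answer: filter the service's rows to the verified user."""
    return [r for r in records if r["owner_fb_id"] == fb_user_id]

FAKE_APP_ID = "123456"  # constructed; the app id and tokens below are made up
FAKE_DEBUG = {
    "tok-alice": {"is_valid": True, "app_id": "123456", "user_id": "1001", "expires_at": 0},
    "tok-other": {"is_valid": True, "app_id": "999999", "user_id": "1001", "expires_at": 0},
}
def fake_debug(token, _app_token):  # offline stand-in for graph_debug_token
    return FAKE_DEBUG.get(token, {"is_valid": False})
def basic_header(token):  # the Authorization header the question proposes
    return "Basic " + base64.b64encode(f"fb:{token}".encode()).decode()
```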