golang Facebook authentication using golang.org/x/oauth2

Question

I am trying to write a simple program using the golang.org/x/oauth2 package. But I can't seem to exchange code for an access token. The following error is a bit misleading as it says the authorisation code has been used but I see a new code every time I invoke the login dialog. I am new to golang and I might be making a basic mistake, any pointers would be really helpful :)

    clientOptions, err = oauth2.New(
        oauth2.Client("xxxxxx", "22222222222222"),
        oauth2.RedirectURL("http://localhost:3000/auth/cb/fb2"),
        oauth2.Scope("public_profile", "email", "user_friends"),
        oauth2.Endpoint(
            "https://www.facebook.com/dialog/oauth",
            "https://graph.facebook.com/oauth/access_token",
        ),
    )

func handleFBSetupOauth(w http.ResponseWriter, r *http.Request) {
    url := clientOptions.AuthCodeURL("state", "online", "auto")
    fmt.Printf("Visit the URL for the auth dialog: %v", url)

    http.Redirect(w, r, url, http.StatusFound)
}

func handleFBOauthCB(w http.ResponseWriter, r *http.Request) (int, string) {
    var err error

    code := r.FormValue("code")
    if code == "" {
        return 500, "No code!"
    }

    fmt.Printf("code - %s", code)

    t, err := clientOptions.NewTransportFromCode(code)
    if err != nil {
        log.Fatal(err)
    }

    client := http.Client{Transport: t}

    url := "https://graph.facebook.com/oauth/access_token?client_id=xxxxxxx&redirect_uri=http://localhost:3000/auth/cb/fb2&client_secret=22222222&code=" + code + ""

    resp, err := client.Get(url)

I get the following error from the last get request -

{"error":{"message":"This authorization code has been used.","type":"OAuthException","code":100}}

I am following these 2 guides - Facebook login flow - https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2

Latest goauth doc - https://godoc.org/golang.org/x/oauth2

Answer 1

Here is a simple example to get you started:

package main

import (
  "fmt"
  "io/ioutil"
  "log"
  "net/http"
  "net/url"
  "strings"

  "golang.org/x/oauth2"
  "golang.org/x/oauth2/facebook"
)

var (
  oauthConf = &oauth2.Config{
    ClientID:     "YOUR_CLIENT_ID",
    ClientSecret: "YOUR_CLIENT_SECRET",
    RedirectURL:  "YOUR_REDIRECT_URL_CALLBACK",
    Scopes:       []string{"public_profile"},
    Endpoint:     facebook.Endpoint,
  }
  oauthStateString = "thisshouldberandom"
)

const htmlIndex = `<html><body>
Logged in with <a href="/login">facebook</a>
</body></html>
`

func handleMain(w http.ResponseWriter, r *http.Request) {
  w.Header().Set("Content-Type", "text/html; charset=utf-8")
  w.WriteHeader(http.StatusOK)
  w.Write([]byte(htmlIndex))
}

func handleFacebookLogin(w http.ResponseWriter, r *http.Request) {
  Url, err := url.Parse(oauthConf.Endpoint.AuthURL)
  if err != nil {
    log.Fatal("Parse: ", err)
  }
  parameters := url.Values{}
  parameters.Add("client_id", oauthConf.ClientID)
  parameters.Add("scope", strings.Join(oauthConf.Scopes, " "))
  parameters.Add("redirect_uri", oauthConf.RedirectURL)
  parameters.Add("response_type", "code")
  parameters.Add("state", oauthStateString)
  Url.RawQuery = parameters.Encode()
  url := Url.String()
  http.Redirect(w, r, url, http.StatusTemporaryRedirect)
}

func handleFacebookCallback(w http.ResponseWriter, r *http.Request) {
  state := r.FormValue("state")
  if state != oauthStateString {
    fmt.Printf("invalid oauth state, expected '%s', got '%s'\n", oauthStateString, state)
    http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
    return
  }

  code := r.FormValue("code")

  token, err := oauthConf.Exchange(oauth2.NoContext, code)
  if err != nil {
    fmt.Printf("oauthConf.Exchange() failed with '%s'\n", err)
    http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
    return
  }

  resp, err := http.Get("https://graph.facebook.com/me?access_token=" +
    url.QueryEscape(token.AccessToken))
  if err != nil {
    fmt.Printf("Get: %s\n", err)
    http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
    return
  }
  defer resp.Body.Close()

  response, err := ioutil.ReadAll(resp.Body)
  if err != nil {
    fmt.Printf("ReadAll: %s\n", err)
    http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
    return
  }

  log.Printf("parseResponseBody: %s\n", string(response))

  http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
}

func main() {
  http.HandleFunc("/", handleMain)
  http.HandleFunc("/login", handleFacebookLogin)
  http.HandleFunc("/oauth2callback", handleFacebookCallback)
  fmt.Print("Started running on http://localhost:9090\n")
  log.Fatal(http.ListenAndServe(":9090", nil))
}