 

Login with Facebook and using OAuth 2.0 for authentication of REST API calls

I am using the Spring framework and a REST architecture in my API. Currently I am authenticating my REST calls by sending the username and password with every call. Users are stored in my database.

Now I plan to use OAuth 2.0 for access to my protected resources, and I also plan to use Facebook Login as the authentication mechanism.

I have read about spring-security-oauth2 and have implemented it in a small example; it works fine.

I have read about spring-social, have also implemented it, and can access the Facebook API.

Now all I want to know is how I can log in with Facebook and then use OAuth 2.0 to protect my resources.

Any help will be deeply appreciated.

khobab asked Oct 21 '22 17:10



1 Answer

You would not want to use the Facebook-issued access token to secure your own resources. The Facebook token represents a 3-way agreement between your application, Facebook, and your user. If you want to use OAuth to secure your own resources, that's a completely different agreement between the consumer of those resources, your server, and the user who owns those resources on your server.

Think of it this way: When you are consuming Facebook's API, your application (A) is the consumer, Facebook (FB) is the provider, and there's a common user (U1) that joins those together. But when someone is consuming resources on your server, then your application (A) is in the role of the provider, some other application (X) is the consumer, and there's a common user (U2) who joins those together. It may be the same human (e.g., U1 == U2) that agreed to the arrangement in both cases, but the roles of provider and consumer have changed.

I imagine that there's probably a way to get Spring Security for OAuth to issue the same access token that Facebook issued, but that's not really a good idea.

Craig Walls answered Nov 02 '22 09:11

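The separation described in the answer, as an added example that is not part of the original post and is not Spring Security OAuth code: Facebook Login only establishes who the user is, and the server then issues and checks its own tokens, each bound to the consuming application and its scopes. The class name, method names, in-memory maps and sample identifiers are hypothetical, and the sketch assumes the Facebook user ID was obtained from a completed Facebook login (Java 16+ for records).

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical service: Facebook proves identity, this server issues its own tokens. */
public class LocalTokenService {
    /** The agreement between consumer X, this server (A) and local user U2. */
    record Grant(String localUserId, String clientId, Set<String> scopes, Instant expiresAt) {}

    private final SecureRandom random = new SecureRandom();
    private final Map<String, String> localUserByFacebookId = new ConcurrentHashMap<>();
    private final Map<String, Grant> grantsByToken = new ConcurrentHashMap<>();

    /** Assumption: called only after Facebook login succeeded and Facebook returned this user ID. */
    public String issueAfterFacebookLogin(String facebookUserId, String clientId, Set<String> scopes) {
        // Map the Facebook identity to a local account; the Facebook token itself is never stored or reused.
        String localUser = localUserByFacebookId.computeIfAbsent(
                facebookUserId, id -> UUID.randomUUID().toString());
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grantsByToken.put(token,
                new Grant(localUser, clientId, Set.copyOf(scopes), Instant.now().plusSeconds(3600)));
        return token;
    }

    /** Resource-side check: accept only unexpired tokens this server issued, with the required scope. */
    public Optional<String> authorize(String bearerToken, String requiredScope) {
        Grant g = bearerToken == null ? null : grantsByToken.get(bearerToken);
        if (g == null || Instant.now().isAfter(g.expiresAt()) || !g.scopes().contains(requiredScope)) {
            return Optional.empty();
        }
        return Optional.of(g.localUserId());
    }

    public static void main(String[] args) {
        LocalTokenService svc = new LocalTokenService();
        String facebookToken = "constructed-facebook-access-token"; // constructed sample value
        String own = svc.issueAfterFacebookLogin("fb-1001", "consumer-x", Set.of("read")); // constructed IDs
        System.out.println("own token, read scope:  " + svc.authorize(own, "read").isPresent());
        System.out.println("own token, write scope: " + svc.authorize(own, "write").isPresent());
        System.out.println("facebook token:         " + svc.authorize(facebookToken, "read").isPresent());
    }
}
```

A Facebook-issued token presented to `authorize` is rejected because this server never issued it, which keeps the two agreements independent.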