Securing a REST API with Facebook OAuth

I am building an app/API that allows users to log in with Facebook, Twitter or Google. I am wondering what the best practices are for allowing those users to use the same account to log in to the API.

  1. A couple of ideas that I have had are: pass the auth token/cookie in a header to the API for every request and use that to authenticate on the backend.
  2. Run my own OAuth setup and make the user authenticate once with the back end to get my OAuth token, and use that from then on.
Vitaly Babiy asked Sep 06 '11 23:09



1 Answer

I am doing the same thing and my solution is to match the email addresses that you get from these respective APIs.

For Facebook, you need special permission from the end user to get the email address registered there. You do this by adding &scope=email to the first OAuth request.

A disadvantage is that you need to get this permission from the end user and they may decline. Another disadvantage is that users need to use the same email addresses for Google, Facebook and Twitter.

An advantage is that user records are merged automatically, so users can directly access all their data if they logged in the first time through Google, and the second time through Facebook.

Another approach would be to manually merge their data by making them log in to Google when they are already logged in through Facebook. Then you can conclude that they are the same user, even when they use different email addresses for both. But this is a more tedious approach, as you still need to merge the app's user data from both accounts.

Jeroen Kransen answered Sep 18 '22 23:09
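The two linking strategies from the answer above, automatic merge on a matching email address and manual linking while the user is already logged in, as an added Python example that is not part of the original post or of any provider SDK. `AccountLinker`, `ProviderIdentity` and the in-memory user list are hypothetical, and the email match assumes the provider has verified the address it reports.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class ProviderIdentity:
    provider: str         # "facebook", "google" or "twitter"
    subject: str          # the provider's stable user id (never the email)
    email: Optional[str]  # None when the user declined the email scope

@dataclass
class User:
    id: int
    email: Optional[str]
    identities: set = field(default_factory=set)  # {(provider, subject)}

class AccountLinker:
    """Hypothetical in-memory store mapping social logins to local users."""
    def __init__(self):
        self.users = []

    def _by_identity(self, key):
        return next((u for u in self.users if key in u.identities), None)

    def _by_email(self, email):
        if email is None:  # scope declined: nothing to match on
            return None
        return next((u for u in self.users
                     if u.email and u.email.lower() == email.lower()), None)

    def login(self, ident, current_user=None):
        key = (ident.provider, ident.subject)
        known = self._by_identity(key)
        if known is not None:
            if current_user is not None and current_user is not known:
                raise ValueError("identity already belongs to another local user")
            return known
        if current_user is not None:
            # Manual merge: already logged in (say via Facebook), now logging in with
            # Google, so the identity is linked even if the two emails differ.
            current_user.identities.add(key)
            return current_user
        matched = self._by_email(ident.email)
        if matched is not None:
            # Automatic merge on email; safe only if the provider verified the address.
            matched.identities.add(key)
            return matched
        # Declined email scope or a new address: create a fresh local account.
        user = User(id=len(self.users) + 1, email=ident.email, identities={key})
        self.users.append(user)
        return user
```

The manual path only links identities; any app data the second account already holds still has to be merged by hand, as the answer notes.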