 

Using a Facebook access token as the resource owner credentials in OAuth2.0

The OAuth 2.0 specification defines the Resource Owner Password Credentials Grant Type, which allows the resource owner password credentials (i.e. username and password) to be used directly as an authorization grant to obtain an access token.

I want to allow a user to 'login via Facebook' on the client instead of providing the credentials directly. The client could then exchange the user's Facebook access token for an access token for the authorization server. Does this scheme fit into the framework of OAuth2?

Eugene Yarmash asked Nov 05 '22 00:11


1 Answer

The client could then exchange the user's Facebook access token for an access token for the authorization server.

Do you mean you have 2 Authorization servers in mind (one from Facebook and another, your private one)? If so, you're abusing OAuth and should use the Authorization Code Grant scheme instead.

In Figure 5 of the OAuth 2.0 spec (v25) you can find the workflow definition:

  1. The resource owner provides the client with its username and password.

  2. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.

  3. The authorization server authenticates the client and validates the resource owner credentials, and if valid issues an access token.

This is a quote from Facebook (http://developers.facebook.com/docs/guides/web/):

In order to log the user into your site, three things need to happen. First, Facebook needs to authenticate the user. This ensures that the user is who they say they are. Second, Facebook needs to authenticate your website. This ensures that the user is giving their information to your site and not someone else. Lastly, the user must explicitly authorize your website to access their information. This ensures that the user knows exactly what data they are disclosing to your site.

In both places you have one and only one Authorization server; in your case, Facebook.

Artem Oboturov answered Nov 15 '22 19:11
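The three steps quoted from Figure 5 as a worked exchange, written as an added example (not code from the question or the answer): a client builds the token request of step 2, and a minimal token endpoint performs step 3, authenticating the client and validating the resource owner's credentials. The client registry, the user table and the token value are constructed for the demo. The endpoint only knows the grant types RFC 6749 defines, so a request that carries something else (such as a third-party access token) is refused with the spec's `unsupported_grant_type` error instead of being exchanged.

```python
import base64
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed registrations for the demo (not from the question).
CLIENTS = {"web-app": "s3cret"}             # client_id -> client_secret
USERS = {"alice": "correct horse battery"}  # username -> password (plaintext only for the demo)


def client_auth_header(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749 section 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def password_grant_request(client_id, client_secret, username, password, scope=None):
    """Step 2: the client forwards the resource owner's credentials (section 4.3.2).
    Returns the Authorization header and the form-encoded body."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope
    return client_auth_header(client_id, client_secret), urlencode(params)


def token_endpoint(auth_header, body):
    """Step 3: authenticate the client, validate the owner credentials, issue a token.
    Returns (http_status, response_dict) using the error codes of section 5.2."""
    if not auth_header.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, secret = base64.b64decode(auth_header[6:]).decode().partition(":")
    except ValueError:
        return 401, {"error": "invalid_client"}
    # Unknown client first, then constant-time secret comparison.
    if client_id not in CLIENTS or not hmac.compare_digest(secret, CLIENTS[client_id]):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        # A Facebook access token is not a grant type RFC 6749 defines,
        # so a request carrying one is rejected here rather than exchanged.
        return 400, {"error": "unsupported_grant_type"}
    username = form.get("username", "")
    if username not in USERS or not hmac.compare_digest(form.get("password", ""), USERS[username]):
        return 400, {"error": "invalid_grant"}
    # Constructed token value; a real server would mint an opaque or signed token.
    return 200, {"access_token": "demo-token-for-" + username, "token_type": "bearer"}
```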