Let's assume I have a mobile app backed by a server. The server is both an Authorization and Resource Server.

Now I want to enable users to register / login to the app using the Facebook API. After the user authenticates through Facebook he gets an AccessToken. Now I have a few options:

  1. Send the accessToken to my authorization server (with the user's fbId), make sure it's a real accessToken, store the accessToken as the user's authentication token and manage the OAuth2 authorization process using that accessToken with my authorization server.
  2. Same as the above, but after authenticating on the server side, create a new accessToken with an optional refreshToken and never use the Facebook AccessToken again (only to retrieve information from Facebook).
  3. On each call to my resource server, use the Facebook authorization server (please let it not be the answer (-;)

Also, if someone is familiar with a blog post / online resource that discusses such a situation please let me know (I've failed to find one).

To log into your application with a Facebook account:

  1. Authenticate the client with the Facebook API, getting a user access token as a result. At this point your client is sure about the user's identity, but your server is not yet.
  2. Send the user access token to the server. Now the server has the user access token, but is not sure if it is valid.
  3. Debug the token from the server to make sure it is valid. Here you use your application access token to check the user access token. You need to make sure that the user token is valid, not expired, and was issued for your application. If it is OK, your server is now also sure about the user's identity.
  4. From now on, don't use the Facebook user access token, unless you need some data from the Facebook account. Instead, use a normal session mechanism: provide some cookie or other custom token, just like you would do with your own authentication mechanism.

Basically, you just replace your normal username/password check with a Facebook user access token check. You do it just once when a session starts.

For additional info, check login security best practices.
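The server-side half of steps 3 and 4 above, as an added example that is not part of the original answer: the server builds the Graph API `/debug_token` request with its app access token (`app_id|app_secret`, so this must never run on the mobile client), checks the response for validity, expiry, the issuing app and the user id the client claimed, and only then mints its own session token. The app id, secret and the sample `/debug_token` response are constructed values for illustration; the response fields (`is_valid`, `app_id`, `expires_at`, `user_id`, `type`) follow the documented Graph API shape, and the network call is shown but not exercised.

```python
import hashlib
import json
import secrets
import time
import urllib.parse
import urllib.request
from typing import Optional

# Hypothetical app credentials; the real ones come from the Facebook developer console.
APP_ID = "123456789012345"
APP_SECRET = "REPLACE_WITH_APP_SECRET"
SESSION_TTL_SECONDS = 24 * 3600


def build_debug_token_url(user_token: str, app_id: str, app_secret: str) -> str:
    """URL for the Graph API /debug_token call. The app access token is
    'app_id|app_secret', which is why this check belongs on the server only."""
    query = urllib.parse.urlencode({
        "input_token": user_token,
        "access_token": f"{app_id}|{app_secret}",
    })
    return f"https://graph.facebook.com/debug_token?{query}"


def fetch_debug_token(user_token: str) -> dict:
    """Network call (not exercised offline): returns the parsed /debug_token body."""
    url = build_debug_token_url(user_token, APP_ID, APP_SECRET)
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def validate_debug_token(response: dict, expected_app_id: str,
                         claimed_user_id: str, now: Optional[int] = None) -> str:
    """Apply the checks from step 3: valid, not expired, issued for *our* app,
    a user token, and belonging to the user the client claims to be.
    Returns the verified Facebook user id or raises ValueError."""
    now = int(time.time()) if now is None else now
    data = response.get("data") or {}
    if data.get("is_valid") is not True:
        raise ValueError("token is not valid")
    if data.get("type") != "USER":
        raise ValueError("not a user access token")
    # Comparing app_id stops a token issued to some other app from logging in here.
    if str(data.get("app_id")) != expected_app_id:
        raise ValueError("token was not issued for this application")
    # Any expires_at not strictly in the future is treated as expired (policy choice).
    if int(data.get("expires_at", 0)) <= now:
        raise ValueError("token has expired")
    # The client-supplied fbId is untrusted input; the debug response is the authority.
    if str(data.get("user_id")) != claimed_user_id:
        raise ValueError("token belongs to a different user than claimed")
    return str(data["user_id"])


class SessionStore:
    """Step 4: the server's own session tokens, independent of Facebook.
    Only the SHA-256 of each token is stored, so a leaked table yields no live sessions."""

    def __init__(self) -> None:
        self._sessions: dict = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (user_id, now + SESSION_TTL_SECONDS)
        return token

    def lookup(self, token: str, now: Optional[int] = None) -> Optional[str]:
        now = int(time.time()) if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None or entry[1] <= now:
            return None
        return entry[0]


def login_with_facebook(debug_response: dict, claimed_user_id: str,
                        store: SessionStore, now: Optional[int] = None) -> str:
    """Steps 3 and 4 together: verify the Facebook token, then hand back our own token."""
    user_id = validate_debug_token(debug_response, APP_ID, claimed_user_id, now)
    return store.create(user_id, now)


# Constructed sample of a /debug_token response for a token issued to our app.
SAMPLE_RESPONSE = {"data": {
    "app_id": APP_ID, "type": "USER", "application": "Example App",
    "expires_at": 1700003600, "is_valid": True, "issued_at": 1699998000,
    "scopes": ["public_profile", "email"], "user_id": "10000123",
}}

if __name__ == "__main__":
    store = SessionStore()
    session = login_with_facebook(SAMPLE_RESPONSE, "10000123", store, now=1700000000)
    print("session user:", store.lookup(session, now=1700000010))
```

The client only ever sees the session token returned by `login_with_facebook`; the Facebook token is discarded once the debug check passes, and is fetched again only when the server actually needs Graph API data, which is option 2 from the question.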

