I want to provide a service using the facebook api to third parties. Is it possible for us to share access tokens? If the third party gives my service a user's access token, can I access that users data even if my app_id & secret do not match the app that requested it?
Should I have the users go through a separate oauth flow on my site even if they have already completed it for the other third party?
Thanks.
-ken
Regarding:
Is it possible for us to share access tokens?
and,
can I access that users data even if my app_id & secret do not match the app that requested it?
The answer is No. From the specs OAuth2 section 10.3:
Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.
Should I have the users go through a separate oauth flow on my site even if they have already completed it for the other third party?
The answer is Yes. If you're using facebook as authorization server, and you restart the oauth flow again, your user will only need to approve your other app (third party).