Search code examples
facebookoauth-2.0facebook-oauth

Is facebook using OAuth2 and if so where are the integration docs?

My client is web based with a NodeJS server.

I've recently implemented Google Sign-In for server-side apps using this flow

enter image description here

see https://developers.google.com/identity/sign-in/web/server-side-flow

I'm now trying to implement something similar on Facebook but when I look at the docs there is no reference to oauth2.

https://developers.facebook.com/docs/facebook-login

Should I be using Facebook connect? Where do I get my "one time code" from so that I can send it to my server?

Lots of confusion on the subject. Some direction would be most welcome.

Solution

  • OAuth is, by design, not a very prescriptive standard. It describes various flows for doing the authorization, and each of those is specified broadly enough to afford multiple interpretations and implementations.

    Facebook's implementation is broadly similar to Google's, and supports many different flows. The Javascript SDK offers a way of doing it in the browser, whereas the more traditional server-side flow uses a series of redirects and doesn't require any Javascript. Neither Facebook flow really calls itself OAuth, though the latter refers to it implicitly.

    You asked about a "one-time code". That's a part of the Authorization Code flow described in section 4.1 of the OAuth2 specification. The server-side Facebook flow described above seems to be quite close to the specification, and the documentation describes how to get this code and exchange it for an access token. You could do it using the redirects, or you could write some Javascript to hit that endpoint in an XHR and then extract the code yourself and pass it to the server.

    But you could also use the Javascript SDK to do essentially the same thing. It is based around the Implicit, browser-driven flow described in section 4.2 of the specification. In that case, the client is issued a short-lived access token. However, it can send that token to the server, and the server can then exchange it for a long-lived access token, similar to the use case of the one-time code. That process is described in the Javascript SDK documentation.

    All of this is to say that I wouldn't worry too much about what is or isn't "OAuth". Most of these authorization services are based on the same basic OAuth concepts, but because the specification is quite general none of them work exactly the same way. Just figure out which flow works best for your application and use that.