OAuth

Resource providers

See the difference

How does it work

Let's create a new app

OAuth grant types (flows)

  • Authorization Code Flow
  • Implicit Flow
  • Password Credentials Flow
  • Client Credentials Flow

Authorization Code Flow

Step 1: redirect the user to the authorization dialog (response_type=code):

https://www.facebook.com/v2.11/dialog/oauth?
   client_id={app-id}
   &redirect_uri={redirect-uri}
   &state=some_string
   &scope=comma,separated,list,of,permissions
   &response_type=code

Step 2: the user is sent back to the app with a short-lived code:

YOUR_REDIRECT_URI?
    code=xxx

Step 3: the app's server exchanges the code, together with the app secret, for an access token:

GET https://graph.facebook.com/v2.11/oauth/access_token?
   client_id={app-id}
   &redirect_uri={redirect-uri}
   &client_secret={app-secret}
   &code=xxx

Step 4: the token is returned:

YOUR_REDIRECT_URI?
    access_token={access-token}
    &token_type={type}
    &expires_in={seconds-til-expiration}

Or a proper JSON response
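The client side of the Authorization Code Flow above, as an added example (not code from the slides): it builds the dialog URL, checks the `state` value on the way back before accepting the code, and builds the code-for-token request. The app id, secret, redirect URI and callback URL are constructed sample values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints as shown on the slides
AUTHORIZE_URL = "https://www.facebook.com/v2.11/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/v2.11/oauth/access_token"


def new_state() -> str:
    """Unguessable per-login state; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(app_id: str, redirect_uri: str, scope: list[str], state: str) -> str:
    """Step 1: the URL the browser is sent to (response_type=code)."""
    params = {
        "client_id": app_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": ",".join(scope),        # comma-separated list of permissions
        "response_type": "code",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the code out of YOUR_REDIRECT_URI?code=...&state=...

    The state must match the one saved in the session; otherwise the code may
    belong to a different login (login CSRF) and must not be exchanged.
    """
    q = parse_qs(urlparse(callback_url).query)
    received_state = q.get("state", [""])[0]
    if not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in q:
        raise ValueError(f"authorization denied: {q['error'][0]}")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def build_token_request_url(app_id: str, app_secret: str, redirect_uri: str, code: str) -> str:
    """Step 3: server-to-server request; the app secret never reaches the browser."""
    params = {
        "client_id": app_id,
        "redirect_uri": redirect_uri,   # must equal the one used in step 1
        "client_secret": app_secret,
        "code": code,
    }
    return TOKEN_URL + "?" + urlencode(params)
```

The returned token request URL is what the backend fetches in step 3; the response is the query-string or JSON body shown in step 4.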

Implicit Flow

Redirect the user to the dialog with response_type=token:

https://www.facebook.com/v2.11/dialog/oauth?
   client_id={app-id}
   &redirect_uri={redirect-uri}
   &state=some_string
   &scope=comma,separated,list,of,permissions
   &response_type=token

The access token comes straight back in the redirect, with no code exchange:

YOUR_REDIRECT_URI?
    access_token={access-token}
    &token_type={type}
    &expires_in={seconds-til-expiration}

If no redirect URI is specified (mobile or desktop app), the token is returned in the URL fragment:

https://www.facebook.com/connect/login_success.html#
    access_token=ACCESS_TOKEN...

Password Credentials Flow

Client Credentials Flow

GET /oauth/access_token
    ?client_id={app-id}
    &client_secret={app-secret}
    &grant_type=client_credentials

Returns JSON containing the access token.

Know What Grant Type to Use

  • A server-side web app - Authorization code
  • A client-side web app (or mobile app) - Implicit
  • An integration with an OAuth service - Password credentials
  • An application that doesn’t interact with user data - Client Credentials

Thanks for your attention!