[Facebook] Authentication

• Uses the OAuth 2.0 protocol for authentication and authorization.
• Support for Website, mobile and desktop apps.

Supports two different OAuth 2.0 flows for user login

• Server-side
• The authentication code flow in the specification.
• Used whenever you need to call the Graph API from your web server.
• Client-side
• The implicit flow.
• Used when you need to make calls to the Graph API from a client.
• ex: JavaScript running in a Web browser or from a native mobile or desktop app.

Implementation of the OAuth 2.0 involves three different steps

• User authentication
• Ensures that the user is who they say they are
• App authorization
• Ensures that the user knows exactly what data and capabilities they are providing to your app.
• App authentication
• Ensures that the user is giving their information to your app and not someone else.

Server-side Flow

• User authentication and app authorization are handled at the same time by redirecting the user to our OAuth Dialog.
• https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream
• If user login and allow your app permissions and then redirect to your redirect_uri.
• http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER
• With this code in hand, you can proceed to the next step, app authentication, to gain the access token you need to make API calls.
• In order to authenticate your app, you must pass the authorization code and your app secret to the Graph API token endpoint - along with the exact same redirect_uri used above - at https://graph.facebook.com/oauth/access_token.
• https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE
• The diagram below illustrates the HTTP calls made through the server-side flow:

Client-side Flow

• Also uses the OAuth Dialog for user authentication and app authorization. The only difference is that you must specify the response_type parameter with a value of token:
• https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&response_type=token
• If returned
• http://YOUR_URL#access_token=166942940015970%7C2.sa0&expires_in=64090
• Because the access token is passed in an URI fragment, only client-side code (such as JavaScript executing in the browser or desktop code hosting a web control) can retrieve the token.
• The diagram below illustrates the HTTP calls made through the server-side flow:

Alternate Redirect URIs

• Specifying additional App Domains for your app is useful for redirecting users to other servers for geographic distribution of load.
• When redirect_uris are specified in the authentication flows, the user is normally redirected to a path under the Site URL that you specify in the Basic Info section on the Summary tab in the Developer App. 
• However, you can override this behavior and redirect to one or more other related or sub-domains by specifying each domain name in the App Domain field in the Basic Info section of the Summary Tab in the Developer App

You can log a user out of their Facebook session by directing them to the following URL:
https://www.facebook.com/logout.php?next=YOUR_URL&access_token=ACCESS_TOKEN


Also support

• App Login
• Page Login

Cross Site Request Forgery (CSRF)

• Cross site request forgery is an attack in which a trusted (authenticated and authorized) user unknowingly performs an action on website.
• To prevent this attack, you should
• Pass an identifier in the state parameter
• Validate the state parameter matches on the response. 
• We strongly recommend that any app implementing Facebook user login implement CSRF protection using this mechanism.

Related
[Security] OAuth and OpenId


* Reference
- Authentication