OAuth 2.0 Authorization Framework

1. OAuth 2.0

OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.

To get access to the protected resources OAuth 2.0 uses Access Tokens. An Access Token is a string representing the granted permissions.

OAuth Roles

In any OAuth 2.0 flow we can identify the following roles:
  • Resource Owner: the entity that can grant access to a protected resource. Typically this is the end-user.
  • Resource Server: the server hosting the protected resources. This is the API you want to access.
  • Client: the app requesting access to a protected resource on behalf of the Resource Owner.
  • Authorization Server: the server that authenticates the Resource Owner, and issues Access Tokens after getting proper authorization. In this case, Auth0.

Protocol flow

We will now have a more detailed look on how the protocol works. As we will see in a while, OAuth has many "flavors" (called authorization grant types) that you can use. For now we will have a more generic look into the flow.

  1. The Application (Client) asks for authorization from the Resource Owner in order to access the resources.
  2. Provided that the Resource Owner authorizes this access, the Application receives an Authorization Grant. This is a credential representing the Resource Owner's authorization.
  3. The Application requests an Access Token by authenticating with the Authorization Server and giving the Authorization Grant.
  4. Provided that the Application is successfully authenticated and the Authorization Grant is valid, the Authorization Server issues an Access Token and sends it to the Application.
  5. The Application requests access to the protected resource by the Resource Server, and authenticates by presenting the Access Token.
  6. Provided that the Access Token is valid, the Resource Server serves the Application's request.


2. Login Facebook With Oath2.0

2.1. Facebook Manual Login Flow

- Invoking the Login Dialog and Setting the Redirect URL

  GET https://www.facebook.com/v3.2/dialog/oauth?

- Exchanging Code(The parameter received from the Login Dialog redirect above) for an Access Token

   GET https://graph.facebook.com/v3.2/oauth/access_token?

 -Get user info by an access token

   GET https://graph.facebook.com/me?fields=id,...&access_token="xxxxx"


2.2. Facebook Login for the Web with the JavaScript SDK