Architecting OAuth 2.0

After you understand how OAuth 2.0 works, you can start building your own implementation. You need some basic pieces set up to manage a simple OAuth flow:

  • An initial redirect: This code redirects the user to the identity provider's authentication flow. For Facebook, this is the login screen on Facebook.com that usually appears in a pop-up on Web sites you visit. Your code just needs to redirect the user (or open a pop-up) to a given URL on the domain from which you are requesting permission. You also need to pass a callback URL along with that redirect to identify where the user will be sent after he logs in. Check the developer docs of the provider you are using to find out what this URL is.
  • The callback: You pass this URL with the redirect so that the identity provider knows where to send the user after she logs in. After the user logs in to the authenticating site (such as Facebook.com), the user is taken back to this URL on your servers. You need to write code at this URL that receives the access token and either stores it somewhere or uses it to make API calls when the user comes back to your site.

    The above callback works simply with OAuth 2.0. In earlier versions of OAuth, it wasn't quite this simple. If you have done OAuth before, you might be familiar with “request tokens.” These are tokens that you get on the back end (server side) to identify yourself with the identity ...
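The two pieces described above, the redirect and the callback, as an added example that is not code from the book or from Facebook. It implements the server-side (authorization code) variant of the flow in plain Python: the redirect step builds the provider's authorization URL and stores a random `state` in the user's session, and the callback step checks that `state` before exchanging the returned code for an access token. The endpoint URLs, client ID and callback URL are placeholders, and the session is a plain dict standing in for a real server-side session; the token exchange is passed in as a function so the flow can be exercised offline with a stand-in exchanger.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder provider endpoints and client settings (constructed for this
# example; substitute the values from your provider's developer docs).
AUTHORIZE_URL = "https://idp.example/oauth/authorize"
TOKEN_URL = "https://idp.example/oauth/token"
CLIENT_ID = "example-client-id"
CALLBACK_URL = "https://app.example/oauth/callback"


def query_params(url: str) -> dict:
    """Return the query string of `url` as a flat {name: first_value} dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_redirect(session: dict, scope: str = "email") -> str:
    """Step 1: build the URL the user's browser is redirected to.

    A fresh random `state` is stored in the caller's session so the callback
    can verify that the response belongs to this login attempt (CSRF defence).
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,  # where the provider sends the user back
        "response_type": "code",       # ask for an authorization code
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, exchange_code) -> dict:
    """Step 2: handle the request the provider redirected the user to.

    `callback_url` is the full URL the user arrived at; `exchange_code` is a
    function that trades the authorization code for a token payload.
    Raises ValueError on a provider error, missing code, or bad state.
    """
    query = query_params(callback_url)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error']}")

    # The stored state is popped so a replayed callback URL cannot be reused.
    expected = session.pop("oauth_state", None)
    received = query.get("state")
    if not expected or received is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise ValueError("state mismatch: possible CSRF or replayed callback")

    code = query.get("code")
    if not code:
        raise ValueError("callback carried no authorization code")
    return exchange_code(code)


def token_request_body(code: str, client_secret: str) -> dict:
    """Form fields a client POSTs to the provider's token endpoint to exchange
    the code. This is the generic OAuth 2.0 shape; the POST itself is left to
    whatever HTTP client your app uses so this example stays offline."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": CALLBACK_URL,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
    }


def demo() -> dict:
    """Walk the whole flow with a stand-in exchanger instead of a real provider."""
    session = {}
    redirect_to = build_redirect(session)
    # Simulate the provider sending the user back with a (constructed) code.
    returned = f"{CALLBACK_URL}?code=constructed-code&state={session['oauth_state']}"
    fake_exchange = lambda code: {"access_token": f"tok-for-{code}", "token_type": "bearer"}
    token = handle_callback(session, returned, fake_exchange)
    return {"redirect": redirect_to, "token": token}


if __name__ == "__main__":
    print(demo())
```

The `state` check is the part of the callback that is easiest to leave out and most worth keeping: without it, any callback URL with a valid-looking code is accepted, so the callback handler should reject a missing, mismatched, or already-consumed `state` before it touches the code.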
