How to authenticate client on multiple OAuth2 providers?

Question

My REST API (api.example.com) is currently an OAuth2 provider and has been the support of a mobile app.

Recently we have created a new web-site(www.example.com) which will be treated like any other client. The web can authenticate on the API by using a password grant_type where a user types in her credentials. From there the client(browser) gets an access token and can than consume the API.

The problem comes that we want to authenticate clients on the web-page using Facebook.

So basically, the web should in the end be able to get an user access token to access the API by logging in via Facebook.

I've looked around and I've seen two legged and three legged OAuth2 authentication scenarios but:

• How does that applies on the scenario I just described?
• What is the right way of doing this?
• What are the security issues I should take into account?

Answer 1

Here is one way to go about this:

When a client authenticates with facebook, on mobile using their SDK or for instance on the web using the authorise method, it will get a facebook access token.

If your API is also an OAuth2 provider and you want to then login the client(issue an access token) using the facebook token you just got you can do this by using extension grants(https://www.rfc-editor.org/rfc/rfc6749#section-4.5).

Here, the same way OAuth2 has a password_grant type, you could create an extension grant called, for instance facebook_access_token_grant, and send that facebook token to the API. If the token is valid than the API issues an app access token that can be used by the client on subsequent requests.

The steps are:

• 1 - Client gets an access token from facebook. On mobile devices will be using the Facebook SDK, on web apps can be with the javascript login thing or using the authorise method where the browser is redirected to facebook and so on.

• 2 - After getting the facebook access token, the client requests a access token from the API by posting:

POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

    client_id={{ client_id }}&client_secret={{ client_secret }}&grant_type=facebook_access_token&facebook_access_token={{ TOKEN }}

• 3 - API debugs the facebook_access_token with a https://graph.facebook.com/me?access_token=TOKEN. If everything validates the API issues a bearer token to the client by responding something like:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"API_ACCESS_TOKEN",
  "username":"theuser",
  "expires_in":3600,
  "refresh_token":"API_REFRESH_TOKEN",
}

• 4 - Client uses that token on subsequent calls to the API.

GET /some_endpoint HTTP/1.1
Host: server.example.com
Authorization: Bearer API_ACCESS_TOKEN

Make sure you do all this over a secure connection(TLS) so that you don't violate https://www.rfc-editor.org/rfc/rfc6749#section-1.6 and all this should be according OAuth2 protocol.

Answer 2

You have to have user login both and then connect them using email