How does Facebook match an access token to the consuming application?
11-11-2019
Question
I have been trying to wrap my head around creating a RESTful API using OAuth for both 2-legged and 3-legged authentication scenarios. I have read a lot of articles and I am at the moment just very confused. I am now looking through various API implementations to gain a better understanding.
While looking through a Facebook API service consumption implementation, after getting an access token, I noticed the following URL structure for a resource request:
https://graph.facebook.com/me?access_token={access_token}
I was thinking the app_key and the secret_key of the consumer will also be passed as parameters.
I am imagining a scenario where 'offline_access' is part of the permission scope. What if this access token is passed by another application? How does Facebook validate that it is the right consumer?
Thank you.
No correct solution