Here is one way to go about this:
When a client authenticates with Facebook, on mobile using their SDK or for instance on the web using the authorise method, it gets a Facebook access token.
If your API is also an OAuth2 provider and you want to log the client in (issue an access token) using the Facebook token it just got, you can do this with extension grants (https://www.rfc-editor.org/rfc/rfc6749#section-4.5).
In the same way OAuth2 has a password grant type, you could create an extension grant called, for instance, facebook_access_token, and send the Facebook token to the API. If the token is valid, the API issues an app access token that the client uses on subsequent requests.
The steps are:
1 - Client gets an access token from Facebook. On mobile devices this is done with the Facebook SDK; on web apps it can be the JavaScript login or the authorise method, where the browser is redirected to Facebook and so on.
2 - After getting the Facebook access token, the client requests an access token from the API by posting:
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

client_id={{ client_id }}&client_secret={{ client_secret }}&grant_type=facebook_access_token&facebook_access_token={{ TOKEN }}
3 - API validates the facebook_access_token with a call to https://graph.facebook.com/me?access_token=TOKEN. If everything validates, the API issues a bearer token to the client by responding with something like:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{ "access_token":"API_ACCESS_TOKEN", "token_type":"Bearer", "username":"theuser", "expires_in":3600, "refresh_token":"API_REFRESH_TOKEN" }
4 - Client uses that token on subsequent calls to the API.
GET /some_endpoint HTTP/1.1
Host: server.example.com
Authorization: Bearer API_ACCESS_TOKEN
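As an added example (not code from the original answer), here is a minimal token-endpoint handler for this extension grant in Python: it authenticates the client, checks grant_type, asks the verifier what Facebook says about the token (step 3) and issues the bearer token response. The client registry, the name handle_token_request and the offline stand-in for graph.facebook.com/me are assumptions made for the example.

```python
import json
import secrets
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode
from urllib.request import urlopen

GRANT_TYPE = "facebook_access_token"          # extension grant name used above
CLIENTS = {"my_client_id": "my_client_secret"}  # hypothetical registered client

def facebook_me(token: str) -> Optional[dict]:
    """Step 3 against the real Graph API: GET /me?access_token=TOKEN (needs network).
    Hardening note: a real deployment should also confirm the token was issued for
    its own Facebook app (Graph API debug_token), not just that it is a valid token."""
    try:
        with urlopen("https://graph.facebook.com/me?" + urlencode({"access_token": token})) as r:
            return json.load(r)
    except Exception:
        return None

def fake_facebook_me(token: str) -> Optional[dict]:
    """Constructed offline stand-in for facebook_me, so the example runs without network."""
    return {"id": "1234567890", "name": "theuser"} if token == "VALID_FB_TOKEN" else None

def handle_token_request(body: str, verify: Callable[[str], Optional[dict]]):
    """Handle POST /token for the facebook_access_token grant.
    Returns (http_status, response_headers, json_body)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    headers = {"Content-Type": "application/json;charset=UTF-8",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    # Client authentication, exactly as for the password grant.
    expected = CLIENTS.get(form.get("client_id", ""))
    if expected is None or not secrets.compare_digest(expected, form.get("client_secret", "")):
        return 401, headers, {"error": "invalid_client"}
    if form.get("grant_type") != GRANT_TYPE:
        return 400, headers, {"error": "unsupported_grant_type"}
    fb_token = form.get("facebook_access_token")
    if not fb_token:
        return 400, headers, {"error": "invalid_request"}
    profile = verify(fb_token)                  # step 3: who does Facebook say this is?
    if not profile or "id" not in profile:
        return 400, headers, {"error": "invalid_grant"}
    return 200, headers, {                      # step 3 response, RFC 6749 section 5.1 shape
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": secrets.token_urlsafe(32),
        "username": profile.get("name", profile["id"]),
    }
```

Pass facebook_me as the verifier in a real server and fake_facebook_me when exercising the handler offline.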
Make sure you do all this over a secure connection (TLS) so that you don't violate https://www.rfc-editor.org/rfc/rfc6749#section-1.6, and all of this should follow the OAuth2 protocol.