We had created our own password grant type, where the user sent his username and password over the wire, our server validated them, and he received an access token. Although this works, we would like to stop users from sending a username and password over the wire at all. To achieve that, in this tutorial we will create a new grant type, a Facebook grant type, where the user sends us an access token that he obtained from the Facebook OAuth server. We will validate that access token and then issue him an access token of our own, which he can use to access resources on our server. As you can see, at no point in this process does the user have to send his username and password to our server.
As per the flow, we will first log in to the front-end application, where we have implemented Facebook login. When the user logs in, Facebook lets us obtain an access token along with the user object.
We will send this access token to a URL on our server, where we first validate, using the Facebook SDK, that the access token is a valid one issued by the Facebook server. Once we know the access token is valid, we check whether the user already exists in our database. If he does, we update his profile; if not, we create his user account. That account will not have any password, because he will not be able to log in to our application with this account directly.
And lastly, we will send him an access token, just as we were doing with the password grant type.
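The three steps above, validate the Facebook token, find or create the user, issue our own token, as an added example in Python. This is not the tutorial's code and it does not use the Facebook SDK: the two Facebook calls are injected callables (`debug_token`, standing in for the Graph API token-inspection call, and `fetch_profile`, standing in for the profile call), and the fake versions at the bottom are constructed so the example runs offline. The user store is an in-memory dict in place of the database, and `APP_ID` is a placeholder.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

APP_ID = "123456789"  # constructed placeholder for our own Facebook app id


def _digest(token: str) -> str:
    # Only the hash of an issued token is stored, so a leaked store does not leak tokens
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class User:
    facebook_id: str
    name: str
    email: str
    password_hash: Optional[str] = None  # stays None: this account never gets a password


class FacebookGrant:
    """Exchanges a Facebook user access token for one of our own access tokens."""

    def __init__(self, debug_token: Callable[[str], dict],
                 fetch_profile: Callable[[str], dict],
                 users: dict, token_ttl: int = 3600):
        self._debug_token = debug_token      # hypothetical wrapper: inspects a Facebook token
        self._fetch_profile = fetch_profile  # hypothetical wrapper: fetches name/email
        self._users = users                  # facebook_id -> User, standing in for our DB
        self._tokens: dict = {}              # sha256(token) -> (facebook_id, expiry)
        self._ttl = token_ttl

    def exchange(self, fb_token: str) -> str:
        info = self._debug_token(fb_token)
        # Step 1: the token must be live, and minted for OUR app, not some other app
        if not info.get("is_valid"):
            raise PermissionError("invalid_grant: Facebook rejected the token")
        if info.get("app_id") != APP_ID:
            raise PermissionError("invalid_grant: token belongs to a different app")
        if info.get("expires_at", 0) <= time.time():
            raise PermissionError("invalid_grant: Facebook token has expired")
        # Step 2: find or create the user, keyed on Facebook's user id rather than on email
        profile = self._fetch_profile(fb_token)
        fb_id = str(info["user_id"])
        user = self._users.get(fb_id)
        if user is None:
            user = User(facebook_id=fb_id, name=profile["name"], email=profile["email"])
            self._users[fb_id] = user
        else:
            user.name, user.email = profile["name"], profile["email"]
        # Step 3: issue our own random bearer token with an expiry
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (fb_id, time.time() + self._ttl)
        return token

    def introspect(self, token: str) -> Optional[User]:
        """Resolve one of our tokens to its user, or None if unknown or expired."""
        entry = self._tokens.get(_digest(token))
        if entry is None:
            return None
        fb_id, expiry = entry
        if expiry <= time.time():
            del self._tokens[_digest(token)]
            return None
        return self._users.get(fb_id)


# --- constructed stand-in for Facebook, so the example runs offline ---
FAKE_FB_TOKENS = {
    "fb-good": {"is_valid": True, "app_id": APP_ID, "user_id": "1001",
                "expires_at": time.time() + 7200},
    "fb-other-app": {"is_valid": True, "app_id": "999", "user_id": "1001",
                     "expires_at": time.time() + 7200},
}
FAKE_FB_PROFILES = {"fb-good": {"name": "Alice", "email": "alice@example.com"}}


def fake_debug_token(tok: str) -> dict:
    return FAKE_FB_TOKENS.get(tok, {"is_valid": False})


def fake_fetch_profile(tok: str) -> dict:
    return FAKE_FB_PROFILES.get(tok, {})


def demo():
    grant = FacebookGrant(fake_debug_token, fake_fetch_profile, users={})
    our_token = grant.exchange("fb-good")
    return grant, our_token


if __name__ == "__main__":
    grant, tok = demo()
    print("issued", tok[:8] + "...", "for", grant.introspect(tok))
```

The app-id check is the part most easily forgotten: a Facebook token that is valid but was issued to a different app must not be accepted, otherwise any app the user has authorised could mint sessions on our server.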
The advantage of this method is that we do not give the user a sign-up form or a separate set of login credentials to remember, and the user never has to send his sensitive information over the wire. This is especially useful when a mobile application communicates with the server: we cannot store the user's credentials on the device, yet we need to make sure he does not have to log in every time he uses the application. This is exactly what the access token is for, as it can be stored and reused.