Step-by-Step
To demonstrate this flow, we’ll use Facebook’s implementation of App Login with the App Insights service.
Step 1: Exchange the application’s credentials for an access token
The application needs to request an access token from the authorization server, authenticating the request with its client credentials.
You can find the authorization server’s token URL in the API provider’s documentation. For Facebook, the URL is
https://graph.facebook.com/oauth/access_token
Here are the required POST parameters:

grant_type: Specified as "client_credentials" for this flow.
client_id: The value provided to you when you registered your application.
client_secret: The value provided to you when you registered your application. Treat it like a password: this flow is only appropriate for confidential clients (code running on a server you control) that can keep the secret away from end users; it must never be embedded in a mobile app or in browser-side JavaScript.
Here's an example request via the curl command-line HTTP client (the backslashes continue the command across lines, including inside the quoted body):

curl -d "grant_type=client_credentials\
&client_id=2016271111111117128396\
&client_secret=904b98aaaaaaac1c92381d2" \
https://graph.facebook.com/oauth/access_token

The credentials are sent in the POST body over HTTPS, not in the query string, so they do not appear in the authorization server's access logs. Bear in mind that a secret typed on the command line still ends up in your shell history and in the process listing, so for anything beyond a quick test read it from a file or the environment instead.
If the client credentials are successfully authenticated, an access token is returned to the client. As Facebook has implemented an earlier version of the OAuth 2.0 specification as of the time of this writing, it returns the access_token in the body of the response using form URL-encoding:
access_token=2016271111111117128396|8VG0riNauEzttXkUXBtUbw
The latest draft of the spec (v22) states that the authorization server should instead return an application/json response containing the access_token:
{ "access_token":"2016271111111117128396|8VG0riNauEzttXkUXBtUbw" ...
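The complete exchange, as an added Python example that is not from the book and not Facebook's own code: it builds the token request with the credentials in the POST body, refuses a non-HTTPS endpoint, and accepts both the form-encoded body Facebook returned at the time of writing and the application/json body the current specification requires. The client_id and client_secret values are the placeholders shown above, not real credentials, and the function names (build_token_request, parse_token_response, exchange_client_credentials) are this example's own.

```python
import json
import urllib.parse
import urllib.request

# Placeholder values copied from the text above; substitute the ones issued
# to you at app registration. They are not real credentials.
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
CLIENT_ID = "2016271111111117128396"
CLIENT_SECRET = "904b98aaaaaaac1c92381d2"


def build_token_request(token_url, client_id, client_secret):
    """Return a urllib Request for the client_credentials grant.

    The credentials travel in the form-encoded POST body over TLS, never in
    the query string, so they stay out of server access logs (and out of
    shell history, unlike a curl one-liner).
    """
    if not token_url.startswith("https://"):
        raise ValueError("token endpoint must use HTTPS; the body carries a secret")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        token_url,
        data=body,
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


def parse_token_response(content_type, body):
    """Extract the token from either response style described in the text.

    Older draft (Facebook at the time):  access_token=...|...   (form-encoded)
    Current spec:                         {"access_token": "...", ...} (JSON)
    Returns a dict containing at least "access_token"; raises ValueError
    on an error response or a body with no usable token.
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8")
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("JSON token response must be an object")
    else:
        # Form-encoded (or untyped text/plain) body; parse_qs returns lists
        # and strict_parsing makes malformed pairs raise instead of vanish.
        pairs = urllib.parse.parse_qs(body, strict_parsing=True)
        data = {k: v[0] for k, v in pairs.items()}
    if "error" in data:
        raise ValueError("token endpoint returned error: %s" % data["error"])
    token = data.get("access_token")
    if not token or not isinstance(token, str):
        raise ValueError("response carries no access_token")
    return data


def exchange_client_credentials(token_url, client_id, client_secret, opener=None):
    """Perform the exchange against a live endpoint (needs network access)."""
    opener = opener or urllib.request.build_opener()
    req = build_token_request(token_url, client_id, client_secret)
    with opener.open(req, timeout=10) as resp:
        return parse_token_response(resp.headers.get("Content-Type"), resp.read())


if __name__ == "__main__":
    # Offline demonstration on the two response bodies quoted in the text.
    legacy = "access_token=2016271111111117128396|8VG0riNauEzttXkUXBtUbw"
    print(parse_token_response("text/plain", legacy))
    modern = b'{"access_token":"2016271111111117128396|8VG0riNauEzttXkUXBtUbw","token_type":"bearer"}'
    print(parse_token_response("application/json; charset=utf-8", modern))
```

Dispatching on the Content-Type header rather than sniffing the body keeps the parser honest about which draft the server is speaking, and the error branch matters in practice: a server that rejects the client_secret answers with an error object, and treating any 200 body as a token leads to confusing failures later at the protected resource.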