UPDATE: see below
I’ve been thinking hard about this question too. It’s not entirely clear to me yet, but here’s the route I am thinking of going. I am creating a REST API and my users only auth with Facebook connect.
On the CLIENT:
- Use the Facebook API to login and get an OAUTH2 code.
- Exchange this code for an access token.
- In every call to my custom API I’ll include the Facebook user id and the access token.
On the API (for every method that requires user authentication):
- Make a request to the /me Facebook graph using the access token from above.
- Verify that the Facebook user id returned matches the user id passed to my API from above.
- If the access token has expired additional communication is required.
I have yet to test this. How does it sound?
— Update: July 27th, 2014 to answer question —
I only use the above exchange once upon login. Once I determine which user is logging in, I create my own access token, and that token is used from that point going forward. So the new flow looks like this…
On the CLIENT:
- Use the Facebook API to login and get an OAUTH2 code.
- Exchange this code for an access token.
- Request an access token from my API, including the Facebook token as a parameter.
On the API:
- Receive the access token request.
- Make a request to the /me Facebook graph using the Facebook access token.
- Verify that the Facebook user exists and match it to a user in my database.
- Create my own access token, save it and return it to the client to be used from this point forward.
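The updated flow above (verify the Facebook token against /me once, match the user, then issue the API's own token) as an added, self-contained Python example. This is not code from the answer's author: the Graph API call is replaced by a constructed in-memory stand-in (`graph_me`, `FAKE_GRAPH_TOKENS`), the user and session stores are plain dictionaries, and the token time-to-live and all ids are made-up values. It also covers the expired-Facebook-token case from the first flow, and the id-mismatch check from that flow, since both are cheap to keep when doing the one-time exchange.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for GET https://graph.facebook.com/me?access_token=...
# Maps a Facebook access token to the user id Facebook would report for it and
# an absolute expiry timestamp. Values are invented for this example.
FAKE_GRAPH_TOKENS = {
    "fb-token-alice": {"id": "1001", "expires_at": 4_000_000_000},
    "fb-token-bob-expired": {"id": "1002", "expires_at": 1_000_000_000},
}


class GraphError(Exception):
    """Raised where the real Graph API would return an OAuth error."""


def graph_me(fb_access_token: str, now: float) -> str:
    """Return the Facebook user id bound to a token, or raise GraphError."""
    rec = FAKE_GRAPH_TOKENS.get(fb_access_token)
    if rec is None:
        raise GraphError("invalid token")
    if rec["expires_at"] <= now:
        raise GraphError("token expired")  # client must re-login with Facebook
    return rec["id"]


# Application-side stores (constructed). In practice these are database tables.
USERS = {"1001": "alice", "1002": "bob"}  # Facebook user id -> app user name


@dataclass
class Session:
    user: str
    expires_at: float


SESSIONS: dict[str, Session] = {}  # API access token -> session
TOKEN_TTL = 24 * 3600  # assumed lifetime of the API's own token, in seconds


def login(fb_access_token: str, claimed_fb_id: str, now: Optional[float] = None) -> Optional[str]:
    """One-time exchange: Facebook token in, API token out (None on any failure)."""
    now = time.time() if now is None else now
    try:
        fb_id = graph_me(fb_access_token, now)
    except GraphError:
        return None
    # The token decides who the caller is; the id the client sent must agree with it.
    if fb_id != claimed_fb_id:
        return None
    user = USERS.get(fb_id)
    if user is None:
        return None  # Facebook user is real but has no account here
    # Opaque, random, server-stored token with its own expiry; the Facebook
    # token is not kept and is never needed again for this session.
    api_token = secrets.token_urlsafe(32)
    SESSIONS[api_token] = Session(user=user, expires_at=now + TOKEN_TTL)
    return api_token


def authenticate(api_token: str, now: Optional[float] = None) -> Optional[str]:
    """Per-request check used by every protected API method: returns the user or None."""
    now = time.time() if now is None else now
    session = SESSIONS.get(api_token)
    if session is None:
        return None
    if session.expires_at <= now:
        del SESSIONS[api_token]  # expired sessions are dropped on first sight
        return None
    return session.user


if __name__ == "__main__":
    t = login("fb-token-alice", "1001")
    print("issued:", t is not None, "user:", authenticate(t))
```

Every protected route calls `authenticate` with the API token from the request; only `login` ever talks to Facebook. Because the API token is random and looked up server-side, revoking a session is deleting its entry, and a leaked API token never exposes the Facebook token.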