The typical OAuth2 flow

The “Login with Facebook” flow runs very much according to the OAuth2 protocol, proceeding as you would expect. If you are not familiar with OAuth2, we will walk through an example here to illustrate how the “Login with Facebook” flow works. By the end of this lesson, you will be equipped to navigate OAuth2 flows not only for Facebook but also for other providers including:

  • Google
  • Twitter
  • GitHub
  • StackExchange

Previously we talked about the difference between authentication and authorization. Recall that authentication is the verification of a user’s identity, while authorization is that user giving permission to access their resources. This all comes into play when we talk about OAuth2 and Facebook Login.

Owners, resources, servers, and clients

In the OAuth2 world, any piece of data is a resource. A user’s name, email address, most recently liked post, list of friends — each of these are resources. The resource owner is the user.

Facebook users own their data, so that means Facebook users are the resource owners of their Facebook data. Because Facebook data (resources) resides on a Facebook server, that server is called the resource server.

A client is a third-party application that is requesting access to resources that it does not own. To do this, it needs the resource owner to authorize the client to access those resources. The negotiation of this permission happens through the authorization server.

In many cases, the resource server and the authorization server are one and the same. This is the case for Facebook, where requests for authorization and requests for resources are both directed to graph.facebook.com.

A walk-through of the flow

To make this more concrete, let’s consider an example. Let’s assume that we have a web application (the client) named Taco Inspirations. Users of Taco Inspirations allow the application, every Tuesday at noon, to write a Facebook post on their behalf with a taco-themed inspirational quote. Yes… this is a ridiculous web application. But it will work for our example.

Get hands-on with 1400+ tech skills courses.