OAUTH 2.0

For more details about OAuth 2.0, read this article. In this tutorial, we introduce the 2 basic steps of authenticating with OAuth 2.0. Before getting started, you must have a client ID and client secret for the specific API you are integrating with.

How it works?

[Figure: OAuth 2.0 flow diagram]

Step 1: Request an Authorization Code

To request an authorization code, you must direct the user's browser to the OAuth 2.0 authorization endpoint (e.g. https://www.facebook.com/v2.8/dialog/oauth).

- Parameters

  • response_type: The value of this field should always be: code
  • client_id: The client ID (API key) you received when you registered your application.
  • redirect_uri: The URI your users will be sent back to after authorization. This value must exactly match one of the OAuth 2.0 Redirect URLs defined in your application configuration. Some providers require https.
  • state: A unique, unguessable string of your choice. Your application stores it and checks that the same value comes back in the callback; this is what prevents CSRF against the callback endpoint.
  • scope: The permissions your application requests on the user's data.

- Example: 

  • https://www.facebook.com/v2.8/dialog/oauth?client_id=733863700093941
    &state=7789
    &response_type=code
    &redirect_uri=http://yourdomain/facebook-callback.php
    &scope=email

After granting access to your app, the user is redirected to your redirect_uri with the authorization code (and the state value you sent, which you must verify before using the code):

  • http://yourdomain/facebook-callback.php?code=AQAjMXOYZ1pLf8Mw0_rQEOAmLz1Cvwx_DhrLrmqvYRER_mLjZc9-aMEf0_3s_bZ5mgFPYFWSlv50DNgUTGkNix_qksss264VjBt94z4LAiFI4hk_Bj6nvaKfbdhpSm_lfoL0XGqXLDk6HDEEyTIrRFM7ZZrUC3pbvXE7iaiAq0qM8f9MgrSIQO9DVf4JWkgojOza2HYYKm-l5aWx22ora9VT4EYq3PI6PYhuBJi_UOFyBAXdlpBcj4srrzjKOiOZL-oktwXvMComkGPGAtjz6Ltt9VTo_kgTc4jSjD2rj0tjjKGhqFb3Ik6J3SSB3GHTMpowiqcGzAltXpZiqpT910qJ&state=7789#_=_

Step 2: Exchange Authorization Code for an Access Token

The final step towards obtaining an access token is for your application to exchange the authorization code for one. This request goes directly from your server to the token endpoint, since it carries the client secret.

- Parameters 

  • grant_type: The value of this field should always be: authorization_code
  • code: The authorization code you received in Step 1
  • redirect_uri: The same 'redirect_uri' value that you passed in the previous step.
  • client_id: Your client ID key
  • client_secret: Your client secret key (never expose it in browser-side code)

- Example 

  • POST /v2.8/oauth/access_token HTTP/1.1
    Host: graph.facebook.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=authorization_code&code=AQAjMXOYZ1pLf8Mw0_rQEOAmLz1Cvwx_DhrLrmqvYRER_mLjZc9-aMEf0_3s_bZ5mgFPYFWSlv50DNgUTGkNix_qksss264VjBt94z4LAiFI4hk_Bj6nvaKfbdhpSm_lfoL0XGqXLDk6HDEEyTIrRFM7ZZrUC3pbvXE7iaiAq0qM8f9MgrSIQO9DVf4JWkgojOza2HYYKm-l5aWx22ora9VT4EYq3PI6PYhuBJi_UOFyBAXdlpBcj4srrzjKOiOZL-oktwXvMComkGPGAtjz6Ltt9VTo_kgTc4jSjD2rj0tjjKGhqFb3Ik6J3SSB3GHTMpowiqcGzAltXpZiqpT910qJ&redirect_uri=http%3A%2F%2Fyourdomain%2Ffacebook-callback.php&client_id=123456789&client_secret=shhdonottell

Step 3: Make authenticated requests to API

Once you have retrieved the access_token in Step 2, make authenticated requests to the API by sending the access_token in the Authorization request header (not in the query string, where it would end up in logs and referrers):

- Example

  • GET /v2.8/me HTTP/1.1
    Host: graph.facebook.com
    Connection: Keep-Alive
    Authorization: Bearer AQXdSP_W41_UPs5ioT_t8HESyODB4FqbkJ8LrV_5mff4gPODzOYR
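The three steps above as a small client-side helper module. This is an added example, not code from the original tutorial or from Facebook; the endpoint paths are the ones shown above, while the client ID, redirect URI and all token values are constructed placeholders. It generates a random state, refuses a callback whose state does not match (the CSRF check Step 1 describes), and builds the Step 2 and Step 3 requests without sending them, so it runs offline.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint paths from the tutorial; every other value used with this
# module (client id, secret, redirect URI, tokens) is a constructed sample.
AUTHORIZE_URL = "https://www.facebook.com/v2.8/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/v2.8/oauth/access_token"
API_URL = "https://graph.facebook.com/v2.8/me"

def new_state():
    """Step 1: a random, unguessable state; keep it in the user's session."""
    return secrets.token_urlsafe(32)

def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 1: the URL the user's browser is redirected to."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Callback handler: verify state (CSRF check) before trusting the code."""
    query = parse_qs(urlparse(callback_url).query)  # the #_=_ fragment is ignored
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:  # user denied access or the provider reported an error
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def build_token_request(code, redirect_uri, client_id, client_secret):
    """Step 2: server-to-server POST; redirect_uri must equal the Step 1 value."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body

def build_api_request(access_token):
    """Step 3: the token travels in the Authorization header, not the URL."""
    return API_URL, {"Authorization": "Bearer " + access_token}

if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url("733863700093941",
                                  "http://yourdomain/facebook-callback.php",
                                  "email", state))
```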