Step-by-Step
To demonstrate this flow, we’ll use Facebook’s implementation of App Login with the App Insights service.
Step 1: Exchange the application’s credentials for an access token
The application needs to request an access token from the authorization server, authenticating the request with its client credentials.
You can find the authorization server’s token URL in the API provider’s documentation. For Facebook, the URL is
https://graph.facebook.com/oauth/access_token
Here are the required POST
parameters:
grant_typeSpecified as “client_credentials” for this flow.
client_idThe value provided to you when you registered your application.
client_secretThe value provided to you when you registered your application.
Here’s an example request via the curl command-line HTTP client:
curl -d "grant_type=client_credentials\ &client_id=2016271111111117128396\ &client_secret=904b98aaaaaaac1c92381d2" \ https://graph.facebook.com/oauth/access_token
If the client credentials are successfully authenticated, an
access token is returned to the client. As Facebook has implemented an
earlier version of the OAuth 2.0 specification as of the time of this
writing, it returns the access_token
in the body of the response using form url-encoding:
access_token=2016271111111117128396|8VG0riNauEzttXkUXBtUbw
The latest draft of the spec (v22) states that the authorization
server should instead return an application/json response containing the
access_token:
{ "access_token":"2016271111111117128396|8VG0riNauEzttXkUXBtUbw" ...Get Getting Started with OAuth 2.0 now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
