I'm working on an Android app where there is an existing authentication system, based on email/password.
Whenever the user successfully logs in with username and password, a JWT token is created and returned to the app for making the authenticated calls.
Now I want to support Facebook Login, however some steps of the OAuth communication are not super clear to me. I searched the documentation but it seems to be a bit vague.
This is the process as I envision it:
- User clicks on the Facebook button
- The app asks the server for a state token `821379812739871293` and calls the FB URL configured like so: `https://www.facebook.com/v3.2/dialog/oauth?client_id=123&redirect_uri=https://<myappdomain.some>/fb-callback&state=821379812739871293`
- The app opens a webview where the user can accept to log in and share the email address
- Facebook redirects to `redirect_uri` with something like this: `https://<myappdomain.some>/fb-callback?code=h21i3i2h13&state=821379812739871293`
- Within the callback call, the server:
  - checks if the state token exists, otherwise it rejects the FB callback
  - uses `https://graph.facebook.com/v3.2/oauth/access_token` to obtain the `access_token`
  - uses the FB APIs to retrieve the email address (have to check how to do this, but it should be enough to call `/me`)
  - if the email exists (sometimes it does not), it tries to find an existing user in the DB or adds a new one
  - [ UNCLEAR PART ] the callback returns a redirect to some OS-registered URL like `http://<myappdomain.some>/login-success?apiKey=<jwt-token>`
- [ UNCLEAR PART ] the app reads the API key from the URL and proceeds to make the calls to the backend
Is this correct/common practice?
Thanks!
EDIT: to clarify, I've seen this answer, however it is bad practice to store the client secret on the app side. Moreover, in future I might integrate Instagram and LinkedIn authentications which seem to not allow or discourage bypassing the server with implicit oauth.
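As an added illustration (not code from the question or from Facebook's SDK), here is the server-side part of the flow above: issuing the state token, building the dialog URL, and validating the state on the callback before exchanging the code. The token exchange is injected as a function so the block runs offline; the client ID, redirect URI and example code are the placeholder values from the question.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

# Values taken from the question; the client secret stays on the server only.
FB_AUTH_URL = "https://www.facebook.com/v3.2/dialog/oauth"
FB_TOKEN_URL = "https://graph.facebook.com/v3.2/oauth/access_token"
CLIENT_ID = "123"
REDIRECT_URI = "https://<myappdomain.some>/fb-callback"

# Issued state tokens mapped to their expiry (unix time). Assumption: one server
# process; a multi-process deployment would keep this in a shared store instead.
_states = {}
STATE_TTL = 600  # seconds a state token stays valid

def issue_state():
    """Step 2 of the flow: the server hands the app an unguessable state token."""
    state = secrets.token_urlsafe(32)
    _states[state] = time.time() + STATE_TTL
    return state

def build_auth_url(state):
    """Step 3: the dialog URL the app opens; the 'email' scope requests the address."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": state, "scope": "email"}
    return FB_AUTH_URL + "?" + urlencode(params)

def consume_state(state):
    """Callback check: the state must be known and unexpired, and it is deleted
    on first use so a replayed or forged callback is rejected."""
    now = time.time()
    for known, expiry in list(_states.items()):
        if expiry < now:
            del _states[known]
        elif hmac.compare_digest(known.encode(), state.encode()):
            del _states[known]
            return True
    return False

def handle_callback(query, exchange_code):
    """Server side of the redirect_uri request. `query` is the parsed query string;
    `exchange_code(code)` is the POST to FB_TOKEN_URL (client_id, client_secret,
    redirect_uri, code) and is injected here so the example runs without network."""
    state = query.get("state", "")
    code = query.get("code", "")
    if not code or not consume_state(state):
        return None  # reject: missing code, or unknown/expired/reused state
    return exchange_code(code)
```

The state is single-use, so a second request with the same `state` (a replayed callback) is rejected even though the token was genuinely issued.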