1👍
Facebook JavaScript/Android/iOS SDKs let the client authenticate the users. Once the user is authenticated with Facebook, your clients can send the accessToken through an HTTP POST over HTTPS.

This is what I have done in a similar situation.

At backend, create an API endpoint to authenticate the user by validating their accessToken:

POST /auth/

Use this endpoint to verify the accessToken sent by the client. The token should be validated by calling Facebook services with your app secret. Once done validating, return a JSON response detailing the status of the authentication and user identification details if successful.

On the request,
- body should contain accessToken as a key, or a header; the Content-Type header should be application/json
- any additional expected headers must be validated

On the request try to include
- status of the operation
- user identification detail if operation is success
- a JWT or some sort of token to identify the user, which users can include in the Authorization header, so that you can validate the request just by validating the token against the user. Set an expiry as the accessToken; if the JWT is expired, refresh the accessToken at client side and validate again.

At frontend, let the client do the following to authenticate themselves.
- send accessToken to /auth as a POST request.
- if authentication status is success, let them store the JWT locally and use it on the upcoming requests.

At backend on upcoming calls,
- if token is expired or tampered, redirect client to authenticate with Facebook again.
- on logging out of user, delete the token from client.

So for the frontend developers, document your API properly and share it with them.
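A minimal backend for the /auth flow described in this answer, as an added example (not the answerer's code): it validates the client's accessToken against Facebook's debug_token endpoint using the app id and app secret (placeholders here), then issues and verifies an HS256 JWT with only the standard library. The `fetch` and `now` parameters are assumptions added so the flow can be exercised offline without calling Facebook.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode
from urllib.request import urlopen

APP_ID = "APP_ID_PLACEHOLDER"          # placeholder: your Facebook app id
APP_SECRET = "APP_SECRET_PLACEHOLDER"  # placeholder: stays on the server, never in the client
JWT_SECRET = b"constructed-server-only-signing-key"  # constructed; load from config in practice
JWT_TTL = 3600                         # seconds a session JWT stays valid

def fetch_json(url):
    return json.load(urlopen(url, timeout=5))

def validate_facebook_token(access_token, fetch=fetch_json, now=None):
    """Ask Facebook's debug_token endpoint whether the token is valid for THIS app."""
    now = time.time() if now is None else now
    q = urlencode({"input_token": access_token, "access_token": f"{APP_ID}|{APP_SECRET}"})
    data = fetch("https://graph.facebook.com/debug_token?" + q).get("data", {})
    if not data.get("is_valid") or data.get("app_id") != APP_ID:
        return None  # forged, revoked, or issued to a different app
    if data.get("expires_at") and data["expires_at"] <= now:
        return None  # the Facebook token itself has expired
    return data.get("user_id")

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(msg): return hmac.new(JWT_SECRET, msg.encode(), hashlib.sha256).digest()

def issue_jwt(user_id, now=None):
    now = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user_id, "iat": now, "exp": now + JWT_TTL}).encode())
    return f"{header}.{payload}.{_b64(_sign(header + '.' + payload))}"

def verify_jwt(token, now=None):
    """Return the user id, or None if the JWT is tampered with or expired."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        # Always recompute HS256 ourselves; the header's alg field is not trusted.
        if not hmac.compare_digest(_unb64(sig), _sign(header + "." + payload)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims.get("sub") if claims.get("exp", 0) > now else None

def auth_endpoint(body, fetch=fetch_json, now=None):
    """POST /auth handler; `body` is the parsed JSON request, e.g. {"accessToken": ...}."""
    user_id = validate_facebook_token(body.get("accessToken", ""), fetch, now)
    if user_id is None:
        return {"status": "error", "message": "invalid Facebook access token"}
    return {"status": "ok", "userId": user_id, "token": issue_jwt(user_id, now)}
```

On later requests the backend calls verify_jwt on the Authorization header value; a None result is the "expired or tampered" case where the client is sent back to Facebook.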