I have an app that can be accessed on mobile phones, both iOS and Android. The app has a social component to it, so people are sending data to and from my server.

I also have an interface for this app that will be accessible through Facebook.

When logging into the app via mobile device, using the native app for that device, one can just log in with standard username and password.

However, obviously if a user accesses the app in Facebook, they will expect to already be logged in since they are already logged into Facebook.

So I need to make it so that my app can take a log in from Facebook, pretty much automatically (?) for users who are coming at it from within Facebook.

Further, it’s possible (dare I say “likely”?) a user might access the interface from both Facebook and one of the mobile versions of the app. In which case I need to be able to ensure that the username/password authentication they use on the device points to the same account associated with their Facebook login.

So… all that said… what kind of Facebook authentication should I be studying and implementing.? I’m looking at their documentation right now, and like all documentation, it’s not easy to grasp. There is server-side (authentication code flow?) and client-side (implicit flow?), and authentication tokens, and I’m already a bit lost.

Also, I assume Facebook’s approach is to want to take over my login in process completely, not live side by side with my mobile-device-only login, but I’d like to make sure users have the option of not using Facebook authentication if they don’t want.

Can someone point me in the right direction for how to do this? Basically let me know which part of the documentation I should be focusing on.

And are there any gotchas I should watch out for?