I have been trying to wrap my head around creating a RESTful API using OAuth for both 2-legged and 3-legged authentication scenarios. I have read a lot of articles and I am at the moment just very confused. Now I am looking through various API implementations to gain a better understanding.
While looking through a Facebook API service consumption implementation, after getting an access token, I noticed the following URL structure for a resource request:
https://graph.facebook.com/me?access_token={access_token}
I was thinking the app_key and the secret_key of the consumer would also be passed as parameters.
I am imagining a scenario where ‘offline_access’ is part of the permission scope. What if this access token is passed by another application? How does Facebook validate that it is the right consumer?
Thank you.
The OAuth 2 spec defines that access tokens should be unique for each user for each consumer. This simply means that every consumer gets a new access token. If consumer 1 had consumer 2’s access token, the API would think that consumer 2 is making the request. Simple as that.
Of course, this calls for proper security on the access tokens. How they are secured is pretty much beyond the scope of OAuth, although it does define that they must only be passed over SSL connections.
Don’t read articles. Read the actual specification.
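To make the answer's point concrete: a resource server does not need the consumer's app key or secret on a resource request, because the token itself is the lookup key that resolves to the (user, client) pair it was issued to. The following is an added example, not the answer's or Facebook's code; the `TokenStore`, `handle_me_request`, and the `https://api.example/me?access_token=...` URL are assumptions chosen to mirror the URL shape in the question. It shows a hashed, opaque-token store that binds each token to one user and one client, an `offline_access` token that does not expire, and a handler that refuses a non-TLS request:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class TokenRecord:
    """What the server remembers about one issued token (constructed example)."""
    user_id: str
    client_id: str
    scope: FrozenSet[str]
    expires_at: Optional[float]  # None: long-lived token (offline_access in scope)


def _digest(token: str) -> str:
    # Store only a hash of the token, so a leaked token table does not leak bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Hypothetical authorization-server side: issues tokens bound to (user, client)."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def issue(self, user_id: str, client_id: str, scope: FrozenSet[str],
              lifetime: int = 3600) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable, URL-safe
        expires = None if "offline_access" in scope else time.time() + lifetime
        self._records[_digest(token)] = TokenRecord(user_id, client_id, scope, expires)
        return token

    def resolve(self, token: str) -> Optional[TokenRecord]:
        """Return the binding for a live token, or None if unknown, revoked or expired."""
        rec = self._records.get(_digest(token))
        if rec is None:
            return None
        if rec.expires_at is not None and time.time() >= rec.expires_at:
            return None
        return rec

    def revoke(self, token: str) -> None:
        self._records.pop(_digest(token), None)


def handle_me_request(store: TokenStore, url: str) -> dict:
    """Hypothetical resource-server handler for GET /me?access_token=...

    Whoever presents the token is treated as the client the token was issued to;
    no app key or secret is consulted at this layer.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return {"error": "tokens are bearer credentials; TLS required"}
    token = parse_qs(parsed.query).get("access_token", [None])[0]
    if not token:
        return {"error": "missing access_token"}
    rec = store.resolve(token)
    if rec is None:
        return {"error": "invalid or expired token"}
    return {"user": rec.user_id, "client": rec.client_id, "scope": sorted(rec.scope)}


if __name__ == "__main__":
    store = TokenStore()
    t_app1 = store.issue("alice", "app1", frozenset({"email"}))
    t_app2 = store.issue("alice", "app2", frozenset({"email", "offline_access"}))
    # Same user, two consumers, two distinct tokens: each resolves to its own client.
    print(handle_me_request(store, f"https://api.example/me?access_token={t_app1}"))
    print(handle_me_request(store, f"https://api.example/me?access_token={t_app2}"))
    # If app2 somehow obtained app1's token, the API would simply see app1.
    print(handle_me_request(store, f"https://api.example/me?access_token={t_app1}"))
    store.revoke(t_app1)
    print(handle_me_request(store, f"https://api.example/me?access_token={t_app1}"))
```

The check that matters for the question is `store.resolve`: the server never asks "which consumer sent this?", it asks "which consumer was this token issued to?", which is why protecting the token (hashed at rest, sent only over TLS, revocable) is the whole game.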