I’ve been using the Facebook Graph API (uses oauth 2.0 for authentication) successfully for a while now. I now need to write my own API which allows developers to connect to it in a similar fashion. I’ve looked into various libraries but i’d like something a little leaner so i’ve decided to roll my own. Looking at the code i have to authenticate a user on facebook it looks relatively simple but please correct me if i’m going off track.

First i would need to provide a secure page which the consumer would need to redirect to. eg https://api.mydomain.com/oauth/authorize?client_id=CONSUMER_KEY&redirect_url=CALLBACK_URL. The user would verify the application then i would redirect back to the url provided in the callback url with the oauth_token in the query string. I suppose i could just generate a random unique string here for the oauth_token and store it against the user for this particular consumer (EDIT: Please see the answer below, this should be unique for each consumer application and not the user).

That’s step 1 out the way. I now need to provide a second secure page which the consumer would trigger a web request to. eg https://api.mydomain.com/oauth/access_token?client_id=CONSUMER_KEY&client_secret=CONSUMER_SECRET&oauth_token=OAUTH_TOKEN_RETURNED_ABOVE. This would allow the consumer to exchange the oauth_token returned above for an access token. I would again simply generate a random unique string and store it against the user for this particular consumer.

Now my API would accept the access_token for methods which try to grab information specific to the user who is using it.

I’d like to know if i’ve understood things correctly. The OAuth 2.0 spec seems extremely trivial if that’s the case. Also why do we have to exchange the oauth_token with an access_token? I have my own idea but i’d appreciate it if someone could help clarify this.

I’d really appreciate your feedback as i don’t wish to go ahead and waste hours implenting this when it’s completely wrong.

Thanks