The best practice to log the user in, in general, is to use OpenID Connect. For Facebook specifically, there is a closely related spec called signed request.

You cannot just use a regular access token to log a user in. It's too dangerous.

Nat via iPhone

On Sunday, April 12, 2015, Spencer MacDonald <[email protected]> wrote:

> Hi,
>
> I wondered if there was a best practise/standard/extension grant type for
> exchanging an OAuth Token from another provider (instead of a username and
> password) for an OAuth Token.
>
> The situation I am facing is that I am developing a native iOS application
> that makes use of the Facebook Graph API, whereby I fetch an OAuth Token
> using their native SDK on the device. I then want to login exchange their
> Facebook OAuth Token with my server (the OAuth Token is then used on the
> server to process data) in exchange for an OAuth Token to communicate with
> my server.
>
> Is there a best practise for this approach?
>
> Regards
>
> Spencer
>

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
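
The signed request mentioned in the reply above can be checked on the server as sketched here. This is an added example, not code from the thread or from Facebook's SDK; the function names, the `max_age` policy and the sample secrets are assumptions constructed for illustration. Because the value is an HMAC-SHA256 over the payload keyed with the receiving app's own secret, a value minted for a different app fails verification.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(text: str) -> bytes:
    # signed_request parts are base64url without padding; restore it first.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def verify_signed_request(signed_request, app_secret, max_age=600, now=None):
    """Return the payload dict if it was signed with *our* app secret.

    Raises ValueError otherwise. max_age (seconds) is an assumed policy.
    """
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        signature = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # bad base64, bad JSON, or missing "."
        raise ValueError("malformed signed_request") from exc
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    # Pin the algorithm; never let the token choose how it is verified.
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    # The MAC covers the encoded payload string exactly as received.
    expected = hmac.new(app_secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature mismatch (not issued for this app)")
    issued_at = payload.get("issued_at")
    now = time.time() if now is None else now
    if not isinstance(issued_at, int) or not 0 <= now - issued_at <= max_age:
        raise ValueError("stale or missing issued_at")
    return payload

def make_sample_signed_request(app_secret, payload):
    """Build a constructed sample in the same format, for local testing only."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
    mac = hmac.new(app_secret, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(mac).rstrip(b"=") + b"." + body).decode()

if __name__ == "__main__":
    ours, other = b"constructed-secret-A", b"constructed-secret-B"
    claims = {"algorithm": "HMAC-SHA256", "user_id": "1001", "issued_at": int(time.time())}
    print(verify_signed_request(make_sample_signed_request(ours, claims), ours)["user_id"])
    try:
        verify_signed_request(make_sample_signed_request(other, claims), ours)
    except ValueError as err:
        print("rejected:", err)
```

The server should take the user identity only from the returned payload, after verification, and then issue its own session or token.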
