You can’t rely on the presence of an access token to log a user in. Some more information is available here:
http://oauth.net/articles/authentication/

However, if you want to bridge authorization based on an external token and you’re willing to do some validation of that token, you can use something like the draft token chaining mechanism defined here:
https://tools.ietf.org/html/draft-richer-oauth-chain-00

For this, your AS will basically take in a Facebook token, validate it, and spit out a domain-local token. This doesn’t, however, tell you much about someone being “logged in” from Facebook, just means you’ve got an authorized application. Again, see the oauth.net article for more details on common pitfalls.

A standards-based way to do login is to use the OpenID Connect ID Token.

— Justin

> On Apr 12, 2015, at 8:29 AM, Spencer MacDonald <[email protected]> wrote:
>
> Hi,
>
> I wondered if there was a best practice/standard/extension grant type for exchanging an OAuth Token from another provider (instead of a username and password) for an OAuth Token.
>
> The situation I am facing is that I am developing a native iOS application that makes use of the Facebook Graph API, whereby I fetch an OAuth Token using their native SDK on the device. I then want to exchange their Facebook OAuth Token with my server (the OAuth Token is then used on the server to process data) in exchange for an OAuth Token to communicate with my server.
>
> Is there a best practice for this approach?
>
> Regards
>
> Spencer
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
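An added illustration of the "validate the external token, then mint a domain-local one" step Justin describes; this is example code written for this page, not from the thread or from the chaining draft. It assumes the server has already called Facebook's debug_token endpoint and takes that JSON as input (the sample below is constructed; the field names follow that API), and that OUR_APP_ID is the app id the server registered with Facebook. The check that makes the difference is app_id: a valid token that was issued to some other app is exactly the "presence of a token is not a login" case from the oauth.net article.

```python
import secrets

# Constructed sample of the JSON Facebook's GET /debug_token returns for an
# input_token; field names follow that API, the values are made up for this example.
SAMPLE_INTROSPECTION = {
    "data": {
        "app_id": "123456789",
        "is_valid": True,
        "expires_at": 2000000000,   # Unix time
        "user_id": "fb-user-42",
        "scopes": ["public_profile", "email"],
    }
}

OUR_APP_ID = "123456789"   # assumption: the app id this server registered with Facebook

_local_tokens = {}         # opaque local token -> (user id, expiry); stand-in for a real store


def validate_external_token(introspection, expected_app_id, now):
    """Return the external user id if the introspected token is valid, unexpired and
    was issued to *our* app; otherwise None. The app_id comparison is what separates
    "this token was minted for us" from "someone handed us a token"."""
    data = introspection.get("data") or {}
    if not data.get("is_valid"):
        return None
    if data.get("app_id") != expected_app_id:   # token belongs to some other app
        return None
    if data.get("expires_at", 0) <= now:
        return None
    return data.get("user_id") or None


def exchange_token(introspection, expected_app_id, now, ttl=3600):
    """Token chaining: take the external token's introspection result and, only if it
    validates, mint a short-lived domain-local token bound to that user. Note this
    proves an authorized app, not that the person is currently logged in at Facebook."""
    user_id = validate_external_token(introspection, expected_app_id, now)
    if user_id is None:
        return None
    local = secrets.token_urlsafe(32)       # opaque and unguessable
    _local_tokens[local] = (user_id, now + ttl)
    return local


def lookup_local_token(local, now):
    """Resolve a domain-local token to its user id, or None if unknown or expired."""
    entry = _local_tokens.get(local)
    if entry is None or entry[1] <= now:
        return None
    return entry[0]
```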
