How should a client pass a facebook access token to the server?

http rest authentication oauth-2.0 facebook-access-token
28,673

If you look at the API endpoints provided by all popular OAuth providers (Google, Facebook, Pocket, Git etc), you'd see that they all have HTTPS endpoints.

The ways in which you can pass an access token to the provider are -

i) As Query Parameter -

https://yourwebsite.com/api/endpoint?access_token=YOUR_ACCESS_TOKEN

ii) In the request header -

 GET /api/users/123/profile HTTP/1.1
 Host: yourwebsite.com
 Date: Tue, 14 May 2013 12:00:00 GMT
 Authorization: <YOUR_ACCESS_TOKEN>

These two are approaches that are generally supported by most APIs. You can think of doing the same.

iii) Pocket API does not use GET at all. They use POST for all their requests, even for retrieving data. Check this link to see their documentation. Notice that they use POST for retrieving data and pass JSON parameters.

Share:
28,673
zafeiris.m
Author by

zafeiris.m

Updated on May 03, 2020

Comments

  • zafeiris.m
    zafeiris.m about 4 years

    On every call to my REST API, I require clients to pass user's facebook access token, which authenticates the user. What's best practice for passing this token?

    1. maybe as a parameter behind the HTTP question mark

      GET /api/users/123/profile?access_token=pq8pgHWX95bLZCML

    2. or somehow in the header of the request, similarly to HTTP basic authentication

    3. maybe a third option? (I've excluded passing it in a JSON because I want the token get passed in GET calls as well, so JSON wouldn't fit there I think)
  • zafeiris.m
    zafeiris.m almost 11 years
    Yes, I am using HTTPS anyway. Options (i) and (ii) seem ok to me too, I wouldn't go for option (iii). In (ii), should I include the word Basic or something else to indicate that I need the token there?
  • divyanshm
    divyanshm almost 11 years
    Well, the general idea is to include the token type... if you are using a Bearer token type, you can have "Authorization : Bearer <YOUR_ACCESS_TOKEN>" , this will tell your app not to look for client credentials.
  • Kristofer Källsbo
    Kristofer Källsbo about 10 years
    Passing the access token in the query string is not recommended! HTTPS still requests the URL, including query string parameters, in clear text. Only the headers and the body is encrypted!
  • ldg
    ldg about 10 years
    I didn't think HTTPS solved the security problem for GET; it also means the tokens will most likely end up in your web logs, which may be the least of your problems if the logs are compromised but worth noting.
  • Johnny Z
    Johnny Z over 9 years
    Downvoting.. Passing tokens in query string is not secure.
  • wezten
    wezten about 9 years
    @KristoferKallsbo The querystring is encrypted - stackoverflow.com/a/2629241/428724.
  • Jon-Eric
    Jon-Eric about 9 years
    @KristoferKallsbo, I think you've misunderstood how HTTPS works. The request for the URL (including the query string) IS NOT sent in clear text. More info here: stackoverflow.com/q/323200/99377
  • mrded
    mrded over 8 years
    Be careful with "Authorization: <YOUR_ACCESS_TOKEN>" it may conflict with HTTP Basic access authentication.
  • gihanchanuka
    gihanchanuka over 8 years
    @wezten OAuth2 specification, itself doesn't recommend passing access_token via URLs and query parameters. See (last point|tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16#sect‌​ion-4.3) >> " Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be passed in page URLs (for example as query string parameters)."
  • martinedwards
    martinedwards over 7 years
    prepending BEARER to the Authorization value solved my issue for the Timetastic API, thanks @zafeiris.m
  • Duncan Jones
    Duncan Jones about 5 years
    "These two are approaches that are generally supported by most APIs." > It would be nice to have a clear answer for Facebook. Does it support both methods or not?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What is OAuth and how does it secure REST API calls?
HTTP basic authentication over SSL for REST API
http post - how to send Authorization header?
Place API key in Headers or URL
Angular HttpClient post not working
restful api authentication confusion with oauth2
flutter_web_auth doesn't redirect from WebView to the app after authorizing the access to my data in Flutter
HTTP Post oAuth 2 "Check the `grant_type` parameter"
In Flutter how I can fetch data inside a JASON with API and GetX
How to use nativeclient redirect URI when authenticating with Microsoft Azure?