This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Need suggestions on integrating with Facebook/Google

Posted on 11-16-2016 02:38 AM
rajeevyes
New Member
Reply posted on --/--/---- --:-- AM

We have a requirement to integrate with Facebook and Google via Apigee Edge to fetch user profile. The flow is as follows:

User(via Browser) ---> Web application ---(oauth)--> Apigee ---(oauth)--> Facebook/Google.

What is the best way to implement Oauth for this scenario?

Should i ask web-application to perform 3-legged oauth with FB/Google directly(by passing Apigee) and provide Apigee with access token. Apigee to use that access token to fetch user profile details from Facebook and google?

Or Should Apigee handle the Oauth with FB and Google? If yes, how do i achieve it?

0 3 629
Topic Labels
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
snehal_chakrabo
New Member
Reply posted on --/--/---- --:-- AM

Hi @Rajeev S

Since you are trying to implement a 3 legged oauth flow, i would recommend that you keep the token creation between the consumer app and FB/Google. Apigee should just handle the subsequent API calls to fetch profile, where in the created access token can be passed in the header. Also ensure there is some kind of authentication happening on apigee as well for the API calls for e.g. apikey verification.

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

There are pros and cons to OAuth 2.0 grants and all of them can be implemented with Apigee. My two recommendations in your case are to explore Auth Code and Implicit Grant types:

  • Auth Code flow or 3-legged OAuth increases security but also complexity. Because it requires server-side to resolve auth code and maintain server-side sessions to truly keep access tokens outside of the user agent.
  • Implicit Grant Type. This is meant for Apps that run entirely on the client-side, hence the complexity of exchanging auth code for an access token is then removed. If you want to

My suggestion to you is to test both grant types. Spend a little time implementing both with demo apps. It's always better to understand them by implementing them first than than just going with a recommendation. It'd give you a better idea on what's more suitable for your users and your app. From security and usability perspective. Google and Facebook provide comprehensive online documentation on these topics.

Hope it helps!

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

You will not be able to find a clear answer to your question on the Internet, try asking about it from people who understand programming. It's just not one of the easiest things to do. I tried to do something similar, but due to the lack of a detailed explanation on the internet, I was unable to do it. I found an ad on Facebook about a programming company that was posted by Facebook Marketing Agency Sydney. When I turned to them with a similar request as you have, they did all. Pay attention to the ads on Facebook, maybe you will come across a service that suits you.

0 Likes