This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

I am using third party authentication like login with facebook for my app. And I still want to use the Apigee's OAuth2 for my backend APIs. Is it advisable to do so?

Posted on 09-21-2016 02:49 AM
Not applicable
Reply posted on --/--/---- --:-- AM
 
0 4 1,765
Topic Labels
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
rdeandrade
Staff
Reply posted on --/--/---- --:-- AM

Not only advisable but that is why there is the authorization code grant type in OAuth2.

This is a very common scenario in which a 3rd party ID provider validates the username, password and access level, while the OAuth token generator (in this case Apigee) dispenses the tokens after the 3rd party has validated the user.

Some more details can be found here: http://docs.apigee.com/api-services/content/oauth-v2-policy-authorization-code-grant-type

The client app will get redirected to the id provider and after that access has been granted apigee generates the token to be used in the APIs. The user only needs to login again once the token has expired and there are no more refresh tokens available (this time is configurable in your oauth proxies).

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to rdeandrade
Reply posted on --/--/---- --:-- AM

Thanks Ricardo!
In my use case I will be using facebook's OAuth 2 for user authentication, which will return me a token for accessing FB APIs and some user information. The token generated by Facebook is of no use to me as I cannot access my backend APIs with it. I was reading somewhere and I found Apigee does provide a way to store third party OAuth tokens which can be used for backend APIs authorization as well http://docs.apigee.com/api-services/content/use-third-party-oauth-system . In third party oauth tokens we have to use client credentials as grant type.

So which grant type is more suitable for this use case autorization_code or client_credentials?

0 Likes

Posted on --/--/---- --:-- AM
nmallesh
New Member
Reply posted on --/--/---- --:-- AM

Hi @vinita_dwivedi,

Authorization Code is considered to be the most secure grant type.

Before the authorization server (Apigee server) issues an access token, the app(your application) must first receive an authorization code from the resource server(Facebook server in your case).

Your application should redirect to the Facebook server's login page via User-Agent.

After successful log in, your application will receive an authorization code that it can use to negotiate an access token with the Apigee server.

Typically, this grant type is used when the app resides on a server rather than on the client. This grant type is considered highly secure because the client app never handles or sees the user's username or password for the resource server (Facebook credentials).

Hope this helps, thank you!

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to nmallesh
Reply posted on --/--/---- --:-- AM

@Nisha Mallesh

Thanks for your inputs!

I have to implement this for a mobile application. I am using android SDK provided by the identity service provider. I am getting the token from identity provider after authentication is complete. I can make an API call to token endpoint at Apigee after getting the identity of the user.

0 Likes