OAuth Developer Workflow
The developer workflow for implementing OAuth in an app is fairly straightforward:
1. Your app sends the user to the authorization endpoint, the uniform resource identifier (URI) through which the API exposes an action, along with its credentials, its own authorization endpoint, what permissions it requires, and a security token.
2. The authorization endpoint for the service asks the user to confirm that your app is allowed to access the API on the user's behalf.
3. Assuming the user grants access, the service redirects the user back to your app's authorization endpoint, along with an authorization code and the security token from step 1.
4. Your app requests an access token from the service's token endpoint by sending the authorization code received in step 3, plus its credentials and your app's authorization
5. The service authenticates your app, checks the authorization code, and sends back an access token that can be used to access the user's data via the service's API.
Using a real service as an example, let's look at the actual endpoints used by Facebook's OAuth 2.0 implementation.
Building the Login Link
The first step for an app requesting access to a user's data is to direct the user to the service provider's authorization
endpoint. The endpoint URI to do this for Facebook is https://www.facebook.com/dialog/oauth, and the app has to
send its client_id, redirect_uri, scope, and state along with the request.
Assuming that users should be redirected to http://app.example.org/login.php after granting access to the
app, a login link for the app might look like this:
■ The value of client_id is a unique value provided by Facebook once you have registered your app. The
current value, YOUR_APP_ID, is a placeholder and should be replaced with your own app's credentials. Don't worry about
registering your app just yet; we'll walk through that process later in this chapter during exercise A-1.
This example uses the GET method to send parameters to the endpoint. To make them easier to spot, they're
shown in bold.
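The five-step workflow above and the login link built from client_id, redirect_uri, scope, and state can be walked through end to end without a network. The following is an added example, not code from the book or from Facebook: it uses the authorization endpoint and redirect_uri named in the text, while the in-memory Service class, the token-exchange method, the client secret, the scope value, and the YOUR_APP_SECRET placeholder are assumptions for the example. It shows the two checks a defender cares about in this flow: the app accepts a callback only if it carries a state value the app itself issued (so a link a user did not start cannot complete the login), and the service accepts each authorization code only once and only from the client and redirect_uri it was issued to.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# The authorization endpoint and redirect_uri are the ones named in the text.
# The client secret, scope and token-issuing logic below are constructed for
# this example and are not values or code from the book or from Facebook.
AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"
REDIRECT_URI = "http://app.example.org/login.php"


class Service:
    """In-memory stand-in for the provider's authorization and token endpoints."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # authorization code -> (client_id, redirect_uri) it was issued for

    def register(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, login_link, user_grants=True):
        """Steps 2 and 3: validate the login link, ask the user, redirect back with a code."""
        q = parse_qs(urlsplit(login_link).query)
        client_id, redirect_uri, state = q["client_id"][0], q["redirect_uri"][0], q["state"][0]
        if client_id not in self.clients:
            raise ValueError("unknown client_id")
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the registered one")
        if not user_grants:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Step 5: authenticate the app, check the code, issue an access token."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)  # a code is valid for exactly one exchange
        if issued != (client_id, redirect_uri):
            raise PermissionError("invalid, already-used, or mismatched authorization code")
        return {"access_token": "tok_" + secrets.token_urlsafe(16), "token_type": "bearer"}


class App:
    """Your app: builds the login link and processes the callback at redirect_uri."""

    def __init__(self, client_id, client_secret, scope):
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self.pending_states = set()  # states we issued and have not yet seen come back

    def build_login_link(self):
        """Step 1: the link the user is sent to; state is an unguessable per-request value."""
        state = secrets.token_urlsafe(32)
        self.pending_states.add(state)
        params = {"client_id": self.client_id, "redirect_uri": REDIRECT_URI,
                  "scope": self.scope, "state": state}
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url, service):
        """Step 4: check state before trusting anything else, then swap the code for a token."""
        q = parse_qs(urlsplit(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("unknown state: this callback was not started by us")
        self.pending_states.discard(state)  # each state is accepted once
        if "error" in q:
            raise PermissionError("authorization failed: " + q["error"][0])
        token = service.exchange_code(q["code"][0], self.client_id,
                                      self.client_secret, REDIRECT_URI)
        return token["access_token"]


def run_flow():
    """Happy path, then the checks that matter: state ownership and single-use codes."""
    service = Service()
    service.register("YOUR_APP_ID", "YOUR_APP_SECRET", REDIRECT_URI)  # placeholders
    app = App("YOUR_APP_ID", "YOUR_APP_SECRET", "email")
    link = app.build_login_link()
    callback = service.authorize(link)  # the user grants access
    token = app.handle_callback(callback, service)

    # Replaying the same callback fails at the state check: that state was consumed.
    try:
        app.handle_callback(callback, service)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    # Presenting the already-exchanged code to the token endpoint again also fails.
    code = parse_qs(urlsplit(callback).query)["code"][0]
    try:
        service.exchange_code(code, "YOUR_APP_ID", "YOUR_APP_SECRET", REDIRECT_URI)
        code_reuse_rejected = False
    except PermissionError:
        code_reuse_rejected = True

    # A callback whose state the app never issued is dropped before any token request.
    unsolicited = REDIRECT_URI + "?" + urlencode({"code": "some-code", "state": "not-ours"})
    try:
        app.handle_callback(unsolicited, service)
        csrf_rejected = False
    except PermissionError:
        csrf_rejected = True

    return {"link": link, "token": token, "replay_rejected": replay_rejected,
            "code_reuse_rejected": code_reuse_rejected, "csrf_rejected": csrf_rejected}
```

Calling run_flow() returns the login link (which carries client_id, redirect_uri, scope and state as query parameters), the access token obtained after the callback, and three booleans confirming that a replayed callback, a reused code, and a callback with a state the app never issued are all refused. Keeping the pending states in memory is fine for a demonstration; a real login.php would store the state in the user's session so the check binds the callback to the browser that started the login.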
client_id is the public identifier Facebook generates for the app after it is registered. It lets
Facebook know who requests access.
redirect_uri is the URI to which the user should be redirected after authorizing the app.
This URI is your app's authorization endpoint, where the app will process the data sent