问题
The OAuth 2.0 specification defines the Resource Owner Password Credentials Grant Type, which allows the resource owner password credentials (i.e. username and password) to be used directly as an authorization grant to obtain an access token.
I want to allow a user to 'login via Facebook' on the client instead of providing the credentials directly. The client could then exchange the user's Facebook access token for an access token for the authorization server. Does this scheme fit into the framework of OAuth2?
回答1:
The client could then exchange the user's Facebook access token for an access token for the authorization server.
Does it mean you have 2 Authorization servers (one of Facebook and another - your private one) in mind? If yes - you're abusing OAuth and should use Authorization Code Grant scheme instead.
On Figure 5 from OAuth 2.0 spec (v25) you can find workflow definition:
The resource owner provides the client with its username and password.
The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.
The authorization server authenticates the client and validates the resource owner credentials, and if valid issues an access token.
This is a quote from Facebook http://developers.facebook.com/docs/guides/web/ :
In order to log the user into your site, three things need to happen. First, Facebook needs to authenticate the user. This ensures that the user is who they say they are. Second, Facebook needs to authenticate your website. This ensures that the user is giving their information to your site and not someone else. Lastly, the user must explicitly authorize your website to access their information. This ensures that the user knows exactly what data they are disclosing to your site.
In both places you have one and only one Authorization server - in your case - the Facebook.
来源:https://stackoverflow.com/questions/10456633/using-a-facebook-access-token-as-the-resource-owner-credentials-in-oauth2-0