Possible approach to secure a Rest API endpoints using Facebook OAuth

Backend · unresolved · 1 · 719
执笔经年 2020-12-12 18:22

I've been reading a lot about the topic but all I find are obsolete or partial answers, which don't really help me that much and actually just confused me more. I'm writi

1 answer
  • 2020-12-12 18:52

    I think the better solution would be this:

    1. Login via Facebook
    2. Pass the Facebook AccessToken to the server (over SSL for the android app, and for the web app just have it redirect to an API endpoint after FB login)
    3. Check the fb_access_token given, make sure it's valid. Get user_id and email, and cross-reference this with existing users to see if it's a new or old one.
    4. Now, create a random, separate api_access_token that you give back to the web app and Android app. If you need Facebook for anything other than login, store that fb_access_token and in your DB associate it with the new api_access_token and your user_id.
    5. For every call hereafter, send api_access_token to authenticate it. If you need the fb_access_token for getting more info, you can do so by retrieving it from the DB.

    In summary: whenever you can, avoid passing the fb_access_token. If the api_access_token is compromised, you have more control to see who the attacker is, what they're doing, etc. than if they were to get hold of the fb_access_token. You also have more control over setting an expiration date, extending fb_access_tokens, etc.

    Just make sure that whenever you pass an access_token of any sort via HTTP, you use SSL.

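The token exchange described in the answer above (verify the Facebook token, find or create the user, mint a separate random api_access_token, keep the fb_access_token server-side), as an added example that is not part of the original post. The Facebook verification step is modelled by an injectable `verify_fb_token` callable; `fake_facebook_verify` and `FAKE_FB_RESPONSES` are constructed sample data shaped like the `data` object of Facebook's Graph API `debug_token` response plus the email a `/me?fields=id,email` call would return. A real deployment would fetch those over HTTPS; the `AuthService`, `User` and `Session` names are this example's own.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data standing in for Facebook's debug_token + /me responses.
# Keys are client-supplied fb_access_token values; app_id "123456" is "our" app.
FAKE_FB_RESPONSES = {
    "fb-token-alice": {"app_id": "123456", "is_valid": True, "user_id": "fb-1001",
                       "email": "alice@example.com", "expires_at": 4102444800},
    "fb-token-other-app": {"app_id": "999999", "is_valid": True, "user_id": "fb-2002",
                           "email": "bob@example.com", "expires_at": 4102444800},
    "fb-token-expired": {"app_id": "123456", "is_valid": False, "user_id": "fb-3003",
                         "email": "eve@example.com", "expires_at": 0},
}


def fake_facebook_verify(fb_access_token: str) -> Optional[dict]:
    """Offline stand-in for calling Facebook's debug_token endpoint (constructed)."""
    return FAKE_FB_RESPONSES.get(fb_access_token)


@dataclass
class User:
    user_id: int
    fb_user_id: str
    email: str
    fb_access_token: Optional[str] = None  # stored server-side only, never returned to clients


@dataclass
class Session:
    user_id: int
    expires_at: float


class AuthService:
    """Exchanges a verified Facebook token for a server-issued api_access_token."""

    def __init__(self, app_id: str, verify_fb_token: Callable[[str], Optional[dict]],
                 token_ttl: int = 3600, now: Callable[[], float] = time.time):
        self.app_id = app_id
        self.verify_fb_token = verify_fb_token
        self.token_ttl = token_ttl
        self.now = now
        self.users_by_fb_id: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # keyed by sha256(api token), not the token itself

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked session table does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login_with_facebook(self, fb_access_token: str) -> Optional[str]:
        """Step 3 and 4 of the answer: validate the FB token, map to a user, mint an API token."""
        info = self.verify_fb_token(fb_access_token)
        if info is None or not info.get("is_valid"):
            return None
        if info.get("app_id") != self.app_id:  # token was issued to some other app
            return None
        if info.get("expires_at", 0) <= self.now():
            return None
        user = self.users_by_fb_id.get(info["user_id"])
        if user is None:  # new user: create a record keyed by the Facebook user id
            user = User(user_id=len(self.users_by_fb_id) + 1,
                        fb_user_id=info["user_id"], email=info["email"])
            self.users_by_fb_id[user.fb_user_id] = user
        user.fb_access_token = fb_access_token  # kept in the DB for later Graph calls
        api_token = secrets.token_urlsafe(32)   # random, unrelated to the FB token
        self.sessions[self._digest(api_token)] = Session(user.user_id, self.now() + self.token_ttl)
        return api_token

    def authenticate(self, api_token: str) -> Optional[User]:
        """Step 5: every later call presents only the api_access_token."""
        key = self._digest(api_token)
        session = self.sessions.get(key)
        if session is None:
            return None
        if session.expires_at <= self.now():
            del self.sessions[key]  # expired: drop it so it cannot be replayed
            return None
        return next(u for u in self.users_by_fb_id.values() if u.user_id == session.user_id)

    def revoke(self, api_token: str) -> None:
        """Invalidate one API token without touching the user's Facebook token."""
        self.sessions.pop(self._digest(api_token), None)


if __name__ == "__main__":
    svc = AuthService("123456", fake_facebook_verify)
    tok = svc.login_with_facebook("fb-token-alice")
    print("api token issued:", tok is not None, "user:", svc.authenticate(tok).email)
```

Because sessions are keyed by the SHA-256 of the API token and the token itself is 32 random bytes, compromise of the session table does not yield usable credentials, and `revoke` lets you cut off a single leaked api_access_token while the stored fb_access_token stays untouched, which is the control the answer is describing.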